[
https://issues.apache.org/jira/browse/MYFACES-1879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12625908#action_12625908
]
Leonardo Uribe commented on MYFACES-1879:
-----------------------------------------
I have updated the patch, removing tabs and using myfaces braces style.
In this code (taken from the patch of shared-core v2):
Index: src/main/java/org/apache/myfaces/shared/util/StateUtils.java
===================================================================
--- src/main/java/org/apache/myfaces/shared/util/StateUtils.java
(revision 689223)
+++ src/main/java/org/apache/myfaces/shared/util/StateUtils.java
(working copy)
@@ -38,6 +38,9 @@
import java.io.ObjectOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.util.Random;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
@@ -313,7 +316,44 @@
try
{
ObjectInputStream s = serialFactory.getObjectInputStream(input);
- Object object = s.readObject();
+ Object object = null;
+ if (System.getSecurityManager() != null)
+ {
+ final ObjectInputStream ois = s;
+ try
+ {
+ object = AccessController.doPrivileged(new
PrivilegedExceptionAction()
+ {
+ public Object run() throws PrivilegedActionException
+ {
+ try
+ {
+ return ois.readObject();
+ }
+ catch(IOException e)
+ {
+ throw new FacesException(e);
+ }
+ catch (ClassNotFoundException e)
+ {
+ throw new FacesException(e);
+ }
+ }
+ });
+ }
+ catch (PrivilegedActionException pae)
+ {
+ throw new FacesException(pae);
+ }
+ finally
+ {
+ ois.close();
+ }
+ }
+ else
+ {
+ object = s.readObject();
+ }
s.close();
input.close();
s = null;
if there is a security manager set, the ObjectInputStream (pointed by both s
and ois vars) is closed twice. It could be better use a try{}finally{} block to
ensure the stream to be closed.
Now this code (myfaces-core v2 patch):
Index: src/main/java/org/apache/myfaces/application/jsp/JspStateManagerImpl.java
===================================================================
--- src/main/java/org/apache/myfaces/application/jsp/JspStateManagerImpl.java
(revision 689223)
+++ src/main/java/org/apache/myfaces/application/jsp/JspStateManagerImpl.java
(working copy)
@@ -28,6 +28,7 @@
import org.apache.myfaces.shared_impl.renderkit.RendererUtils;
import org.apache.myfaces.shared_impl.util.MyFacesObjectInputStream;
+import javax.faces.FacesException;
import javax.faces.FactoryFinder;
import javax.faces.component.NamingContainer;
import javax.faces.component.UIComponent;
@@ -39,6 +40,9 @@
import javax.faces.render.ResponseStateManager;
import java.io.*;
import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.util.*;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
@@ -716,9 +720,42 @@
{
is = new GZIPInputStream(is);
}
- ObjectInputStream in = new MyFacesObjectInputStream(
- is);
- return new Object[] {in.readObject(), in.readObject()};
+ final ObjectInputStream in = new MyFacesObjectInputStream(is);
+ Object object = null;
+ if (System.getSecurityManager() != null)
+ {
+ try {
+ object = AccessController.doPrivileged(new
PrivilegedExceptionAction<Object []>()
+ {
+ public Object[] run() throws
PrivilegedActionException
+ {
+ try
+ {
+ return new Object[] {in.readObject(),
in.readObject()};
+ }
+ catch(IOException e)
+ {
+ throw new FacesException(e);
+ }
+ catch (ClassNotFoundException e)
+ {
+ log.error("Exiting deserializeView - Could
not deserialize state: " + e.getMessage(), e);
+ return null;
+ }
+ }
+ });
+ }
+ catch (PrivilegedActionException pae)
+ {
+ throw new FacesException(pae);
+ }
+ }
+ else
+ {
+ object = new Object[] {in.readObject(), in.readObject()};
+ }
+ in.close();
+ return object;
}
catch (IOException e)
{
Compared with the older version, if a PrivilegedActionException is thrown
(caused by a IOException, not by some security exception), the behavior changes
(the old code just log a error message and return null).
Maybe the solution should be write run method like this:
+ public Object[] run() throws
PrivilegedActionException, IOException
+ {
> Problems with myfaces when java2 security is enabled
> ----------------------------------------------------
>
> Key: MYFACES-1879
> URL: https://issues.apache.org/jira/browse/MYFACES-1879
> Project: MyFaces Core
> Issue Type: Bug
> Affects Versions: 1.2.3
> Reporter: Michael Concini
> Attachments: MYFACES-1879-core-v2.patch, MYFACES-1879-core.patch,
> MYFACES-1879-shared-v2.patch, MYFACES-1879-shared.patch
>
>
> When running MyFaces 1.2 on an application server with java2 security turned
> on, a user can receive an AccessControlException from several locations
> within the code, in some cases preventing the application from working in the
> environment.
> There are several places in the myfaces code that should be updated to
> include a doPriv when java2 security is on. Specifically in locations where
> the code is executing a call to
> Thread.currentThread().getContextClassLoader(), as well as in the
> JspStateManagerImpl's deserializeView() method.
> for example (in the classloader case):
> if (System.getSecurityManager() != null) {
> try {
> Object cl = AccessController.doPrivileged(new
> PrivilegedExceptionAction() {
> public Object run() throws
> PrivilegedActionException {
> return
> Thread.currentThread().getContextClassLoader();
> }
> });
> return (ClassLoader) cl;
> } catch (PrivilegedActionException pae) {
> throw new FacesException(pae);
> }
> }else{
> return Thread.currentThread().getContextClassLoader();
> }
> If its agreed that the change should be implemented, I'd be happy to perform
> the changes myself and supply a patch. I also thought that it might make
> sense to, at least for the ClassLoader lookup, create a method in ClassUtils
> called getContextClassloader that could be called elsewhere for efficiency's
> sake.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
