[
https://issues.apache.org/jira/browse/OWB-312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12858614#action_12858614
]
YING WANG commented on OWB-312:
-------------------------------
To avoid these annoying "Access denied" exceptions when Java 2 security is
enabled, does anyone mind if I delegate invocations of the following methods to
some SecurityUtil class and add a doPrivileged guard around them?
Method.setAccess(boolean) ==> SecurityUtil.doPrivilegedSetAccess(Method, boolean)
Class.setAccess(boolean) ==> SecurityUtil.doPrivilegedSetAccess(Class, boolean)
Class.getDeclaredConstructors() ==> SecurityUtil.doPrivilegedGetDeclaredConstructors(Class)
Class.getDeclaredConstructor(...) ==> SecurityUtil.doPrivilegedSGetDeclaredConstructor(Class..)
Class.getDeclaredMethods() ==> SecurityUtil.doPrivilegedGetDeclaredMethods(Class)
Class.getDeclaredMethod(...) ==> SecurityUtil.doPrivilegedGetDeclaredMethods(Class..)
Class.getDeclaredFields() ==> SecurityUtil.doPrivilegedGetDeclaredFields(Class)
Class.getDeclaredField(...) ==> SecurityUtil.doPrivilegedGetDeclaredField(Class..)
ProxyFactory.createClass() ==> SecurityUtil.doPrivilegedGetProxyClass(ProxyFactory..)
One problem I have is the setAccess()/getDeclaredMethods() invocations in
javax.enterprise.util.AnnotationLiteral, which is now part of the Geronimo JCDI
API. Should we open a bug against Geronimo?
> Add dopriv's to allow OWB to function with java 2 security enabled
> ------------------------------------------------------------------
>
> Key: OWB-312
> URL: https://issues.apache.org/jira/browse/OWB-312
> Project: OpenWebBeans
> Issue Type: Bug
> Components: Core
> Affects Versions: M4
> Reporter: Jacquelle Leggett
> Assignee: YING WANG
> Fix For: 1.0.0
>
>
> When using OWB with java 2 security enabled, my application requires the
> following permissions:
> permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
> permission java.lang.RuntimePermission "accessDeclaredMembers";
> permission java.lang.RuntimePermission "getClassLoader";
> permission java.lang.RuntimePermission "getProtectionDomain";
> The associated errors do not appear to be strategic security exceptions;
> therefore, dopriv blocks should be added to the appropriate sections of code.
> Adding dopriv blocks to AnnotationUtil and ClassUtil will resolve most of
> the issues based on the SecurityExceptions I saw.
> java.security.AccessControlException: Access denied (java.lang.RuntimePermission accessDeclaredMembers)
>     at java.security.AccessController.checkPermission(AccessController.java:108)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:533)
>     at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:212)
>     at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1678)
>     at java.lang.Class.checkMemberAccess(Class.java:109)
>     at java.lang.Class.getDeclaredMethods(Class.java:668)
>     at org.apache.webbeans.util.AnnotationUtil.hasAnnotationMember(AnnotationUtil.java:457)
>     at org.apache.webbeans.container.InjectionResolver.findByQualifier(InjectionResolver.java:523)
>     at org.apache.webbeans.container.InjectionResolver.implResolveByType(InjectionResolver.java:410)
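
A sketch of the kind of wrapper the comment proposes, added here as an example and not taken from OpenWebBeans or from the comment's author. The class `SecurityUtil` and its method names are hypothetical (modelled on the proposed names, calling the JDK's `setAccessible`), and `Sample` is a constructed target.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper, not OpenWebBeans code. The class is package-private on
// purpose: doPrivileged stops the permission check at this frame, so a public
// wrapper would hand reflective access to any caller, trusted or not.
// AccessController is deprecated since Java 17, hence the suppression.
@SuppressWarnings({"deprecation", "removal"})
final class SecurityUtil {
    private SecurityUtil() { }

    // Needs RuntimePermission "accessDeclaredMembers" only in the library's
    // own protection domain, not in the application's.
    static Method[] doPrivilegedGetDeclaredMethods(final Class<?> clazz) {
        // The cast picks the PrivilegedAction overload of doPrivileged.
        return AccessController.doPrivileged(
            (PrivilegedAction<Method[]>) () -> clazz.getDeclaredMethods());
    }

    // Needs ReflectPermission "suppressAccessChecks" in the library's domain.
    static void doPrivilegedSetAccessible(final AccessibleObject obj, final boolean flag) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            obj.setAccessible(flag);
            return null;
        });
    }

    public static void main(String[] args) throws Exception {
        // Only the two reflective calls run privileged; invoke() does not.
        for (Method m : doPrivilegedGetDeclaredMethods(Sample.class)) {
            doPrivilegedSetAccessible(m, true);
            System.out.println(m.getName() + " -> " + m.invoke(new Sample()));
        }
    }
}

// Constructed sample target: a private method reachable only via reflection.
class Sample {
    private String secret() { return "called"; }
}
```

Keeping each privileged action to a single reflective call, and keeping the helper out of the public API, limits what the extra permissions can be used for.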