Maybe we should put in some doPrivileged blocks in HiveMind when we use Javassist.
-----Original Message-----
From: David J. M. Karlsen [mailto:[EMAIL PROTECTED]
Sent: Friday, May 13, 2005 6:57 AM
To: [email protected]
Subject: Re: Serious Java2 security problem

James Carman wrote:

> I read somewhere here
> <http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/rsec_rsecmgr2.html> that
> there's a file called filter.policy that can override the settings in
> the was.policy file.

filter.policy reads:

filterMask {
    permission java.lang.RuntimePermission "exitVM";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.security.SecurityPermission "setPolicy";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

runtimeFilterMask {
    permission java.lang.RuntimePermission "exitVM";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.security.SecurityPermission "setPolicy";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

My was.policy reads:

grant codeBase "file:${application}" {
    permission java.security.AllPermission;
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.infos";
};

grant codeBase "" {
    permission java.security.AllPermission;
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.infos";
};

{application} is expanded to mean all parts of the ear (ejb's jars etc)

I think the problem is that the generated class does not belong to the codeBases given...

> -----Original Message-----
> From: David J. M. Karlsen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 12, 2005 5:10 PM
> To: [email protected]
> Subject: Re: Serious Java2 security problem
>
> James Carman wrote:
>
> > What do you have in your filter.policy file?
>
> Hmm, took a look at:
> http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_filterpolicy.html
>
> (it's for WAS6, but I guess a lot or all of the settings apply for
> 5.0.x as well). I'll have a try experimenting with the file:${jars},
> what file:${application} means isn't stated - maybe it doesn't cover
> all parts of the EAR?
>
> > -----Original Message-----
> > From: David J. M. Karlsen [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 12, 2005 4:39 PM
> > To: [email protected]
> > Subject: Serious Java2 security problem
> >
> > Hi list!
> >
> > I've been running my HM app inside a WebSphere 5.0.x container for a
> > long time - and all well.
> >
> > BUT, when we turn on security things start to fail. The application has
> > a was.policy (WebSphere's naming of a java.security file) in the EAR,
> > granting:
> >
> > grant codeBase "java:${application}" {
> >     java.security.AllPermission
> > };
> >
> > (taken from memory - but it's valid syntax)
> >
> > I've tried to add:
> >
> > grant {
> >     java.security.AllPermission;
> > }
> >
> > which should grant all permissions regardless of signing of code or
> > where the code came from.
> >
> > But still, I end up with this:
> >
> > [12.05.05 21:46:26:392 CEST] 6f98ac SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information.
> >
> > Permission:
> >
> >     accessClassInPackage.sun.beans.infos : access denied (java.lang.RuntimePermission accessClassInPackage.sun.beans.infos)
> >
> > Code:
> >
> >     $InnerProxy_103d2718b8e_1 in {null code URL}
> >
> > Stack Trace:
> >
> > java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.beans.infos)
> >     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:267)
> >     at java.security.AccessController.checkPermission(AccessController.java:394)
> >     at java.lang.SecurityManager.checkPermission(SecurityManager.java:540)
> >     at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:168)
> >     at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1496)
> >     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:285)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:287)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> >     at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:43)
> >     at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:39)
> >     at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:318)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> >     at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:294)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> >     at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:318)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> >     at java.beans.Introspector.instantiate(Introspector.java:1294)
> >     at java.beans.Introspector.findInformant(Introspector.java:335)
> >     at java.beans.Introspector.<init>(Introspector.java:264)
> >     at java.beans.Introspector.getBeanInfo(Introspector.java:89)
> >     at org.apache.hivemind.util.PropertyUtils.buildClassAdaptor(PropertyUtils.java:148)
> >     at org.apache.hivemind.util.PropertyUtils.getAdaptor(PropertyUtils.java:137)
> >     at org.apache.hivemind.util.PropertyUtils.getPropertyType(PropertyUtils.java:91)
> >     at org.apache.hivemind.schema.rules.ReadAttributeRule.begin(ReadAttributeRule.java:78)
> >     at org.apache.hivemind.impl.SchemaElement.fireBegin(SchemaElement.java:209)
> >     at org.apache.hivemind.impl.SchemaProcessorImpl.processElement(SchemaProcessorImpl.java:213)
> >     at org.apache.hivemind.impl.SchemaProcessorImpl.processRootElement(SchemaProcessorImpl.java:188)
> >     at org.apache.hivemind.impl.SchemaProcessorImpl.process(SchemaProcessorImpl.java:176)
> >     at org.apache.hivemind.impl.InvokeFactoryServiceConstructor.constructCoreServiceImplementation(InvokeFactoryServiceConstructor.java:82)
> >
> > Known problem? Any workarounds? I'm going in for acceptance-test for my
> > customer - so I'm kind of in a hurry. All help will be very much
> > appreciated.
> >
> > Regs,
> > David K.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]

--
David J. M. Karlsen - +47 90 68 22 43
http://www.davidkarlsen.com
http://mp3.davidkarlsen.com
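
An added illustration, not part of the thread and not HiveMind's code, of the two points raised above: a class defined at runtime without a ProtectionDomain reports a null code location, which a `grant codeBase "..."` entry keyed on a location does not match, and a doPrivileged wrapper placed in library code limits the permission check to the library's own domain. `GeneratedStandIn`, `DefiningLoader` and `privilegedBeanInfo` are hypothetical names; the sketch assumes JDK 9 or later and that the file is compiled with javac before it is run.

```java
import java.beans.BeanInfo;
import java.beans.Introspector;
import java.io.InputStream;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

// Constructed stand-in for a class that a bytecode generator emits at runtime.
class GeneratedStandIn { }

public class NullCodeSourceDemo {
    // Hypothetical loader: defines the bytes itself instead of delegating to its parent.
    static class DefiningLoader extends ClassLoader {
        Class<?> define(String name, byte[] b, ProtectionDomain pd) {
            // A null pd makes the JVM assign a default domain with no code location.
            return defineClass(name, b, 0, b.length, pd);
        }
    }

    static String location(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null || cs.getLocation() == null
                ? "{null code URL}" : cs.getLocation().toString();
    }

    // Hypothetical library-side wrapper: permission checks made inside the action stop
    // at this frame, so callers higher on the stack (a generated proxy) are not consulted.
    // The domain of the class calling doPrivileged must still hold the permission.
    @SuppressWarnings("removal")
    static BeanInfo privilegedBeanInfo(Class<?> c) throws Exception {
        return AccessController.doPrivileged(
                (PrivilegedExceptionAction<BeanInfo>) () -> Introspector.getBeanInfo(c));
    }

    public static void main(String[] args) throws Exception {
        String name = GeneratedStandIn.class.getName();
        byte[] bytes;
        try (InputStream in = NullCodeSourceDemo.class.getResourceAsStream("/" + name + ".class")) {
            if (in == null) throw new IllegalStateException("compile with javac, then run");
            bytes = in.readAllBytes();
        }
        ProtectionDomain appDomain = NullCodeSourceDemo.class.getProtectionDomain();
        Class<?> bare = new DefiningLoader().define(name, bytes, null);
        Class<?> inDomain = new DefiningLoader().define(name, bytes, appDomain);
        System.out.println("defined with no domain:    " + location(bare));
        System.out.println("defined in caller domain:  " + location(inDomain));
        System.out.println("introspected in doPrivileged: "
                + privilegedBeanInfo(bare).getBeanDescriptor().getName());
    }
}
```

Without a security manager installed the doPrivileged call changes nothing observable; the first two output lines are the part that reproduces the `{null code URL}` seen in the SECJ0314W message.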
