Why don't you try putting in some doPrivileged blocks around the calls to
HiveMind?

-----Original Message-----
From: David J. M. Karlsen [mailto:[EMAIL PROTECTED] 
Sent: Friday, May 13, 2005 9:19 AM
To: [email protected]
Subject: Re: Serious Java2 security problem


James Carman wrote:
> Maybe we should put in some doPrivileged blocks in HiveMind when we 
> use Javassist.

Yeah - I think so.
Now I've tried to add

permission java.lang.RuntimePermission "accessClassInPackage.{sun.beans.*};

but it changes nothing...


A real pity.
Now I have to rewrite everything and abandon hivemind.... Extremely
irritating that I didn't discover this before...


> 
> -----Original Message-----
> From: David J. M. Karlsen [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 13, 2005 6:57 AM
> To: [email protected]
> Subject: Re: Serious Java2 security problem
> 
> 
> James Carman wrote:
> 
>>I read somewhere here
>><http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/rsec_rsecmgr2.html>
>>that there's a file called filter.policy that can override the settings in
>>the was.policy file.
> 
> 
> filter.policy reads:
> 
> filterMask {
>    permission java.lang.RuntimePermission "exitVM";
>    permission java.lang.RuntimePermission "setSecurityManager";
>    permission java.security.SecurityPermission "setPolicy";
>    permission javax.security.auth.AuthPermission "setLoginConfiguration";
> };
> 
> runtimeFilterMask {
>    permission java.lang.RuntimePermission "exitVM";
>    permission java.lang.RuntimePermission "setSecurityManager";
>    permission java.security.SecurityPermission "setPolicy";
>    permission javax.security.auth.AuthPermission "setLoginConfiguration";
> };
> 
> 
> 
> 
> My was.policy reads:
> 
> grant codeBase "file:${application}" {
>     permission java.security.AllPermission;
>     permission java.lang.RuntimePermission "accessClassInPackage.*";
>     permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.infos";
> };
> 
> grant codeBase "" {
>     permission java.security.AllPermission;
>     permission java.lang.RuntimePermission "accessClassInPackage.*";
>     permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.infos";
> };
> 
> 
> {application} is expanded to mean all parts of the ear (ejb's jars etc)
> 
> I think the problem is that the generated class does not belong to the
> codeBase's given...
> 
> 
> 
> 
>>
>>-----Original Message-----
>>From: David J. M. Karlsen [mailto:[EMAIL PROTECTED]
>>Sent: Thursday, May 12, 2005 5:10 PM
>>To: [email protected]
>>Subject: Re: Serious Java2 security problem
>>
>>
>>James Carman wrote:
>>
>> >What do you have in your filter.policy file?
>> >
>> >
>>Hmm, took a look at:
>>http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_filterpolicy.html
>>(it's for WAS6, but I guess a lot or all of the settings apply for
>>5.0.x as well). I'll have a try experimenting with the file:${jars},
>>what file:${application} means isn't stated - maybe it doesn't cover
>>all parts of the EAR?
>>
>> >-----Original Message-----
>> >From: David J. M. Karlsen [mailto:[EMAIL PROTECTED]
>> >Sent: Thursday, May 12, 2005 4:39 PM
>> >To: [email protected]
>> >Subject: Serious Java2 security problem
>> >
>> >
>> >Hi list!
>> >
>> >I've been running my HM app inside a WebSphere 5.0.x container for a
>> >long time - and all well.
>> >
>> >BUT, when we turn on security things start to fail. The application 
>> >has a was.policy (WebSphere's naming of a java.security file) in the 
>> >EAR,
>> >granting:
>> >
>> >grant codeBase "java:${application}" {
>> >    java.security.AllPermission
>> >};
>> >
>> >(taken from memory - but it's valid syntax)
>> >
>> >I've tried to add:
>> >
>> > grant {
>> >    java.security.AllPermission;
>> >}
>> >
>> >which should grant all permissions regardless of signing of code or 
>> >where the code came from.
>> >
>> >But still, I end up with this:
>> >
>> >[12.05.05 21:46:26:392 CEST]   6f98ac SecurityManag W SECJ0314W: Current
>> >Java 2 Security policy reported a potential violation of Java 2 
>> >Security Permission. Please refer to Problem Determination Guide for 
>> >further information.
>> >
>> >Permission:
>> >
>> >      accessClassInPackage.sun.beans.infos : access denied (java.lang.RuntimePermission accessClassInPackage.sun.beans.infos)
>> >
>> >Code:
>> >
>> >     $InnerProxy_103d2718b8e_1  in  {null code URL}
>> >
>> >Stack Trace:
>> >
>> >java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.beans.infos)
>> >        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:267)
>> >        at java.security.AccessController.checkPermission(AccessController.java:394)
>> >        at java.lang.SecurityManager.checkPermission(SecurityManager.java:540)
>> >        at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:168)
>> >        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1496)
>> >        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:285)
>> >        at java.lang.ClassLoader.loadClass(ClassLoader.java:287)
>> >        at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
>> >        at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:43)
>> >        at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:39)
>> >        at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:318)
>> >        at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
>> >        at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:294)
>> >        at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
>> >        at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:318)
>> >        at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
>> >        at java.beans.Introspector.instantiate(Introspector.java:1294)
>> >        at java.beans.Introspector.findInformant(Introspector.java:335)
>> >        at java.beans.Introspector.<init>(Introspector.java:264)
>> >        at java.beans.Introspector.getBeanInfo(Introspector.java:89)
>> >        at org.apache.hivemind.util.PropertyUtils.buildClassAdaptor(PropertyUtils.java:148)
>> >        at org.apache.hivemind.util.PropertyUtils.getAdaptor(PropertyUtils.java:137)
>> >        at org.apache.hivemind.util.PropertyUtils.getPropertyType(PropertyUtils.java:91)
>> >        at org.apache.hivemind.schema.rules.ReadAttributeRule.begin(ReadAttributeRule.java:78)
>> >        at org.apache.hivemind.impl.SchemaElement.fireBegin(SchemaElement.java:209)
>> >        at org.apache.hivemind.impl.SchemaProcessorImpl.processElement(SchemaProcessorImpl.java:213)
>> >        at org.apache.hivemind.impl.SchemaProcessorImpl.processRootElement(SchemaProcessorImpl.java:188)
>> >        at org.apache.hivemind.impl.SchemaProcessorImpl.process(SchemaProcessorImpl.java:176)
>> >        at org.apache.hivemind.impl.InvokeFactoryServiceConstructor.constructCoreServiceImplementation(InvokeFactoryServiceConstructor.java:82)
>> >
>> >
>> >
>> >Known problem? Any workarounds? I'm going in for acceptance-test for 
>> >my customer - so I'm kind of in a hurry. All help will be very much 
>> >appreciated.
>> >
>> >Regs,
>> >David K.
>> >
>> >
>> >---------------------------------------------------------------------
>> >To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >For additional commands, e-mail: [EMAIL PROTECTED]


-- 
David J. M. Karlsen - +47 90 68 22 43 http://www.davidkarlsen.com
http://mp3.davidkarlsen.com
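
The doPrivileged suggestion from the top of this thread, as an added example that is not part of the original messages and is not HiveMind code. The class name `PrivilegedIntrospection` and both methods are hypothetical; it assumes the generated proxy is a caller further up the stack and that the jar containing this helper is itself granted `accessClassInPackage.sun.beans.infos` in was.policy.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper (assumption), showing where a library would place the block.
public final class PrivilegedIntrospection {

    private PrivilegedIntrospection() {}

    // Wraps only the Introspector call. The permission check stops at this
    // frame, so callers with no code source (such as a runtime-generated
    // proxy) are not consulted; this class's own protection domain must
    // hold the permission. Keep the privileged action this narrow: it must
    // not run caller-supplied code.
    public static BeanInfo getBeanInfo(final Class<?> beanClass)
            throws IntrospectionException {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<BeanInfo>() {
                    public BeanInfo run() throws IntrospectionException {
                        return Introspector.getBeanInfo(beanClass);
                    }
                });
        } catch (PrivilegedActionException e) {
            // run() declares IntrospectionException as its only checked exception
            throw (IntrospectionException) e.getException();
        }
    }

    // Diagnostic: shows which code source (if any) the policy will match a
    // class against. Under a security manager this call itself needs
    // RuntimePermission "getProtectionDomain".
    public static String describeCodeSource(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        boolean none = (cs == null || cs.getLocation() == null);
        return c.getName() + " in " + (none ? "no code source" : cs.getLocation().toString());
    }

    public static void main(String[] args) throws Exception {
        BeanInfo info = getBeanInfo(java.util.Date.class);
        System.out.println(info.getPropertyDescriptors().length + " properties");
        System.out.println(describeCodeSource(PrivilegedIntrospection.class));
    }
}
```

Calling `describeCodeSource` on the generated proxy class shows whether it has a location that a `grant codeBase` entry could ever match.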
