[jira] [Commented] (ARTEMIS-294) Make ServiceUtils loads its services within doPrivileged block

ASF GitHub Bot (JIRA) Wed, 04 Nov 2015 02:52:03 -0800

    [ 
https://issues.apache.org/jira/browse/ARTEMIS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14989318#comment-14989318
 ]


ASF GitHub Bot commented on ARTEMIS-294:
----------------------------------------

GitHub user jmesnil opened a pull request:

    https://github.com/apache/activemq-artemis/pull/231

    [ARTEMIS-294] Use doPriviledged block for ServiceLoader

    In ServiceUtils, loads services from an AccessController.doPriviledged
    block and use the ServiceUtils's own classloader instead of the TCCL
    (that may be different depending on who's requesting a managed
    connection factory first)
    
    JIRA: https://issues.apache.org/jira/browse/ARTEMIS-294

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/jmesnil/activemq-artemis 
ARTEMIS-294_ServiceUtils_doPriviledged

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/activemq-artemis/pull/231.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #231
    
----
commit 9657dec3b4165c74470bb930826943d035a1cccb
Author: Jeff Mesnil <[email protected]>
Date:   2015-11-04T10:38:43Z

    [ARTEMIS-294] Use doPriviledged block for ServiceLoader
    
    In ServiceUtils, loads services from an AccessController.doPriviledged
    block and use the ServiceUtils's own classloader instead of the TCCL
    (that may be different depending on who's requesting a managed
    connection factory first)
    
    JIRA: https://issues.apache.org/jira/browse/ARTEMIS-294

----


> Make ServiceUtils loads its services within doPrivileged block
> --------------------------------------------------------------
>
>                 Key: ARTEMIS-294
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-294
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 1.1.0
>            Reporter: Jeff Mesnil
>
> We have tests that fails when the JVM is running a Security Manager.
> {noformat}
> 1) IJ000604: Throwable while attempting to get a new connection: null: 
> java.security.AccessControlException: WFSM000001: Permission check failed 
> (permission "("java.io.FilePermission" 
> "/opt/buildAgent/work/6da23a4ee9951677/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/wildfly/extension/messaging-activemq/main/wildfly-messaging-activemq-10.0.0.CR5-SNAPSHOT.jar"
>  "read")" in code source "(vfs:/content/DefaultJMSConnectionFactoryTest.jar 
> <no signer certificates>)" of "null")
>     at 
> org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
>     at 
> org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>     at 
> org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:377)
>     at java.util.zip.ZipFile.<init>(ZipFile.java:210)
>     at java.util.zip.ZipFile.<init>(ZipFile.java:149)
>     at java.util.jar.JarFile.<init>(JarFile.java:166)
>     at java.util.jar.JarFile.<init>(JarFile.java:103)
>     at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
>     at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
>     at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
>     at 
> sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
>     at 
> sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
>     at java.net.URL.openStream(URL.java:1038)
>     at java.util.ServiceLoader.parse(ServiceLoader.java:304)
>     at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
>     at 
> java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
>     at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
>     at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
>     at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
>     at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
>     at 
> org.apache.activemq.artemis.service.extensions.ServiceUtils.setActiveMQXAResourceWrapperFactory(ServiceUtils.java:72)
>     at 
> org.apache.activemq.artemis.service.extensions.ServiceUtils.getActiveMQXAResourceWrapperFactory(ServiceUtils.java:40)
>     at 
> org.apache.activemq.artemis.service.extensions.ServiceUtils.wrapXAResource(ServiceUtils.java:46)
>     at 
> org.apache.activemq.artemis.ra.ActiveMQRAManagedConnection.getXAResource(ActiveMQRAManagedConnection.java:480)
>     at 
> org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.createConnectionListener(TxConnectionManagerImpl.java:715)
>     at 
> org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1345)
>     at 
> org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:501)
>     at 
> org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:717)
>     at 
> org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:614)
>     at 
> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:603)
>     at 
> org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
>     at 
> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:761)
>     at 
> org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.allocateConnection(ActiveMQRASessionFactoryImpl.java:853)
>     at 
> org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.createSession(ActiveMQRASessionFactoryImpl.java:520)
>    ...
> {noformat}
> After debugging, the issue is in the RA's ServiceUtils that loads its 
> services outside a AccessController.doPriviledged block. Depending on who's 
> requesting the RA's managed connection, it may not have the required 
> permissions to load the services.
> In addition, the ServiceUtils loads its services using the TCCL and caches 
> its activeMQXAResourceWrapperFactory instance.
> Depending on who's requesting a managed connection, the TCCL might differ. 
> It'd be better to use the ServiceUtils's own class loader instead.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (ARTEMIS-294) Make ServiceUtils loads its services within doPrivileged block

Reply via email to