[
https://issues.apache.org/jira/browse/ARTEMIS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14989418#comment-14989418
]
ASF subversion and git services commented on ARTEMIS-294:
---------------------------------------------------------
Commit 7d6a6de8dde9700995771daddcf505b78cd58e45 in activemq-artemis's branch
refs/heads/master from [~jmesnil]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=7d6a6de ]
[ARTEMIS-294] Use doPriviledged block for ServiceLoader
In ServiceUtils, loads services from an AccessController.doPriviledged
block and use the ServiceUtils's own classloader instead of the TCCL
(that may be different depending on who's requesting a managed
connection factory first)
JIRA: https://issues.apache.org/jira/browse/ARTEMIS-294
> Make ServiceUtils loads its services within doPrivileged block
> --------------------------------------------------------------
>
> Key: ARTEMIS-294
> URL: https://issues.apache.org/jira/browse/ARTEMIS-294
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: Broker
> Affects Versions: 1.1.0
> Reporter: Jeff Mesnil
>
> We have tests that fails when the JVM is running a Security Manager.
> {noformat}
> 1) IJ000604: Throwable while attempting to get a new connection: null:
> java.security.AccessControlException: WFSM000001: Permission check failed
> (permission "("java.io.FilePermission"
> "/opt/buildAgent/work/6da23a4ee9951677/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/wildfly/extension/messaging-activemq/main/wildfly-messaging-activemq-10.0.0.CR5-SNAPSHOT.jar"
> "read")" in code source "(vfs:/content/DefaultJMSConnectionFactoryTest.jar
> <no signer certificates>)" of "null")
> at
> org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
> at
> org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
> at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> at
> org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:377)
> at java.util.zip.ZipFile.<init>(ZipFile.java:210)
> at java.util.zip.ZipFile.<init>(ZipFile.java:149)
> at java.util.jar.JarFile.<init>(JarFile.java:166)
> at java.util.jar.JarFile.<init>(JarFile.java:103)
> at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
> at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
> at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
> at
> sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
> at
> sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
> at java.net.URL.openStream(URL.java:1038)
> at java.util.ServiceLoader.parse(ServiceLoader.java:304)
> at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
> at
> java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
> at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
> at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
> at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
> at java.security.AccessController.doPrivileged(Native Method)
> at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
> at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
> at
> org.apache.activemq.artemis.service.extensions.ServiceUtils.setActiveMQXAResourceWrapperFactory(ServiceUtils.java:72)
> at
> org.apache.activemq.artemis.service.extensions.ServiceUtils.getActiveMQXAResourceWrapperFactory(ServiceUtils.java:40)
> at
> org.apache.activemq.artemis.service.extensions.ServiceUtils.wrapXAResource(ServiceUtils.java:46)
> at
> org.apache.activemq.artemis.ra.ActiveMQRAManagedConnection.getXAResource(ActiveMQRAManagedConnection.java:480)
> at
> org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.createConnectionListener(TxConnectionManagerImpl.java:715)
> at
> org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1345)
> at
> org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:501)
> at
> org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:717)
> at
> org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:614)
> at
> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:603)
> at
> org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
> at
> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:761)
> at
> org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.allocateConnection(ActiveMQRASessionFactoryImpl.java:853)
> at
> org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.createSession(ActiveMQRASessionFactoryImpl.java:520)
> ...
> {noformat}
> After debugging, the issue is in the RA's ServiceUtils that loads its
> services outside a AccessController.doPriviledged block. Depending on who's
> requesting the RA's managed connection, it may not have the required
> permissions to load the services.
> In addition, the ServiceUtils loads its services using the TCCL and caches
> its activeMQXAResourceWrapperFactory instance.
> Depending on who's requesting a managed connection, the TCCL might differ.
> It'd be better to use the ServiceUtils's own class loader instead.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
