[ https://issues.apache.org/jira/browse/ARTEMIS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram reassigned ARTEMIS-294:
--------------------------------------

    Assignee: Justin Bertram

> Make ServiceUtils loads its services within doPrivileged block
> --------------------------------------------------------------
>
>                 Key: ARTEMIS-294
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-294
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 1.1.0
>            Reporter: Jeff Mesnil
>            Assignee: Justin Bertram
>             Fix For: 1.1.1
>
>
> We have tests that fail when the JVM is running a Security Manager.
> {noformat}
> 1) IJ000604: Throwable while attempting to get a new connection: null:
> java.security.AccessControlException: WFSM000001: Permission check failed
> (permission "("java.io.FilePermission"
> "/opt/buildAgent/work/6da23a4ee9951677/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/wildfly/extension/messaging-activemq/main/wildfly-messaging-activemq-10.0.0.CR5-SNAPSHOT.jar"
> "read")" in code source "(vfs:/content/DefaultJMSConnectionFactoryTest.jar
> <no signer certificates>)" of "null")
>       at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
>       at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
>       at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>       at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:377)
>       at java.util.zip.ZipFile.<init>(ZipFile.java:210)
>       at java.util.zip.ZipFile.<init>(ZipFile.java:149)
>       at java.util.jar.JarFile.<init>(JarFile.java:166)
>       at java.util.jar.JarFile.<init>(JarFile.java:103)
>       at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
>       at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
>       at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
>       at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
>       at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
>       at java.net.URL.openStream(URL.java:1038)
>       at java.util.ServiceLoader.parse(ServiceLoader.java:304)
>       at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
>       at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
>       at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
>       at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
>       at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
>       at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
>       at org.apache.activemq.artemis.service.extensions.ServiceUtils.setActiveMQXAResourceWrapperFactory(ServiceUtils.java:72)
>       at org.apache.activemq.artemis.service.extensions.ServiceUtils.getActiveMQXAResourceWrapperFactory(ServiceUtils.java:40)
>       at org.apache.activemq.artemis.service.extensions.ServiceUtils.wrapXAResource(ServiceUtils.java:46)
>       at org.apache.activemq.artemis.ra.ActiveMQRAManagedConnection.getXAResource(ActiveMQRAManagedConnection.java:480)
>       at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.createConnectionListener(TxConnectionManagerImpl.java:715)
>       at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1345)
>       at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:501)
>       at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:717)
>       at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:614)
>       at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:603)
>       at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
>       at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:761)
>       at org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.allocateConnection(ActiveMQRASessionFactoryImpl.java:853)
>       at org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.createSession(ActiveMQRASessionFactoryImpl.java:520)
> ...
> {noformat}
> After debugging, the issue is in the RA's ServiceUtils that loads its
> services outside an AccessController.doPrivileged block. Depending on who's
> requesting the RA's managed connection, it may not have the required
> permissions to load the services.
> In addition, the ServiceUtils loads its services using the TCCL and caches
> its activeMQXAResourceWrapperFactory instance.
> Depending on who's requesting a managed connection, the TCCL might differ.
> It'd be better to use the ServiceUtils's own class loader instead.
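
The pattern the issue asks for, as an added example that is not the Artemis code or its eventual fix: the provider lookup runs inside AccessController.doPrivileged and uses the class's own class loader, so the cached result does not depend on which caller (or which TCCL) reached it first. PrivilegedServiceLookup, WrapperFactory and DefaultWrapperFactory are hypothetical names standing in for ServiceUtils and its factory interface.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.ServiceLoader;

// Hypothetical stand-in for a ServiceUtils-style helper (assumption, not project code).
public final class PrivilegedServiceLookup {

    /** Hypothetical SPI; a real provider would be listed under META-INF/services. */
    public interface WrapperFactory {
        String name();
    }

    /** Fallback used when no provider is registered. */
    static final class DefaultWrapperFactory implements WrapperFactory {
        @Override
        public String name() { return "default"; }
    }

    // Safe to cache: the lookup below no longer varies with the caller's TCCL.
    private static volatile WrapperFactory cached;

    private PrivilegedServiceLookup() { }

    public static WrapperFactory getFactory() {
        WrapperFactory f = cached;
        if (f == null) {
            // The privileged action takes no caller-supplied input: the interface
            // and the class loader are fixed, so a less-privileged caller cannot
            // steer the elevated code towards other resources.
            // (AccessController is deprecated for removal since Java 17.)
            f = AccessController.doPrivileged(
                    (PrivilegedAction<WrapperFactory>) PrivilegedServiceLookup::load);
            cached = f;
        }
        return f;
    }

    private static WrapperFactory load() {
        // Own class loader instead of Thread.currentThread().getContextClassLoader().
        ClassLoader own = PrivilegedServiceLookup.class.getClassLoader();
        Iterator<WrapperFactory> it = ServiceLoader.load(WrapperFactory.class, own).iterator();
        // Iterating is what opens the provider jar, so it must stay inside the action.
        return it.hasNext() ? it.next() : new DefaultWrapperFactory();
    }

    public static void main(String[] args) {
        System.out.println(getFactory().name());
    }
}
```

Under a Security Manager the library's own code source still needs the FilePermission; doPrivileged only stops the check from walking further up the stack into the deployment that requested the connection.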