[jira] [Assigned] (ARTEMIS-294) Make ServiceUtils loads its services within doPrivileged block

Justin Bertram (JIRA) Fri, 20 Nov 2015 14:53:10 -0800

     [ 
https://issues.apache.org/jira/browse/ARTEMIS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Justin Bertram reassigned ARTEMIS-294:
--------------------------------------

    Assignee: Justin Bertram

> Make ServiceUtils loads its services within doPrivileged block
> --------------------------------------------------------------
>
>                 Key: ARTEMIS-294
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-294
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 1.1.0
>            Reporter: Jeff Mesnil
>            Assignee: Justin Bertram
>             Fix For: 1.1.1
>
>
> We have tests that fails when the JVM is running a Security Manager.
> {noformat}
> 1) IJ000604: Throwable while attempting to get a new connection: null: 
> java.security.AccessControlException: WFSM000001: Permission check failed 
> (permission "("java.io.FilePermission" 
> "/opt/buildAgent/work/6da23a4ee9951677/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/wildfly/extension/messaging-activemq/main/wildfly-messaging-activemq-10.0.0.CR5-SNAPSHOT.jar"
>  "read")" in code source "(vfs:/content/DefaultJMSConnectionFactoryTest.jar 
> <no signer certificates>)" of "null")
>     at 
> org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
>     at 
> org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>     at 
> org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:377)
>     at java.util.zip.ZipFile.<init>(ZipFile.java:210)
>     at java.util.zip.ZipFile.<init>(ZipFile.java:149)
>     at java.util.jar.JarFile.<init>(JarFile.java:166)
>     at java.util.jar.JarFile.<init>(JarFile.java:103)
>     at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
>     at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
>     at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
>     at 
> sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
>     at 
> sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
>     at java.net.URL.openStream(URL.java:1038)
>     at java.util.ServiceLoader.parse(ServiceLoader.java:304)
>     at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
>     at 
> java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
>     at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
>     at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
>     at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
>     at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
>     at 
> org.apache.activemq.artemis.service.extensions.ServiceUtils.setActiveMQXAResourceWrapperFactory(ServiceUtils.java:72)
>     at 
> org.apache.activemq.artemis.service.extensions.ServiceUtils.getActiveMQXAResourceWrapperFactory(ServiceUtils.java:40)
>     at 
> org.apache.activemq.artemis.service.extensions.ServiceUtils.wrapXAResource(ServiceUtils.java:46)
>     at 
> org.apache.activemq.artemis.ra.ActiveMQRAManagedConnection.getXAResource(ActiveMQRAManagedConnection.java:480)
>     at 
> org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.createConnectionListener(TxConnectionManagerImpl.java:715)
>     at 
> org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1345)
>     at 
> org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:501)
>     at 
> org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:717)
>     at 
> org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:614)
>     at 
> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:603)
>     at 
> org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
>     at 
> org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:761)
>     at 
> org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.allocateConnection(ActiveMQRASessionFactoryImpl.java:853)
>     at 
> org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.createSession(ActiveMQRASessionFactoryImpl.java:520)
>    ...
> {noformat}
> After debugging, the issue is in the RA's ServiceUtils that loads its 
> services outside a AccessController.doPriviledged block. Depending on who's 
> requesting the RA's managed connection, it may not have the required 
> permissions to load the services.
> In addition, the ServiceUtils loads its services using the TCCL and caches 
> its activeMQXAResourceWrapperFactory instance.
> Depending on who's requesting a managed connection, the TCCL might differ. 
> It'd be better to use the ServiceUtils's own class loader instead.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Assigned] (ARTEMIS-294) Make ServiceUtils loads its services within doPrivileged block

Reply via email to