Suhov Roman created ARTEMIS-4933:
------------------------------------
Summary: org.apache.activemq.artemis.boot.Artemis.execute(File,
File, String[]) creates a java.net.URLClassLoader classloader, which should be
performed within a doPrivileged block
Key: ARTEMIS-4933
URL: https://issues.apache.org/jira/browse/ARTEMIS-4933
Project: ActiveMQ Artemis
Issue Type: Bug
Reporter: Suhov Roman
file:
[https://github.com/apache/activemq-artemis/blob/main/artemis-boot/src/main/java/org/apache/activemq/artemis/boot/Artemis.java]
line: 146
Instantiating a _URLClassLoader_ in the execute method without using a
_doPrivileged_ block can cause problems, especially in security-restricted
environments such as the Java Security Manager.
You need to wrap the URLClassLoader creation in a doPrivileged block something
like this:
_ClassLoader originalCL = Thread.currentThread().getContextClassLoader();_
_try {_
_URLClassLoader loader =
AccessController.doPrivileged((PrivilegedAction<URLClassLoader>) () ->_
_new URLClassLoader(urls.toArray(new URL[urls.size()])));_
_Thread.currentThread().setContextClassLoader(loader);_
_Class<?> clazz =
loader.loadClass("org.apache.activemq.artemis.cli.Artemis");_
_Method method = clazz.getMethod("execute", Boolean.TYPE, File.class,
File.class, args.getClass());_
_try {_
_return method.invoke(null, true, fileHome, fileInstance, args);_
_} catch (InvocationTargetException e) {_
_throw e.getTargetException();_
_}_
_} finally {_
_Thread.currentThread().setContextClassLoader(originalCL);_
_}_
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
