[ https://issues.apache.org/struts/browse/WW-3114?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kent R. Spillner updated WW-3114:
---------------------------------

    Attachment: demonstrate-gae-security-hole.war

The attached .war file (demonstrate-gae-security-hole.war) exhibits the 
behavior I previously described (actionless results for index.jsp files are 
served as raw source with content-type text/plain) when deployed to Google 
AppEngine.

Download and unzip the .war file locally, then edit WEB-INF/appengine-web.xml 
and change the application's id to the name of one of your own AppEngine 
applications.  Run appcfg update to upload the application.

You can see the problem I describe by visiting these URLs:

http://<yourapplication>.appspot.com/
http://<yourapplication>.appspot.com/foo
http://<yourapplication>.appspot.com/foo/

Everything works as expected if you visit these URLs:

http://<yourapplication>.appspot.com/index
http://<yourapplication>.appspot.com/bar
http://<yourapplication>.appspot.com/foo/index
http://<yourapplication>.appspot.com/foo/baz



> Work around getSystemClassloader call for compatibility with GAE
> ----------------------------------------------------------------
>
>                 Key: WW-3114
>                 URL: https://issues.apache.org/struts/browse/WW-3114
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Convention
>    Affects Versions: 2.1.7
>            Reporter: Leonard Broman
>            Assignee: Wes Wannemacher
>             Fix For: 2.1.7
>
>         Attachments: demonstrate-gae-security-hole.war, gae-patch.txt
>
>
> The Google App Engine sandbox does not allow applications to access the system 
> classloader using the ClassLoader.getSystemClassLoader() accessor. The 
> convention plugin uses this to exclude URLs to scan in 
> PackageBasedActionConfigBuilder.java. 
> Due to this, the convention plugin is not functioning properly in the GAE sandbox.
> Stacktrace from app engine:
> com.opensymphony.xwork2.util.logging.jdk.JdkLogger error: Unable to scan named packages
> java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
>       at java.security.AccessControlContext.checkPermission(Unknown Source)
>       at java.security.AccessController.checkPermission(Unknown Source)
>       at java.lang.SecurityManager.checkPermission(Unknown Source)
>       at java.lang.ClassLoader.getSystemClassLoader(Unknown Source)
>       at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildUrlSet(PackageBasedActionConfigBuilder.java:324)
>       at org.apache.struts2.convention.PackageBasedActionConfigBuilder.findActions(PackageBasedActionConfigBuilder.java:295)
>       at org.apache.struts2.convention.PackageBasedActionConfigBuilder.buildActionConfigs(PackageBasedActionConfigBuilder.java:277)
>       at org.apache.struts2.convention.ClasspathPackageProvider.loadPackages(ClasspathPackageProvider.java:52)
>       at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:200)
>       at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:55)
>       at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:360)
>       at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:403)
>       at org.apache.struts2.dispatcher.FilterDispatcher.init(FilterDispatcher.java:190)
>       at org.mortbay.jetty.servlet.FilterHolder.doStart(FilterHolder.java:99)
>       at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:40)
>       at org.mortbay.jetty.servlet.ServletHandler.initialize(ServletHandler.java:589)
>       at org.mortbay.jetty.servlet.Context.startContext(Context.java:139)
>       at org.mortbay.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1218)
>       at org.mortbay.jetty.handler.ContextHandler.doStart(ContextHandler.java:500)
>       at org.mortbay.jetty.webapp.WebAppContext.doStart(WebAppContext.java:448)
>       at org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:40)
>       at com.google.apphosting.runtime.jetty.AppVersionHandlerMap.createHandler(AppVersionHandlerMap.java:190)
>       at com.google.apphosting.runtime.jetty.AppVersionHandlerMap.getHandler(AppVersionHandlerMap.java:167)
>       at com.google.apphosting.runtime.jetty.JettyServletEngineAdapter.serviceRequest(JettyServletEngineAdapter.java:113)
>       at com.google.apphosting.runtime.JavaRuntime.handleRequest(JavaRuntime.java:235)
>       at com.google.apphosting.base.RuntimePb$EvaluationRuntime$6.handleBlockingRequest(RuntimePb.java:4547)
>       at com.google.apphosting.base.RuntimePb$EvaluationRuntime$6.handleBlockingRequest(RuntimePb.java:4545)
>       at com.google.net.rpc.impl.BlockingApplicationHandler.handleRequest(BlockingApplicationHandler.java:24)
>       at com.google.net.rpc.impl.RpcUtil.runRpcInApplication(RpcUtil.java:359)
>       at com.google.net.rpc.impl.Server$2.run(Server.java:792)
>       at com.google.tracing.LocalTraceSpanRunnable.run(LocalTraceSpanRunnable.java:56)
>       at com.google.tracing.LocalTraceSpanBuilder.internalContinueSpan(LocalTraceSpanBuilder.java:489)
>       at com.google.net.rpc.impl.Server.startRpc(Server.java:748)
>       at com.google.net.rpc.impl.Server.processRequest(Server.java:340)
>       at com.google.net.rpc.impl.ServerConnection.messageReceived(ServerConnection.java:422)
>       at com.google.net.rpc.impl.RpcConnection.parseMessages(RpcConnection.java:319)
>       at com.google.net.rpc.impl.RpcConnection.dataReceived(RpcConnection.java:290)
>       at com.google.net.async.Connection.handleReadEvent(Connection.java:419)
>       at com.google.net.async.EventDispatcher.processNetworkEvents(EventDispatcher.java:733)
>       at com.google.net.async.EventDispatcher.internalLoop(EventDispatcher.java:207)
>       at com.google.net.async.EventDispatcher.loop(EventDispatcher.java:101)
>       at com.google.net.rpc.RpcService.runUntilServerShutdown(RpcService.java:249)
>       at com.google.apphosting.runtime.JavaRuntime$RpcRunnable.run(JavaRuntime.java:373)
>       at java.lang.Thread.run(Unknown Source)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
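
A post-deployment check for the symptom reported in the comment above (JSP source returned as text/plain), added here as an example and not part of the original message or the Struts project. The host name, the marker regex and the sample responses are constructed assumptions; the URL paths mirror the ones listed in the comment.

```python
import re
import urllib.request

# Markup that should never reach a client once a JSP has been rendered:
# scriptlets/directives, JSP standard actions, Struts <s:...> tags.
JSP_MARKERS = re.compile(r"<%|<jsp:[A-Za-z]|<s:[A-Za-z]")

def check_response(url, content_type, body):
    """Return findings for one response from a URL expected to render HTML."""
    findings = []
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "text/plain":
        findings.append("served as text/plain")
    if JSP_MARKERS.search(body):
        findings.append("unrendered JSP markup in body")
    return findings

def audit(responses):
    """Map each URL to its findings, keeping only URLs that have any."""
    report = {}
    for url, content_type, body in responses:
        findings = check_response(url, content_type, body)
        if findings:
            report[url] = findings
    return report

def fetch(url):
    """Fetch a URL from your own deployment as a (url, content_type, body) tuple."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
        return url, resp.headers.get("Content-Type", ""), body

# Constructed sample responses (placeholder host, invented bodies).
BASE = "http://yourapplication.appspot.com"
SAMPLE = [
    (BASE + "/", "text/plain",
     '<%@ taglib prefix="s" uri="/struts-tags" %>\n<s:property value="message"/>'),
    (BASE + "/foo/", "text/plain",
     '<%@ page contentType="text/html" %>\n<html></html>'),
    (BASE + "/index", "text/html; charset=UTF-8", "<html><body>Hello</body></html>"),
    (BASE + "/foo/baz", "text/html; charset=UTF-8", "<html><body>baz</body></html>"),
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE).items():
        print(url, "->", ", ".join(findings))
```

To run it against a deployment of your own, build the input with `audit([fetch(u) for u in urls])` instead of `SAMPLE`.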
