I ran into the following exception when I enabled Java 2 security in the Java EE environment using openjpa in the WebSphere environment:
java.security.AccessControlException: Access denied ( java.lang.RuntimePermission getClassLoader) at java.security.AccessController.checkPermission(AccessController.java :104) at java.lang.SecurityManager.checkPermission(SecurityManager.java:547) at com.ibm.ws.security.core.SecurityManager.checkPermission( SecurityManager.java:189) at java.lang.Thread.getContextClassLoader(Thread.java:490) at org.apache.openjpa.lib.conf.Configurations.findDerivedLoader( Configurations.java:232) at org.apache.openjpa.lib.conf.Configurations.newInstance( Configurations.java:194) at org.apache.openjpa.lib.conf.ObjectValue.newInstance(ObjectValue.java :103) at org.apache.openjpa.lib.conf.PluginValue.instantiate(PluginValue.java :101) at org.apache.openjpa.lib.conf.ObjectValue.instantiate(ObjectValue.java :79) at org.apache.openjpa.conf.OpenJPAConfigurationImpl.getDataCacheManagerInstance (OpenJPAConfigurationImpl.java:583) at org.apache.openjpa.kernel.AbstractBrokerFactory.newBroker( AbstractBrokerFactory.java:169) at org.apache.openjpa.kernel.DelegatingBrokerFactory.newBroker( DelegatingBrokerFactory.java:142) at org.apache.openjpa.persistence.EntityManagerFactoryImpl.createEntityManager( EntityManagerFactoryImpl.java:190) at com.ibm.websphere.ejb3sample.counter.StatelessCounterBean.getTheValue (StatelessCounterBean.java:63) The scenario is a openjpa entity manager factory is injected to a stateless session bean and it is trying to create an EntityManager from the factory. Since the factory is directly injected in the application, the container has no involvment in handling the AccessController.doPrivileged(). Another similiar scenario is Persistence.createEntityManagerFactory() is called from within a stateless session bean, in which a similiar but different security related symptom is surfaced. These tests run successfully when Java 2 security is disabled. A security policy has put in place in the app server to give all permissions to the openjpa jar files in the app server. For experimentation, I add a doPrivilege block in the Configurations.findDerivedLoader where the above exception took place and I was able to by-pass the failure and the doPriv seems to work. However I went into the same exception in different places when getSystemClassLoader() and other privileged operations are used. Questions: 1) How is security being handled in openjpa or JPA in general? 2) What is the philosphy of putting doPrivilege construct around security sensitive code in openjpa? I only find 2 instances of doPrivilege usage in openJPA. 3) Who is responsible to define and enable security in a app server environment? 4) Is injecting a provider entity manager factory to user code an valid procedure? I understand EntityManager proxy/wrapper is needed for persistence context injection but I see no reason why provider's entity manager factory can not be injected to user code. Am I way off base regarding security in OpenJPA and/or JPA in general? Any insights into this topics is greatly appreciated. Thanks. Albert Lee.