Author: gtrasuk Date: Mon Apr 2 04:00:34 2012 New Revision: 1308236 URL: http://svn.apache.org/viewvc?rev=1308236&view=rev Log: Implemented privileged operations in the VirtualFileSystemClassLoader. Application now has implicit permission to access its classpath.
Modified: river/jtsk/skunk/surrogate/src/org/apache/river/container/StarterServiceDeployer.java river/jtsk/skunk/surrogate/src/org/apache/river/container/classloading/VirtualFileSystemClassLoader.java river/jtsk/skunk/surrogate/src/org/apache/river/container/liaison/VirtualFileSystemConfiguration.java river/jtsk/skunk/surrogate/testfiles/logging.properties
Modified: river/jtsk/skunk/surrogate/src/org/apache/river/container/StarterServiceDeployer.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/surrogate/src/org/apache/river/container/StarterServiceDeployer.java?rev=1308236&r1=1308235&r2=1308236&view=diff
==============================================================================
--- river/jtsk/skunk/surrogate/src/org/apache/river/container/StarterServiceDeployer.java (original)
+++ river/jtsk/skunk/surrogate/src/org/apache/river/container/StarterServiceDeployer.java Mon Apr 2 04:00:34 2012
@@ -28,6 +28,7 @@ import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.net.URL;
+import java.security.AllPermission;
 import java.security.CodeSource;
 import java.security.Permission;
 import java.security.Principal;
@@ -226,6 +227,8 @@ public class StarterServiceDeployer { } grantPermissions(cl, new Permission[] {new FilePermission(workingDir.getAbsolutePath(), Strings.READ)}); + // Just to see if this is a security problem... + //grantPermissions(cl, new Permission[] { new AllPermission() }); Utils.logClassLoaderHierarchy(log, Level.FINE, this.getClass()); String configName = VirtualFileSystemConfiguration.class.getName(); invokeStatic(cl, configName, Modified: river/jtsk/skunk/surrogate/src/org/apache/river/container/classloading/VirtualFileSystemClassLoader.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/surrogate/src/org/apache/river/container/classloading/VirtualFileSystemClassLoader.java?rev=1308236&r1=1308235&r2=1308236&view=diff ============================================================================== --- river/jtsk/skunk/surrogate/src/org/apache/river/container/classloading/VirtualFileSystemClassLoader.java (original) +++ river/jtsk/skunk/surrogate/src/org/apache/river/container/classloading/VirtualFileSystemClassLoader.java Mon Apr 2 04:00:34 2012 @@ -21,18 +21,21 @@ import java.io.IOException; import java.net.URL; import java.net.URLClassLoader; import java.security.CodeSource; +import java.security.PrivilegedAction; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.ArrayList; import java.util.Collections; import java.util.Enumeration; import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; +import net.jini.security.Security; import org.apache.commons.vfs.FileObject; import org.apache.commons.vfs.FileSystemException; import org.apache.commons.vfs.FileUtil; import org.apache.river.container.LocalizedRuntimeException; import org.apache.river.container.MessageNames; -import org.apache.river.container.Utils; /** 
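Review bot: The commented-out `grantPermissions(cl, new Permission[] { new AllPermission() });` and its "Just to see if this is a security problem..." comment are debugging residue and should not be committed. Un-commenting that one line would give the deployed application's class loader every permission, cancelling the sandbox that the `FilePermission` grant just above it sets up. The `import java.security.AllPermission;` added in the first hunk of this file appears unused in the visible lines, so drop both. If the experiment has to stay reproducible, keep the grant in a test-only policy configuration rather than in the deployer source. The enclosing method starts and ends outside the hunk.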
@@ -89,7 +92,7 @@ public class VirtualFileSystemClassLoade List<ClasspathFilter> filters = new ClasspathFilterBuilder().parseToFilters(classPath); for (ClasspathFilter filter : filters) { FileObject entryObject = fileRoot.resolveFile(filter.getJarName()); - + FileObject entryFileSystem = fileRoot.getFileSystem().getFileSystemManager().createFileSystem(entryObject); classpathEntries.add(new ClasspathEntry(filter, entryFileSystem)); 
@@ -107,28 +110,44 @@ public class VirtualFileSystemClassLoade @return */ @Override - public URL findResource(String name) { + public URL findResource(final String name) { try { - FileObject fo = findResourceFileObject(name); - return fo == null ? null : fo.getURL(); - } catch (FileSystemException ex) { + return Security.doPrivileged(new PrivilegedExceptionAction<URL>() { + + @Override + public URL run() throws Exception { + FileObject fo = findResourceFileObject(name); + return fo == null ? null : fo.getURL(); + } + }); + + } catch (Exception ex) { Logger.getLogger(VirtualFileSystemClassLoader.class.getName()).log(Level.SEVERE, null, ex); } return null; } @Override - public Enumeration<URL> findResources(String name) throws IOException { - List<URL> urlList = new ArrayList<URL>(); - try { - List<FileObject> foList = findResourceFileObjects(name); - for (FileObject fo : foList) { - urlList.add(fo.getURL()); + public Enumeration<URL> findResources(final String name) throws IOException { + + Enumeration result = + Security.doPrivileged(new PrivilegedAction<Enumeration>() { + + public Enumeration run() { + List<URL> urlList = new ArrayList<URL>(); + try { + + List<FileObject> foList = findResourceFileObjects(name); + for (FileObject fo : foList) { + urlList.add(fo.getURL()); + } + } catch (FileSystemException ex) { + Logger.getLogger(VirtualFileSystemClassLoader.class.getName()).log(Level.SEVERE, null, ex); + } + return Collections.enumeration(urlList); } - } catch (FileSystemException ex) { - Logger.getLogger(VirtualFileSystemClassLoader.class.getName()).log(Level.SEVERE, null, ex); - } - return Collections.enumeration(urlList); + }); + return result; } /** 
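Review bot: `catch (Exception ex)` in `findResource` swallows far more than the old `FileSystemException` handler did. Checked failures now arrive wrapped in `PrivilegedActionException`, so the log records the wrapper rather than the cause, and any `RuntimeException` from the lookup, a `SecurityException` included, is turned into a `null` "not found" result. Catch `PrivilegedActionException` and log `ex.getException()`, letting unchecked exceptions propagate. In `findResources` the action uses the raw type `Enumeration`, which forces an unchecked conversion at `return result;`; declare it as `PrivilegedAction<Enumeration<URL>>` with `@Override` on `run()`. Both methods are public and pass a caller-supplied name into the privileged block, so confinement to the classpath entries rests on `findResourceFileObject`, which is outside this hunk; a comment on each `doPrivileged` call should state that assumption.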
@@ -175,17 +194,27 @@ public class VirtualFileSystemClassLoade } @Override - protected Class<?> findClass(String name) throws ClassNotFoundException { - String resourceName = classToResourceName(name); - FileObject resourceFileObject = findResourceFileObject(resourceName); - if (resourceFileObject == null) { - throw new ClassNotFoundException(name + "(" + resourceName + ")"); - } + protected Class<?> findClass(final String name) throws ClassNotFoundException { try { - byte[] bytes = FileUtil.getContent(resourceFileObject); - return defineClass(name, bytes, 0, bytes.length); - } catch (IOException ioe) { - throw new ClassNotFoundException(name, ioe); + return Security.doPrivileged(new PrivilegedExceptionAction<Class>() { + + public Class run() throws ClassNotFoundException { + String resourceName = classToResourceName(name); + FileObject resourceFileObject = findResourceFileObject(resourceName); + if (resourceFileObject == null) { + throw new ClassNotFoundException(name + "(" + resourceName + ")"); + } + try { + byte[] bytes = FileUtil.getContent(resourceFileObject); + return defineClass(name, bytes, 0, bytes.length); + } catch (IOException ioe) { + throw new ClassNotFoundException(name, ioe); + } + + } + }); + } catch (PrivilegedActionException ex) { + throw (ClassNotFoundException) ex.getException(); } } @@ -230,7 +259,7 @@ public class VirtualFileSystemClassLoade public String toString() { StringBuffer listString = new StringBuffer(); listString.append(format(classpathEntries)); - + listString.append(", codebase ["); URL[] urlArray = getURLs(); for (int i = 0; i < urlArray.length; i++) { 
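Review bot: The privileged block in `findClass` covers more than it needs: `classToResourceName` and `defineClass` run inside `doPrivileged`, although as far as the hunk shows only the VFS lookup and `FileUtil.getContent` touch the file system. Limiting the privileged scope to the read makes it easier to audit what a caller-supplied `name` can reach with the loader's permissions. It also removes the `(ClassNotFoundException) ex.getException()` cast, which is safe only while `run()` declares no other checked exception, and the raw `PrivilegedExceptionAction<Class>`. The sketch below assumes `findResourceFileObject` declares no checked exception, as its unguarded call in the old code suggests.

```java
protected Class<?> findClass(final String name) throws ClassNotFoundException {
    final String resourceName = classToResourceName(name);
    final byte[] bytes;
    try {
        // Only the VFS lookup and read run with the loader's own permissions.
        bytes = Security.doPrivileged(new PrivilegedExceptionAction<byte[]>() {
            @Override
            public byte[] run() throws IOException {
                FileObject resourceFileObject = findResourceFileObject(resourceName);
                return resourceFileObject == null ? null : FileUtil.getContent(resourceFileObject);
            }
        });
    } catch (PrivilegedActionException ex) {
        throw new ClassNotFoundException(name, ex.getException());
    }
    if (bytes == null) {
        throw new ClassNotFoundException(name + "(" + resourceName + ")");
    }
    return defineClass(name, bytes, 0, bytes.length);
}
```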
@@ -240,18 +269,19 @@ public class VirtualFileSystemClassLoade listString.append("]"); return listString.toString(); } + public static String format(List<ClasspathEntry> items) { if (items == null) { return "null"; } StringBuffer sb = new StringBuffer(); sb.append("["); - boolean first=true; - for (Object o: items) { + boolean first = true; + for (Object o : items) { if (!first) { sb.append(", "); } else { - first=false; + first = false; } sb.append("'"); sb.append(o.toString()); @@ -261,5 +291,4 @@ public class VirtualFileSystemClassLoade return sb.toString(); } - } Modified: river/jtsk/skunk/surrogate/src/org/apache/river/container/liaison/VirtualFileSystemConfiguration.java URL: http://svn.apache.org/viewvc/river/jtsk/skunk/surrogate/src/org/apache/river/container/liaison/VirtualFileSystemConfiguration.java?rev=1308236&r1=1308235&r2=1308236&view=diff ============================================================================== --- river/jtsk/skunk/surrogate/src/org/apache/river/container/liaison/VirtualFileSystemConfiguration.java (original) +++ river/jtsk/skunk/surrogate/src/org/apache/river/container/liaison/VirtualFileSystemConfiguration.java Mon Apr 2 04:00:34 2012 @@ -43,6 +43,8 @@ import org.apache.commons.vfs.VFS; public class VirtualFileSystemConfiguration implements Configuration { + private static final Logger log=Logger.getLogger(VirtualFileSystemConfiguration.class.getName()); + private static FileObject rootDirectory = null; private static Map<String, Object> specialEntries = new HashMap<String, Object>(); 
@@ -72,6 +74,7 @@ public class VirtualFileSystemConfigurat So, we have to instead throw an exception that is part of the jre platform. */ + log.log(Level.SEVERE, "Problem setting working directory", ex); throw new RuntimeException(ex.getMessage()); } Modified: river/jtsk/skunk/surrogate/testfiles/logging.properties URL: http://svn.apache.org/viewvc/river/jtsk/skunk/surrogate/testfiles/logging.properties?rev=1308236&r1=1308235&r2=1308236&view=diff ============================================================================== --- river/jtsk/skunk/surrogate/testfiles/logging.properties (original) +++ river/jtsk/skunk/surrogate/testfiles/logging.properties Mon Apr 2 04:00:34 2012 @@ -53,3 +53,4 @@ org.apache.river.container.level = FINER org.apache.river.container.AnnotatedClassDeployer.level=FINER org.apache.river.container.ShowContextToConsole.level=INFO net.jini.config.level=FINE +org.apache.river.container.security.ContainerCodePolicy.level=INFO \ No newline at end of file