Stripes deployed in Tomcat with SecurityManager enabled throws AccessControlException
-------------------------------------------------------------------------------------

                 Key: STS-620
                 URL: http://www.stripesframework.org/jira/browse/STS-620
             Project: Stripes
          Issue Type: Bug
    Affects Versions: Release 1.5
            Reporter: Matthew Altman


There are two classes
net.sourceforge.stripes.config.BootstrapPropertyResolver
net.sourceforge.stripes.util.ResolverUtil

that do not catch exceptions which then get thrown all the way back out and 
prevent Stripes from running in an environment with the SecurityManager enabled.

An example stacktrace is:
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission ActionResolver.PackageFilters read)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
       at java.security.AccessController.checkPermission(AccessController.java:546)
       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
       at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
       at java.lang.System.getProperty(System.java:652)
       at net.sourceforge.stripes.config.BootstrapPropertyResolver.getProperty(BootstrapPropertyResolver.java:68)
       at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.getPackageFilters(AnnotatedClassActionResolver.java:492)
       at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.findClasses(AnnotatedClassActionResolver.java:510)
       at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.init(AnnotatedClassActionResolver.java:94)
       at net.sourceforge.stripes.controller.NameBasedActionResolver.init(NameBasedActionResolver.java:115)
       at net.sourceforge.stripes.config.DefaultConfiguration.init(DefaultConfiguration.java:101)
       ... 48 more

BootstrapPropertyResolver.getProperty() contains the following calls which could 
throw these types of exceptions:
FilterConfig.getInitParameter()
FilterConfig.getServletContext().getInitParameter()
System.getProperty()

ResolverUtil.loadImplementationsFromContextClassloader() contains the following 
call which could throw this exception:
ClassLoader.getParent()

Additionally, the File.exists() and File.isDirectory() calls could also throw 
security exceptions, but if these calls are placed within the matchesAny() "if" 
block, then the locations can just be limited based on the 
ActionResolver.UrlFilters init-param.

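The failure mode in this report, as an added example (not Stripes source and not the project's fix): each lookup source is tried in turn, and a SecurityException from one source is logged and skipped rather than propagating out of initialization. GuardedPropertyLookup and Source are hypothetical names, the servlet sources are stubbed with lambdas so the code runs without a container, and the property value is constructed.

```java
import java.util.List;
import java.util.function.Function;

// Added illustration, not Stripes source. GuardedPropertyLookup and Source are hypothetical names.
public class GuardedPropertyLookup {

    // One place a bootstrap property can come from.
    static final class Source {
        final String name;
        final Function<String, String> lookup;
        Source(String name, Function<String, String> lookup) {
            this.name = name;
            this.lookup = lookup;
        }
    }

    private final List<Source> sources;

    GuardedPropertyLookup(List<Source> sources) {
        this.sources = sources;
    }

    // Returns the first non-null value. A source that the security policy
    // denies is logged and skipped instead of aborting initialization.
    String getProperty(String key) {
        for (Source s : sources) {
            try {
                String value = s.lookup.apply(key);
                if (value != null) return value;
            } catch (SecurityException e) { // AccessControlException extends SecurityException
                System.err.println("denied: " + s.name + " [" + key + "]: " + e.getMessage());
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed stand-ins for the servlet sources so this runs without a container.
        Source filter = new Source("filter init-param", k -> null);
        Source context = new Source("context init-param",
                k -> "ActionResolver.PackageFilters".equals(k) ? "com.example.web" : null);
        // Simulates a policy without the PropertyPermission shown in the stack trace.
        Source system = new Source("system property",
                k -> { throw new SecurityException("access denied (PropertyPermission " + k + " read)"); });

        System.out.println(new GuardedPropertyLookup(List.of(system, filter, context))
                .getProperty("ActionResolver.PackageFilters"));
    }
}
```

Logging the denial keeps a missing policy grant visible to the operator while the remaining sources are still consulted.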