[Stripes-dev] [JIRA] Updated: (STS-620) Stripes deployed in Tomcat with SecurityManager enabled throws AccessControlException

Tue, 23 Dec 2008 14:57:46 -0800 

     [ 
http://www.stripesframework.org/jira/browse/STS-620?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ben Gunter updated STS-620:
---------------------------

    Affects Version/s:     (was: Release 1.5)
                       Release 1.4.3

> Stripes deployed in Tomcat with SecurityManager enabled throws 
> AccessControlException
> -------------------------------------------------------------------------------------
>
>                 Key: STS-620
>                 URL: http://www.stripesframework.org/jira/browse/STS-620
>             Project: Stripes
>          Issue Type: Bug
>    Affects Versions: Release 1.4.3
>            Reporter: Matthew Altman
>             Fix For: Release 1.5.1, Release 1.6
>
>
> There are two classes
> net.sourceforge.stripes.config.BootstrapPropertyResolver
> net.sourceforge.stripes.util.ResolverUtil
> that do not catch exceptions which then get thrown all the way back out and 
> prevent Stripes from running in an environment with the SecurityManager 
> enabled.
> An example stacktrace is:
> Caused by: java.security.AccessControlException: access denied
> (java.util.PropertyPermission ActionResolver.PackageFilters read)
>        at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>        at
> java.security.AccessController.checkPermission(AccessController.java:546)
>        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>        at 
> java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>        at java.lang.System.getProperty(System.java:652)
>        at
> net.sourceforge.stripes.config.BootstrapPropertyResolver.getProperty(BootstrapPropertyResolver.java:68)
>        at
> net.sourceforge.stripes.controller.AnnotatedClassActionResolver.getPackageFilters(AnnotatedClassActionResolver.java:492)
>        at
> net.sourceforge.stripes.controller.AnnotatedClassActionResolver.findClasses(AnnotatedClassActionResolver.java:510)
>        at
> net.sourceforge.stripes.controller.AnnotatedClassActionResolver.init(AnnotatedClassActionResolver.java:94)
>        at
> net.sourceforge.stripes.controller.NameBasedActionResolver.init(NameBasedActionResolver.java:115)
>        at
> net.sourceforge.stripes.config.DefaultConfiguration.init(DefaultConfiguration.java:101)
>        ... 48 more
> BootstrapPropertyResolver.getProperty() contain the following calls which 
> could throw these types of exceptions:
> FilterConfig.getInitParameter()
> FilterConfig.getServletContext().getInitParameter()
> System.getProperty()
> ResolverUtil.loadImplementationsFromContextClassloader() contains the 
> following call which could throw this exception:
> ClassLoader.getParent()
> Additionally, the File.exists() and File.isDirectory() could also throw 
> security exceptions, but if these calls are placed within the matchesAny() 
> "if" block, then the locations can just be limited based on the 
> ActionResolver.UrlFilters init-param

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://www.stripesframework.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

------------------------------------------------------------------------------
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development

Reply via email to