[ http://www.stripesframework.org/jira/browse/STS-620?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ben Gunter resolved STS-620.
----------------------------

    Resolution: Fixed

I fixed this the best I could. BootstrapPropertyResolver will catch 
AccessControlExceptions when getting property values and log a debug message 
telling what happened if it can't read the property. ResolverUtil has changed 
significantly since this problem was reported and does not appear to have the 
same problems as before. Aside from the two changes noted below, everything 
worked fine after this code change.

Stripes still requires java.lang.RuntimePermission "accessDeclaredMembers", 
which is not in the default catalina.policy. It needs that one to find the 
event handler methods in the ActionBean classes.

I also had to allow file read for WEB-INF/classes/logging.properties. That 
appears to be normal since there was already a template in the catalina.policy 
file for it.

> Stripes deployed in Tomcat with SecurityManager enabled throws AccessControlException
> -------------------------------------------------------------------------------------
>
>                 Key: STS-620
>                 URL: http://www.stripesframework.org/jira/browse/STS-620
>             Project: Stripes
>          Issue Type: Bug
>    Affects Versions: Release 1.4.3
>            Reporter: Matthew Altman
>             Fix For: Release 1.5.1, Release 1.6
>
>
> There are two classes
> - net.sourceforge.stripes.config.BootstrapPropertyResolver
> - net.sourceforge.stripes.util.ResolverUtil
>
> that do not catch exceptions which then get thrown all the way back out and 
> prevent Stripes from running in an environment with the SecurityManager 
> enabled.
>
> An example stacktrace is:
>
> Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission ActionResolver.PackageFilters read)
>        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>        at java.security.AccessController.checkPermission(AccessController.java:546)
>        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>        at java.lang.System.getProperty(System.java:652)
>        at net.sourceforge.stripes.config.BootstrapPropertyResolver.getProperty(BootstrapPropertyResolver.java:68)
>        at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.getPackageFilters(AnnotatedClassActionResolver.java:492)
>        at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.findClasses(AnnotatedClassActionResolver.java:510)
>        at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.init(AnnotatedClassActionResolver.java:94)
>        at net.sourceforge.stripes.controller.NameBasedActionResolver.init(NameBasedActionResolver.java:115)
>        at net.sourceforge.stripes.config.DefaultConfiguration.init(DefaultConfiguration.java:101)
>        ... 48 more
>
> BootstrapPropertyResolver.getProperty() contains the following calls which 
> could throw these types of exceptions:
> - FilterConfig.getInitParameter()
> - FilterConfig.getServletContext().getInitParameter()
> - System.getProperty()
>
> ResolverUtil.loadImplementationsFromContextClassloader() contains the 
> following call which could throw this exception:
> - ClassLoader.getParent()
>
> Additionally, File.exists() and File.isDirectory() could also throw 
> security exceptions, but if these calls are placed within the matchesAny() 
> "if" block, then the locations can just be limited based on the 
> ActionResolver.UrlFilters init-param.

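The fix described in the resolution comment above (catch the security exception for each property lookup and log it at debug level instead of letting it abort initialization), as an added Java example that is not Stripes code and not part of the original message. The class name, source labels and sample values are hypothetical; the servlet lookups are modelled as plain functions so it runs without a container, and it catches SecurityException, the superclass of AccessControlException.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical guarded bootstrap lookup; illustrative only, not Stripes code. */
public class GuardedPropertyLookup {
    private static final Logger LOG = Logger.getLogger(GuardedPropertyLookup.class.getName());

    // Sources are tried in insertion order; the key is a label used in log output.
    private final Map<String, Function<String, String>> sources = new LinkedHashMap<>();

    public GuardedPropertyLookup addSource(String label, Function<String, String> lookup) {
        sources.put(label, lookup);
        return this;
    }

    /** Returns the first non-null value; a denied source counts as "no value here". */
    public String getProperty(String key) {
        for (Map.Entry<String, Function<String, String>> source : sources.entrySet()) {
            try {
                String value = source.getValue().apply(key);
                if (value != null) {
                    return value;
                }
            } catch (SecurityException e) {
                // AccessControlException extends SecurityException. Handle it per source
                // so one missing permission cannot abort framework initialization.
                LOG.log(Level.FINE, "Denied reading {0} from {1}: {2}",
                        new Object[] {key, source.getKey(), e.getMessage()});
            }
        }
        return null; // caller falls back to its default behaviour
    }

    public static void main(String[] args) {
        // Constructed scenario: the policy denies one source, a later one has the value.
        GuardedPropertyLookup lookup = new GuardedPropertyLookup()
                .addSource("filter init-param", key -> null)
                .addSource("system property", key -> {
                    throw new SecurityException("access denied (PropertyPermission " + key + " read)");
                })
                .addSource("context init-param", key -> "com.example.action");
        System.out.println(lookup.getProperty("ActionResolver.PackageFilters"));
    }
}
```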