Re: [drools-user] Permissions problem in WebSphere

[Edson Tirelli]

   Hi Steven,
   Unfortunatelly, I didn't try working with drools + WS, so I can't 
help with the problem, but just to explain what drools is trying to do: 
current version needs access to the actual class file for classes used 
as "facts" in your network, in order to read the bytecode and index 
class properties (getter methods).

   As a side note, we will try to remove this requirement in the 
future, but we are not sure yet how can we garantee that the order of 
the getter methods will not change from one JVM to another without 
reading the class bytecode.

   []s
   Edson


Steven Williams wrote:

Hi all,
We are using WebSphere 6.1 with java security switched on and get the 
following error when we attempt to run drools:


Permission:

      \D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class : 
Access denied ( java.io.FilePermission 
\D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class read)

Code:

     org.drools.base.au.gov.vic.dse.lx.ec.Message$getStatus  in  {null 
code URL}

Stack Trace:

java.security.AccessControlException : Access denied 
(java.io.FilePermission 
\D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class read)
        at 
java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission 
(SecurityManager.java:547)
        at 
com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
        at 
com.ibm.ws.classloader.SinglePathClassProvider.check(SinglePathClassProvider.java:444) 

        at 
com.ibm.ws.classloader.SinglePathClassProvider.checkURL(SinglePathClassProvider.java:431)
        at 
com.ibm.ws.classloader.SinglePathClassProvider.getResource(SinglePathClassProvider.java:423)
        at 
com.ibm.ws.classloader.SinglePathClassProvider.getResourceAsStream(SinglePathClassProvider.java:458)
        at 
com.ibm.ws.classloader.CompoundClassLoader.localGetResourceAsStream(CompoundClassLoader.java:926)
        at 
com.ibm.ws.classloader.CompoundClassLoader.getResourceAsStream(CompoundClassLoader.java:887)
        at java.lang.Class.getResourceAsStream(Class.java:1124)
        at org.drools.util.asm.ClassFieldInspector.processClass 
(Unknown Source)
        at org.drools.util.asm.ClassFieldInspector.<init>(Unknown Source)
        at org.drools.base.BaseClassFieldExtractor.<init>(Unknown Source)
        at org.drools.base.au.gov.vic.dse.lx.ec.Message$getStatus 
.<init>(Unknown Source)
        at 
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at 
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
        at 
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:521)
        at 
org.drools.base.ClassFieldExtractorFactory.getClassFieldExtractor 
(Unknown Source)
        at org.drools.base.ClassFieldExtractor.init(Unknown Source)
        at org.drools.base.ClassFieldExtractor.<init>(Unknown Source)
        at org.drools.base.ClassFieldExtractorCache.getExtractor 
(Unknown Source)
        at 
org.drools.semantics.java.RuleBuilder.getFieldExtractor(Unknown Source)
        at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
        at org.drools.semantics.java.RuleBuilder.build (Unknown Source)
        at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
        at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
        at org.drools.compiler.PackageBuilder.addRule (Unknown Source)
        at org.drools.compiler.PackageBuilder.addPackage(Unknown Source)
        at 
org.drools.compiler.PackageBuilder.addPackageFromDrl(Unknown Source)
        at au.gov.vic.dse.lx.ec.DroolsTest.readRule (DroolsTest.java:62)
 
It looks to me like the drools generated Message class 
(org.drools.base.au.gov.vic.dse.lx.ec.Message) is failing when it 
attempts to access the application Message.class via its getStatus 
method. We have added java.security.AllPermission everywhere we can 
think of (was.policy, app.policy, library.policy, server.policy) and 
it still does not work.
 
Has anybody got drools working in a WebSphere environment (any 
version) with java security turned on?
 
I noticed that there used to be a problem with cglib where the 
generated classes did not get the same protection domain as the 
cglib.jar (http://jira.atlassian.com/browse/CONF-5955 
<http://jira.atlassian.com/browse/CONF-5955>, 
http://forum.hibernate.org/viewtopic.php?p=2190363). I know we are 
using ASM but maybe it also has a similar problem?
 
thanks
Steve

--
Steven Williams

Supervising Consultant

Object Consulting
Office: 8615 4500 Mob: 0439 898 668 Fax: 8615 4501
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.objectconsulting.com.au <http://www.objectconsulting.com.au>

consulting | development | training | support
our experience makes the difference



--
 ---
 Edson Tirelli
 Software Engineer - JBoss Rules Core Developer
 Office: +55 11 3124-6000
 Mobile: +55 11 9218-4151
 JBoss, a division of Red Hat @ www.jboss.com

 IT executives: Red Hat still #1 for value
 http://www.redhat.com/promo/vendor/ 


---------------------------------------------------------------------
To unsubscribe from this list please visit:

   http://xircles.codehaus.org/manage_email