[jboss-jira] [JBoss JIRA] Commented: (JASSIST-23) Java 2 Security ProtectionDomain is not associated with new generated classes

Renat Zubairov (JIRA) jira-events at jboss.com
Tue Jul 18 08:37:11 EDT 2006


    [ http://jira.jboss.com/jira/browse/JASSIST-23?page=comments#action_12339747 ] 
            
Renat Zubairov commented on JASSIST-23:
---------------------------------------

What I like about Javassist is a vibrant and visible community around...
Anyway, I found a solution for the problem, and it is clearly a very simple mistake made by the authors of the CtClass object: when they use the classloader API they ignore security concerns, hence I had this problem now.
There are at least two defineClass methods: one is in complete ignorance of security, the other one takes a specification of the ProtectionDomain.
I'll post a more proper solution shortly.

> Java 2 Security ProtectionDomain is not associated with new generated classes
> -----------------------------------------------------------------------------
>
>                 Key: JASSIST-23
>                 URL: http://jira.jboss.com/jira/browse/JASSIST-23
>             Project: Javassist
>          Issue Type: Bug
>         Environment: IBM WebSphere 5.1 with J2EE Security ON, Javassist 3.0, Tapestry 4.1, HiveMind 1.1.1
>            Reporter: Renat Zubairov
>         Assigned To: Shigeru Chiba
>            Priority: Blocker
>         Attachments: exception.txt
>
>   Original Estimate: 3 hours
>  Remaining Estimate: 3 hours
>
> Classes that are generated using Javassist have no associated protection domain, therefore it is not possible for the JVM to assign permissions based on the static JAR file names. This is a severe problem because it is not possible to grant permissions, hence all permissions are forbidden, and so nothing works.
> Javassist is used by HiveMind to generate proxy classes for its services, and (see the stack trace in the attachment) the generated classes can't be associated with any ProtectionDomain, therefore
> _any Javassist supported application is impossible to start under strict security in Java_.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
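
The difference between the two `defineClass` overloads mentioned in the comment, as an added example that is not part of the original message and not Javassist's code: the same class bytes are defined once without and once with a `ProtectionDomain`, and the resulting code source location is printed. The class names and the choice to reuse the calling class's own domain are assumptions of this example; compile with `javac` on Java 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;

public class DefineClassDomainDemo {

    /** Stand-in for a runtime-generated class (constructed for this example). */
    public static class Generated { }

    /** Exposes both protected ClassLoader.defineClass overloads. */
    static final class GeneratingLoader extends ClassLoader {
        Class<?> defineWithoutDomain(String name, byte[] b) {
            // Four-argument overload: the class lands in the loader's default
            // domain, whose CodeSource has no location.
            return defineClass(name, b, 0, b.length);
        }

        Class<?> defineWithDomain(String name, byte[] b, ProtectionDomain pd) {
            // Five-argument overload: the caller chooses the domain.
            return defineClass(name, b, 0, b.length, pd);
        }
    }

    /** Location a codeBase-style policy grant would be matched against. */
    static String codeBase(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "<none>" : cs.getLocation().toString();
    }

    public static void main(String[] args) throws IOException {
        String name = Generated.class.getName();
        byte[] bytes;
        try (InputStream in = DefineClassDomainDemo.class
                .getResourceAsStream("/" + name.replace('.', '/') + ".class")) {
            bytes = in.readAllBytes(); // requires Java 9+
        }
        // Assumption of this example: generated code should share the domain
        // of the application class that asked for it.
        ProtectionDomain appDomain = DefineClassDomainDemo.class.getProtectionDomain();

        // Separate loaders, because one loader cannot define the same name twice.
        Class<?> bare = new GeneratingLoader().defineWithoutDomain(name, bytes);
        Class<?> scoped = new GeneratingLoader().defineWithDomain(name, bytes, appDomain);

        System.out.println("without domain: " + codeBase(bare));
        System.out.println("with domain:    " + codeBase(scoped));
    }
}
```

A policy entry that grants permissions by JAR or directory location can only match the second class, because only its domain carries a code source location.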