[jboss-jira] [JBoss JIRA] Created: (JBRULES-760) Security problem in WebSphere with PackageCompilationData classloader

Carey Evans (JIRA) jira-events at lists.jboss.org
Thu Mar 29 23:57:59 EDT 2007


Security problem in WebSphere with PackageCompilationData classloader
---------------------------------------------------------------------

                 Key: JBRULES-760
                 URL: http://jira.jboss.com/jira/browse/JBRULES-760
             Project: JBoss Rules
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Reteoo
    Affects Versions: 3.0.6
         Environment: WebSphere Application Server 6.0.2.17 Express with IBM JDK 1.4.2 SR5 on Windows Server 2003
            Reporter: Carey Evans
         Assigned To: Mark Proctor


This problem is very similar to JBRULES-562, but affects classes loaded by org.drools.rule.PackageCompilationData.PackageClassLoader rather than org.drools.base.ClassFieldExtractorFactory. The symptoms are the same:

[29/03/07 16:18:44:279 NZST] 00000034 SecurityManag W   SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information.

Permission:

      accessDeclaredMembers : access denied (java.lang.RuntimePermission accessDeclaredMembers)


Code:

     BrowseCatalog.Rule_Bad_Rule_0  in  {null code URL}



Stack Trace:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
[...]
	at java.lang.Class.getDeclaredConstructor(Class.java(Compiled Code))
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:60)
[...]
	at com.elasticpath.domain.rules.impl.PromotionRuleDelegateImpl.isFirstTimeBuyer(PromotionRuleDelegateImpl.java:975)
	at BrowseCatalog.Rule_Bad_Rule_0.eval1(Rule_Bad_Rule_0.java:16)
	at BrowseCatalog.Rule_Bad_Rule_0Eval1Invoker.evaluate(Rule_Bad_Rule_0Eval1Invoker.java:20)
	at org.drools.rule.EvalCondition.isAllowed(Unknown Source)
[...]


Code Base Location:


[...]
BrowseCatalog.Rule_Bad_Rule_0 : null code URL
  ClassLoader: org.drools.rule.PackageCompilationData$PackageClassLoader
  Permissions granted to CodeSource (null <no certificates>)
  {
  }
BrowseCatalog.Rule_Bad_Rule_0Eval1Invoker : null code URL
  ClassLoader: org.drools.rule.PackageCompilationData$PackageClassLoader
  Permissions granted to CodeSource (null <no certificates>)
  {
  }


I've made the same change to PackageCompilationData as was made to ClassFieldExtractorFactory, which has fixed the problem:

--- drools-core/src/main/java/org/drools/rule/PackageCompilationData.java	(revision 10605)
+++ drools-core/src/main/java/org/drools/rule/PackageCompilationData.java	(working copy)
@@ -24,6 +24,9 @@
 import java.io.ObjectInput;
 import java.io.ObjectOutput;
 import java.io.ObjectOutputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Iterator;
@@ -47,6 +50,16 @@
      */
     private static final long            serialVersionUID = -4351259299237235523L;
 
+    private static final ProtectionDomain PROTECTION_DOMAIN;
+
+    static {
+        PROTECTION_DOMAIN = (ProtectionDomain) AccessController.doPrivileged( new PrivilegedAction() {
+            public Object run() {
+                return PackageCompilationData.class.getProtectionDomain();
+            }
+        } );
+    }
+
     private Map                          invokerLookups   = new HashMap();
 
     private Object                       AST;
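Review bot: the static initializer makes class loading of PackageCompilationData depend on getProtectionDomain() succeeding; under a SecurityManager that call needs RuntimePermission "getProtectionDomain", and doPrivileged only stops the stack walk at this frame, so drools-core's own code base must hold that permission in the WebSphere policy or the first use of the class fails with an ExceptionInInitializerError. That prerequisite should be documented next to the field (ClassFieldExtractorFactory presumably has the same one after JBRULES-562). The raw PrivilegedAction and the (ProtectionDomain) cast match the 1.4-level code base, fine to keep.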
@@ -280,7 +293,8 @@
                     return defineClass( name,
                                         clazzBytes,
                                         0,
-                                        clazzBytes.length );
+                                        clazzBytes.length,
+                                        PROTECTION_DOMAIN );
                 }
             }
 
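Review bot: passing PROTECTION_DOMAIN to defineClass means every generated rule class now carries drools-core's CodeSource and therefore the full permission set the policy grants to drools-core, so anyone who can author DRL effectively runs with those grants; that is the intended effect here (it is what removes the "null code URL" domain shown in the report) but it is a trust decision that deserves a comment on the PROTECTION_DOMAIN field, and a deployment that wants rules to run with fewer rights would need a dedicated ProtectionDomain with its own CodeSource and PermissionCollection instead of reusing the host's.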


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
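The following is an added, stand-alone illustration of the mechanism behind this report and the patch; it is not Drools code and not part of the original issue. A small class loader defines the same class bytes twice, once the way PackageClassLoader did before the patch (no ProtectionDomain, so the JVM assigns the loader's default domain with a null CodeSource, which is what WebSphere prints as "null code URL") and once with the host class's ProtectionDomain fetched inside doPrivileged as the patch does. The class and loader names (DomainDemo, RuleLoader, Payload) are invented for the example; it runs without a SecurityManager and only inspects the resulting CodeSource, which is the property the Java 2 policy keys on.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Added example, not Drools code: shows what attaching a ProtectionDomain to
// defineClass changes for a class built at runtime from raw bytes.
public class DomainDemo {

    // Stand-in for a generated rule class; its bytecode is read back from the classpath.
    public static class Payload {
        public Payload() {}
    }

    // Minimal loader mirroring PackageCompilationData.PackageClassLoader.
    static final class RuleLoader extends ClassLoader {
        RuleLoader(ClassLoader parent) { super(parent); }

        // Pre-patch shape: no domain given, so the JVM uses this loader's default
        // domain, whose CodeSource has a null location ("null code URL").
        Class<?> defineWithoutDomain(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }

        // Post-patch shape: the class shares the supplied domain, i.e. the host's
        // CodeSource and whatever the policy grants to it.
        Class<?> defineWithDomain(String name, byte[] bytes, ProtectionDomain pd) {
            return defineClass(name, bytes, 0, bytes.length, pd);
        }
    }

    // Reads the .class bytes of an already loaded class from its own loader.
    static byte[] readClassBytes(Class<?> c) throws IOException {
        String resource = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) throw new IOException("no bytes for " + resource);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
            return out.toByteArray();
        }
    }

    // Formats a class the way the WebSphere report does: name, code URL, loader.
    static String describe(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();
        String where = (cs == null || cs.getLocation() == null)
                ? "null code URL" : cs.getLocation().toString();
        return c.getName() + " : " + where + "  [loader " + pd.getClassLoader() + "]";
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = readClassBytes(Payload.class);
        String name = Payload.class.getName();

        // Same idiom as the patch: fetch the host's domain inside doPrivileged so a
        // SecurityManager's getProtectionDomain check stops at this trusted frame.
        ProtectionDomain hostDomain = AccessController.doPrivileged(
                (PrivilegedAction<ProtectionDomain>) DomainDemo.class::getProtectionDomain);

        // Two loaders so each may define its own copy of the same class name.
        ClassLoader parent = DomainDemo.class.getClassLoader();
        Class<?> before = new RuleLoader(parent).defineWithoutDomain(name, bytes);
        Class<?> after = new RuleLoader(parent).defineWithDomain(name, bytes, hostDomain);

        System.out.println("before patch: " + describe(before));
        System.out.println("after patch:  " + describe(after));
    }
}
```

Compile and run it with the usual javac/java invocation; the first line reports "null code URL" for the copy defined without a domain, the second reports the file: URL of the directory or jar DomainDemo itself was loaded from. A policy file that grants accessDeclaredMembers to that URL therefore covers the second copy but not the first, which is exactly why the generated rule classes in the report were denied while drools-core's own classes were not.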
