[jboss-remoting-issues] [JBoss JIRA] Commented: (JBREM-1058) SocketServerInvoker is missing a privileged block

Ron Sigal (JIRA) jira-events at lists.jboss.org
Thu Nov 20 03:05:36 EST 2008


    [ https://jira.jboss.org/jira/browse/JBREM-1058?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12439041#action_12439041 ] 

Ron Sigal commented on JBREM-1058:
----------------------------------

The problem arises when an instance of java.beans.PropertyEditorManager tries to find a property editor for a field in an instance of org.jboss.remoting.ServerInvoker (or a subclass). Suppose that that field is "mbeanServer", which has type javax.management.MBeanServer.   Then PropertyEditorManager passes javax.management.MBeanServer.class to java.beans.Introspector.instantiate(), which calls java.lang.Class.getClassLoader() on javax.management.MBeanServer.class, and Class.getClassLoader() checks for the RuntimePermission "getClassLoader" permission *IF*, according to the javadoc,

  "the caller's class loader is not null and the caller's class loader is not the same as or an ancestor of the class loader for the class whose class loader is requested",

i.e., if the classloader of java.beans.PropertyEditorManager is not the same as or an ancestor of the classloader of javax.management.MBeanServer.

The "mbeanServer" field is just an example - I'm not sure which class is causing the problem.  In any case, the problem doesn't arise when the code is called in the Remoting security manager unit tests.  It would be possible to create a pure Remoting test case for this problem, but it would entail adding several permissions, e.g. the "createClassLoader" RuntimePermission, to the minimal security policy file used for those tests.  Instead, I'll let the AS security test suite test the solution for this issue, which is invoked by running

  ant tests-security-manager
  
in the AS testsuite directory.

For future reference, I've attached two files that nearly constitute a pure Remoting test case for this issue.

Note that org.jboss.util.propertyeditor.PropertyEditors.mapJavaBeanProperties() is called from the following Remoting classes:

  * org.jboss.remoting.transport.rmi.RMIServerInvoker
  * org.jboss.remoting.transport.socket.MicroSocketClientInvoker
  * org.jboss.remoting.transport.socket.SocketServerInvoker

All of these calls have been replaced by a call to org.jboss.remoting.util.SecurityUtility.mapJavaBeanProperties().

> SocketServerInvoker is missing a privileged block
> -------------------------------------------------
>
>                 Key: JBREM-1058
>                 URL: https://jira.jboss.org/jira/browse/JBREM-1058
>             Project: JBoss Remoting
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: transport
>    Affects Versions: 2.5.0.SP1 (Flounder)
>            Reporter: Anil Saldhana
>            Assignee: Ron Sigal
>             Fix For: 2.5.0.SP2 (Flounder) 
>
>         Attachments: PropertyEditorSecurityTestCase.java
>
>
> ===========================================
> 12:50:14,672 ERROR [STDERR] access: access denied (java.lang.RuntimePermission getClassLoader)
> 12:50:14,672 ERROR [STDERR] java.lang.Exception: Stack trace
> 12:50:14,672 ERROR [STDERR]     at java.lang.Thread.dumpStack(Thread.java:1158)
> 12:50:14,672 ERROR [STDERR]     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
> 12:50:14,672 ERROR [STDERR]     at java.security.AccessController.checkPermission(AccessController.java:427)
> 12:50:14,672 ERROR [STDERR]     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> 12:50:14,672 ERROR [STDERR]     at java.lang.ClassLoader.getParent(ClassLoader.java:1224)
> 12:50:14,672 ERROR [STDERR]     at org.jboss.util.loading.DelegatingClassLoader.loadClass(DelegatingClassLoader.java:92)
> 12:50:14,672 ERROR [STDERR]     at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
> 12:50:14,672 ERROR [STDERR]     at java.beans.Introspector.instantiate(Introspector.java:1453)
> 12:50:14,673 ERROR [STDERR]     at java.beans.PropertyEditorManager.findEditor(PropertyEditorManager.java:91)
> 12:50:14,673 ERROR [STDERR]     at org.jboss.util.propertyeditor.PropertyEditors.mapJavaBeanProperties(PropertyEditors.java:369)
> 12:50:14,673 ERROR [STDERR]     at org.jboss.remoting.transport.socket.SocketServerInvoker.setup(SocketServerInvoker.java:204)
> 12:50:14,673 ERROR [STDERR]     at org.jboss.remoting.transport.bisocket.BisocketServerInvoker.setup(BisocketServerInvoker.java:651)
> 12:50:14,673 ERROR [STDERR]     at org.jboss.remoting.ServerInvoker.create(ServerInvoker.java:949)
> 12:50:14,673 ERROR [STDERR]     at org.jboss.remoting.transport.Connector.init(Connector.java:432)
> ========================================================
> The SocketServerInvoker needs to deal with the property managers in a priv block.   Line 204

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
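
The privileged-block fix discussed in the comment above, as an added example (not part of the original message, and not the JBoss Remoting SecurityUtility source). `PrivilegedBeanMapper`, `Config` and `mapUnprivileged` are hypothetical names; `mapUnprivileged` is a simplified, JDK-only stand-in for PropertyEditors.mapJavaBeanProperties(), and the code assumes a JVM where java.security.AccessController is still available (it is deprecated from Java 17).

```java
import java.beans.*;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Properties;

public class PrivilegedBeanMapper {
    // Constructed sample bean standing in for a server invoker's settable fields.
    public static class Config {
        private int backlog;
        public int getBacklog() { return backlog; }
        public void setBacklog(int backlog) { this.backlog = backlog; }
    }

    // Hypothetical stand-in for PropertyEditors.mapJavaBeanProperties(): the
    // findEditor() call is where the JDK may request a class loader and so
    // trigger the RuntimePermission "getClassLoader" check.
    static void mapUnprivileged(Object bean, Properties props) throws Exception {
        BeanInfo info = Introspector.getBeanInfo(bean.getClass());
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            String text = props.getProperty(pd.getName());
            if (text == null || pd.getWriteMethod() == null) continue;
            PropertyEditor editor = PropertyEditorManager.findEditor(pd.getPropertyType());
            if (editor == null) continue;   // no editor registered for this type
            editor.setAsText(text);
            pd.getWriteMethod().invoke(bean, editor.getValue());
        }
    }

    // Privileged wrapper: the permission check stops its stack walk at this
    // frame, so callers further up the stack need not hold "getClassLoader".
    // Only this class's protection domain (and the code it calls) must.
    static void mapPrivileged(final Object bean, final Properties props) throws IntrospectionException {
        try {
            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
                mapUnprivileged(bean, props);
                return null;
            });
        } catch (PrivilegedActionException e) {
            // Unwrap so callers see a checked exception from the bean mapping.
            throw (IntrospectionException) new IntrospectionException(String.valueOf(e.getCause())).initCause(e.getCause());
        }
    }

    public static void main(String[] args) throws Exception {
        Config c = new Config();
        Properties p = new Properties();
        p.setProperty("backlog", "200");   // constructed sample value
        mapPrivileged(c, p);
        System.out.println("backlog=" + c.getBacklog());
    }
}
```

Keeping the privileged action this narrow matters: only the bean-property mapping runs with the wrapper's permissions, and the inputs (`bean`, `props`) should come from trusted configuration, since anything executed inside the block is checked against the wrapper's protection domain rather than the caller's.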

        


