[jbossts-issues] [JBoss JIRA] (JBTM-2577) CDR Input/Output streams need SerializablePermission("enableSubclassImplementation") when Security Manager is in force

Ivo Studensky (JIRA) issues at jboss.org
Thu Dec 3 10:51:00 EST 2015


Ivo Studensky created JBTM-2577:
-----------------------------------

             Summary: CDR Input/Output streams need SerializablePermission("enableSubclassImplementation") when Security Manager is in force
                 Key: JBTM-2577
                 URL: https://issues.jboss.org/browse/JBTM-2577
             Project: JBoss Transaction Manager
          Issue Type: Bug
          Components: JTS
    Affects Versions: 5.2.8.Final
            Reporter: Ivo Studensky
            Assignee: Ivo Studensky


Since JDK version 7u25, the {{org.omg.CORBA_2_3.portable.Output/InputStream}} classes need extra permissions if the Security Manager is enabled. Because of a previous vulnerability, it now checks {{SerializablePermission("enableSubclassImplementation")}}. There is a property flag to allow subclass instantiations without the security check ({{jdk.corba.allowOutputStreamSubclass=true}}), but this system property is subject to removal in future Java releases, according to my findings.

At the moment, our IIOP code fails (this can be seen in the iiop tests of the WildFly testsuite) when running with SM enabled.

See the following stacktraces:
{noformat}
	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
	  at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
	  at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
	  at com.sun.corba.se.impl.encoding.WrapperInputStream.<init>(WrapperInputStream.java:74)
	  at com.sun.corba.se.impl.corba.TypeCodeImpl.read_value(TypeCodeImpl.java:1273)
	  at com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_any(CDRInputStream_1_0.java:695)
	  at com.sun.corba.se.impl.encoding.CDRInputStream.read_any(CDRInputStream.java:238)
	  at org.omg.CosTransactions.PropagationContextHelper.read(PropagationContextHelper.java:88)
	  at com.arjuna.ArjunaOTS._ArjunaTransactionStub.get_txcontext(_ArjunaTransactionStub.java:387)
	  at com.arjuna.ats.jts.orbspecific.javaidl.interceptors.interposition.InterpositionClientRequestInterceptorImpl.send_request(InterpositionClientRequestInterceptorImpl.java:223)
	  at com.sun.corba.se.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:245)
	  at com.sun.corba.se.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:355)
	  at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.beginRequest(CorbaClientRequestDispatcherImpl.java:293)
	  at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:137)
	  at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
	  at org.omg.CosTransactions._ResourceStub.commit_one_phase(_ResourceStub.java:94)
	  at com.arjuna.ats.internal.jts.resources.ResourceRecord.topLevelOnePhaseCommit(ResourceRecord.java:537)
	  at com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2361)
	  at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495)
	  - locked <0x360a> (a com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple)
	  at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.commit(ArjunaTransactionImple.java:375)
	  at com.arjuna.ats.internal.jts.ControlWrapper.commit(ControlWrapper.java:244)
	  at com.arjuna.ats.internal.jts.orbspecific.CurrentImple.commit(CurrentImple.java:247)
	  at com.arjuna.ats.jts.extensions.AtomicTransaction.commit(AtomicTransaction.java:276)
	  at com.arjuna.ats.internal.jta.transaction.jts.TransactionImple.commitAndDisassociate(TransactionImple.java:1313)
	  at com.arjuna.ats.internal.jta.transaction.jts.BaseTransaction.commit(BaseTransaction.java:130)
	  at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	  at org.jboss.tm.usertx.client.ServerVMClientUserTransaction.commit(ServerVMClientUserTransaction.java:178)
	  at org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:65)
{noformat}

{noformat}
	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
	  at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
	  at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
	  at com.sun.corba.se.impl.encoding.WrapperInputStream.<init>(WrapperInputStream.java:74)
	  at com.sun.corba.se.impl.corba.TypeCodeImpl.read_value(TypeCodeImpl.java:1273)
	  at com.sun.corba.se.impl.corba.TypeCodeImpl.copy(TypeCodeImpl.java:2018)
	  at com.sun.corba.se.impl.corba.TypeCodeImpl.copy(TypeCodeImpl.java:2054)
	  at com.sun.corba.se.impl.corba.AnyImpl.write_value(AnyImpl.java:610)
	  at com.sun.corba.se.impl.interceptors.CDREncapsCodec.encodeImpl(CDREncapsCodec.java:173)
	  at com.sun.corba.se.impl.interceptors.CDREncapsCodec.encode_value(CDREncapsCodec.java:119)
	  at com.arjuna.ats.jts.orbspecific.javaidl.interceptors.interposition.InterpositionClientRequestInterceptorImpl.send_request(InterpositionClientRequestInterceptorImpl.java:280)
	  at com.sun.corba.se.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:245)
	  at com.sun.corba.se.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:355)
	  at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.beginRequest(CorbaClientRequestDispatcherImpl.java:293)
	  at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:137)
	  at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
	  at com.arjuna.ArjunaOTS._ArjunaTransactionStub.is_top_level_transaction(_ArjunaTransactionStub.java:193)
	  at com.arjuna.ats.jts.OTSManager.destroyControl(OTSManager.java:133)
	  at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.destroyAction(ArjunaTransactionImple.java:2201)
	  at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.commit(ArjunaTransactionImple.java:392)
	  at com.arjuna.ats.internal.jts.ControlWrapper.commit(ControlWrapper.java:244)
	  at com.arjuna.ats.internal.jts.orbspecific.CurrentImple.commit(CurrentImple.java:247)
	  at com.arjuna.ats.jts.extensions.AtomicTransaction.commit(AtomicTransaction.java:276)
	  at com.arjuna.ats.internal.jta.transaction.jts.TransactionImple.commitAndDisassociate(TransactionImple.java:1313)
	  at com.arjuna.ats.internal.jta.transaction.jts.BaseTransaction.commit(BaseTransaction.java:130)
	  at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	  at org.jboss.tm.usertx.client.ServerVMClientUserTransaction.commit(ServerVMClientUserTransaction.java:178)
	  at org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:65)
{noformat}



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
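
The constructor-time check described in the report, reproduced as an added sketch (not code from the JDK, Narayana or the reporter): `GuardedStream`, `WrapperStream` and `DemoPolicy` are hypothetical stand-ins for the real stream classes and security policy. It shows the subclass constructor being denied until the policy grants `SerializablePermission("enableSubclassImplementation")`. It assumes a JDK from 8 to 17, where `System.setSecurityManager` is still permitted, compiled with `javac` and run from the class path.

```java
import java.io.SerializablePermission;
import java.security.*;

public class SubclassPermissionDemo {
    static final Permission SUBCLASS = new SerializablePermission("enableSubclassImplementation");

    // Hypothetical stand-in for a stream base class that checks in its constructor.
    abstract static class GuardedStream {
        protected GuardedStream() {
            SecurityManager sm = System.getSecurityManager();
            // Every protection domain on the call stack must hold the permission.
            if (sm != null) sm.checkPermission(SUBCLASS);
        }
    }

    // Hypothetical subclass, in the role WrapperInputStream plays in the traces.
    static final class WrapperStream extends GuardedStream { }

    // Constructed demo policy: only the SerializablePermission decision is modelled;
    // everything else is allowed so the demo can run. Not a production policy.
    static final class DemoPolicy extends Policy {
        volatile boolean grantSubclass;
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (permission instanceof SerializablePermission) {
                return grantSubclass && SUBCLASS.implies(permission);
            }
            return true;
        }
    }

    static boolean canConstruct() {
        try {
            new WrapperStream();
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        DemoPolicy policy = new DemoPolicy();
        Policy.setPolicy(policy);
        System.setSecurityManager(new SecurityManager());
        System.out.println("no grant:   constructible = " + canConstruct());
        policy.grantSubclass = true; // stands in for adding the grant to the policy
        System.out.println("with grant: constructible = " + canConstruct());
    }
}
```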

