[jbossts-issues] [JBoss JIRA] (JBTM-2577) CDR Input/Output streams need SerializablePermission("enableSubclassImplementation") when Security Manager is in force
Ivo Studensky (JIRA)
issues at jboss.org
Thu Dec 3 11:03:00 EST 2015
[ https://issues.jboss.org/browse/JBTM-2577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ivo Studensky updated JBTM-2577:
--------------------------------
Status: Pull Request Sent (was: Open)
> CDR Input/Output streams need SerializablePermission("enableSubclassImplementation") when Security Manager is in force
> ----------------------------------------------------------------------------------------------------------------------
>
> Key: JBTM-2577
> URL: https://issues.jboss.org/browse/JBTM-2577
> Project: JBoss Transaction Manager
> Issue Type: Bug
> Components: JTS
> Affects Versions: 5.2.8.Final
> Reporter: Ivo Studensky
> Assignee: Ivo Studensky
>
> Since JDK 7u25, the {{org.omg.CORBA_2_3.portable.OutputStream}} and {{InputStream}} classes need an extra permission when a Security Manager is enabled. Following an earlier vulnerability, their constructors now check {{SerializablePermission("enableSubclassImplementation")}}. There is a system property that allows subclass instantiation without the security check ({{jdk.corba.allowOutputStreamSubclass=true}}), but it switches the check off for the whole JVM rather than granting the permission to specific code, and according to my findings it is subject to removal in future Java releases.
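> At the moment, our IIOP code fails when running with a Security Manager (SM) enabled; this can be seen in the IIOP tests of the WildFly testsuite.
> See the following stack traces. Both fail the permission check made in the {{org.omg.CORBA_2_3.portable.InputStream}} constructor, reached from {{InterpositionClientRequestInterceptorImpl.send_request}}: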
> {noformat}
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
> at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
> at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
> at com.sun.corba.se.impl.encoding.WrapperInputStream.<init>(WrapperInputStream.java:74)
> at com.sun.corba.se.impl.corba.TypeCodeImpl.read_value(TypeCodeImpl.java:1273)
> at com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_any(CDRInputStream_1_0.java:695)
> at com.sun.corba.se.impl.encoding.CDRInputStream.read_any(CDRInputStream.java:238)
> at org.omg.CosTransactions.PropagationContextHelper.read(PropagationContextHelper.java:88)
> at com.arjuna.ArjunaOTS._ArjunaTransactionStub.get_txcontext(_ArjunaTransactionStub.java:387)
> at com.arjuna.ats.jts.orbspecific.javaidl.interceptors.interposition.InterpositionClientRequestInterceptorImpl.send_request(InterpositionClientRequestInterceptorImpl.java:223)
> at com.sun.corba.se.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:245)
> at com.sun.corba.se.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:355)
> at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.beginRequest(CorbaClientRequestDispatcherImpl.java:293)
> at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:137)
> at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
> at org.omg.CosTransactions._ResourceStub.commit_one_phase(_ResourceStub.java:94)
> at com.arjuna.ats.internal.jts.resources.ResourceRecord.topLevelOnePhaseCommit(ResourceRecord.java:537)
> at com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2361)
> at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495)
> - locked <0x360a> (a com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple)
> at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.commit(ArjunaTransactionImple.java:375)
> at com.arjuna.ats.internal.jts.ControlWrapper.commit(ControlWrapper.java:244)
> at com.arjuna.ats.internal.jts.orbspecific.CurrentImple.commit(CurrentImple.java:247)
> at com.arjuna.ats.jts.extensions.AtomicTransaction.commit(AtomicTransaction.java:276)
> at com.arjuna.ats.internal.jta.transaction.jts.TransactionImple.commitAndDisassociate(TransactionImple.java:1313)
> at com.arjuna.ats.internal.jta.transaction.jts.BaseTransaction.commit(BaseTransaction.java:130)
> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
> at org.jboss.tm.usertx.client.ServerVMClientUserTransaction.commit(ServerVMClientUserTransaction.java:178)
> at org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:65)
> {noformat}
> {noformat}
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
> at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
> at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
> at com.sun.corba.se.impl.encoding.WrapperInputStream.<init>(WrapperInputStream.java:74)
> at com.sun.corba.se.impl.corba.TypeCodeImpl.read_value(TypeCodeImpl.java:1273)
> at com.sun.corba.se.impl.corba.TypeCodeImpl.copy(TypeCodeImpl.java:2018)
> at com.sun.corba.se.impl.corba.TypeCodeImpl.copy(TypeCodeImpl.java:2054)
> at com.sun.corba.se.impl.corba.AnyImpl.write_value(AnyImpl.java:610)
> at com.sun.corba.se.impl.interceptors.CDREncapsCodec.encodeImpl(CDREncapsCodec.java:173)
> at com.sun.corba.se.impl.interceptors.CDREncapsCodec.encode_value(CDREncapsCodec.java:119)
> at com.arjuna.ats.jts.orbspecific.javaidl.interceptors.interposition.InterpositionClientRequestInterceptorImpl.send_request(InterpositionClientRequestInterceptorImpl.java:280)
> at com.sun.corba.se.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:245)
> at com.sun.corba.se.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:355)
> at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.beginRequest(CorbaClientRequestDispatcherImpl.java:293)
> at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:137)
> at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
> at com.arjuna.ArjunaOTS._ArjunaTransactionStub.is_top_level_transaction(_ArjunaTransactionStub.java:193)
> at com.arjuna.ats.jts.OTSManager.destroyControl(OTSManager.java:133)
> at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.destroyAction(ArjunaTransactionImple.java:2201)
> at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.commit(ArjunaTransactionImple.java:392)
> at com.arjuna.ats.internal.jts.ControlWrapper.commit(ControlWrapper.java:244)
> at com.arjuna.ats.internal.jts.orbspecific.CurrentImple.commit(CurrentImple.java:247)
> at com.arjuna.ats.jts.extensions.AtomicTransaction.commit(AtomicTransaction.java:276)
> at com.arjuna.ats.internal.jta.transaction.jts.TransactionImple.commitAndDisassociate(TransactionImple.java:1313)
> at com.arjuna.ats.internal.jta.transaction.jts.BaseTransaction.commit(BaseTransaction.java:130)
> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
> at org.jboss.tm.usertx.client.ServerVMClientUserTransaction.commit(ServerVMClientUserTransaction.java:178)
> at org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:65)
> {noformat}