[webbeans-issues] [JBoss JIRA] Commented: (WBRI-336) Web Beans App Throws Exception In GlassFish v3 with Security Mgr Enabled.

Pete Muir (JIRA) jira-events at lists.jboss.org
Tue Aug 4 18:27:29 EDT 2009


    [ https://jira.jboss.org/jira/browse/WBRI-336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12478943#action_12478943 ] 

Pete Muir commented on WBRI-336:
--------------------------------

Oh, and currently we are allowing public access to Reflections which is a big security hole. We need to consider how to restrict access to it.

> Web Beans App Throws Exception In GlassFish v3 with Security Mgr Enabled.
> -------------------------------------------------------------------------
>
>                 Key: WBRI-336
>                 URL: https://jira.jboss.org/jira/browse/WBRI-336
>             Project: Web Beans
>          Issue Type: Bug
>    Affects Versions: 1.0.0.CR1
>         Environment: MACOS X,  GlassFish v3
>            Reporter: Roger Kitain
>         Attachments: Reflections.txt
>
>
> GlassFish v3 started with Security Mgr enabled.
> Web Beans numberguess app deploys fine.  But upon visiting the first page of the app:
>       Aug 4, 2009 11:24:04 AM com.sun.enterprise.security.provider.BasePolicyWrapper$2 run
>       INFO: JACC Policy Provider: Failed Permission Check, context(webbeans-numberguess-jsf2/webbeans-numberguess-jsf2)- permission((java.lang.reflect.ReflectPermission suppressAccessChecks))
>       Aug 4, 2009 11:24:04 AM com.sun.faces.application.view.FaceletViewHandlingStrategy handleRenderException
>       SEVERE: Error Rendering View[/home.xhtml]
>       javax.el.ELException: /home.xhtml @13,117 rendered="#{game.number gt game.guess and game.guess ne 0}": java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
>               at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:107)
>               at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:190)
>               at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:414)
>               at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1604)
>               at javax.faces.render.Renderer.encodeChildren(Renderer.java:168)
>               at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:846)
>               at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1610)
>               at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1613)
>               at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:280)
>               at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:126)
>               at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:127)
>               at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97)
>               at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
>               at javax.faces.webapp.FacesServlet.service(FacesServlet.java:311)
>               at sun.reflect.GeneratedMethodAccessor160.invoke(Unknown Source)
>               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>               at java.lang.reflect.Method.invoke(Method.java:597)
>               at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
>               at java.security.AccessController.doPrivileged(Native Method)
>               at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
>               at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
>               at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
>               at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1498)
>               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
>               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
>               at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
>               at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
>               at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
>               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
>               at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
>               at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:338)
>               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:237)
>               at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:202)
>               at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:752)
>               at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:660)
>               at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:911)
>               at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:164)
>               at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
>               at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
>               at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
>               at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
>               at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
>               at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
>               at com.sun.grizzly.NIOContext.execute(NIOContext.java:510)
>               at com.sun.grizzly.SelectorHandlerRunner.handleSelectedKey(SelectorHandlerRunner.java:357)
>               at com.sun.grizzly.SelectorHandlerRunner.handleSelectedKeys(SelectorHandlerRunner.java:257)
>               at com.sun.grizzly.SelectorHandlerRunner.doSelect(SelectorHandlerRunner.java:194)
>               at com.sun.grizzly.SelectorHandlerRunner.run(SelectorHandlerRunner.java:129)
>               at com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
>               at com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
>               at java.lang.Thread.run(Thread.java:637)
>       Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
>               at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>               at java.security.AccessController.checkPermission(AccessController.java:546)
>               at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>               at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
>               at org.jboss.webbeans.util.Reflections.lookupMethod(Reflections.java:536)
>               at org.jboss.webbeans.util.Reflections.lookupMethod(Reflections.java:513)
>               at org.jboss.webbeans.introspector.jlr.WBMethodImpl.invokeOnInstance(WBMethodImpl.java:196)
>               at org.jboss.webbeans.injection.MethodInjectionPoint.invokeOnInstance(MethodInjectionPoint.java:143)
>               at org.jboss.webbeans.bean.ProducerMethodBean.produceInstance(ProducerMethodBean.java:84)
>               at org.jboss.webbeans.bean.AbstractProducerBean.create(AbstractProducerBean.java:341)
>               at org.jboss.webbeans.context.DependentContext.get(DependentContext.java:82)
>               at org.jboss.webbeans.BeanManagerImpl.getReference(BeanManagerImpl.java:915)
>               at org.jboss.webbeans.BeanManagerImpl.getInjectableReference(BeanManagerImpl.java:953)
>               at org.jboss.webbeans.injection.FieldInjectionPoint.inject(FieldInjectionPoint.java:74)
>               at org.jboss.webbeans.bean.AbstractClassBean.injectBoundFields(AbstractClassBean.java:217)
>               at org.jboss.webbeans.bean.SimpleBean.create(SimpleBean.java:121)
>               at org.jboss.webbeans.context.AbstractMapContext.get(AbstractMapContext.java:97)
>               at org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.getProxiedInstance(ClientProxyMethodHandler.java:127)
>               at org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.invoke(ClientProxyMethodHandler.java:96)
>               at org.jboss.webbeans.examples.numberguess.Game_$$_javassist_5.getNumber(Game_$$_javassist_5.java)
>               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>               at java.lang.reflect.Method.invoke(Method.java:597)
>               at javax.el.BeanELResolver.getValue(BeanELResolver.java:302)
>               at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:175)
>               at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72)
>               at com.sun.el.parser.AstValue.getValue(AstValue.java:116)
>               at com.sun.el.parser.AstValue.getValue(AstValue.java:163)
>               at com.sun.el.parser.AstGreaterThan.getValue(AstGreaterThan.java:54)
>               at com.sun.el.parser.AstAnd.getValue(AstAnd.java:54)
>               at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:219)
>               at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:102)
>               ... 50 more
>       Aug 4, 2009 11:24:04 AM org.apache.catalina.core.StandardWrapperValve log
>       WARNING: StandardWrapperValve[Faces Servlet]: PWC1406: Servlet.service() for servlet Faces Servlet threw exception
>       java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
>               at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>               at java.security.AccessController.checkPermission(AccessController.java:546)
>               at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>               at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
>               at org.jboss.webbeans.util.Reflections.lookupMethod(Reflections.java:536)
>               at org.jboss.webbeans.util.Reflections.lookupMethod(Reflections.java:513)
>               at org.jboss.webbeans.introspector.jlr.WBMethodImpl.invokeOnInstance(WBMethodImpl.java:196)
>               at org.jboss.webbeans.injection.MethodInjectionPoint.invokeOnInstance(MethodInjectionPoint.java:143)
>               at org.jboss.webbeans.bean.ProducerMethodBean.produceInstance(ProducerMethodBean.java:84)
>               at org.jboss.webbeans.bean.AbstractProducerBean.create(AbstractProducerBean.java:341)
>               at org.jboss.webbeans.context.DependentContext.get(DependentContext.java:82)
>               at org.jboss.webbeans.BeanManagerImpl.getReference(BeanManagerImpl.java:915)
>               at org.jboss.webbeans.BeanManagerImpl.getInjectableReference(BeanManagerImpl.java:953)
>               at org.jboss.webbeans.injection.FieldInjectionPoint.inject(FieldInjectionPoint.java:74)
>               at org.jboss.webbeans.bean.AbstractClassBean.injectBoundFields(AbstractClassBean.java:217)
>               at org.jboss.webbeans.bean.SimpleBean.create(SimpleBean.java:121)
>               at org.jboss.webbeans.context.AbstractMapContext.get(AbstractMapContext.java:97)
>               at org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.getProxiedInstance(ClientProxyMethodHandler.java:127)
>               at org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.invoke(ClientProxyMethodHandler.java:96)
>               at org.jboss.webbeans.examples.numberguess.Game_$$_javassist_5.getNumber(Game_$$_javassist_5.java)
>               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>               at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>               at java.lang.reflect.Method.invoke(Method.java:597)
>               at javax.el.BeanELResolver.getValue(BeanELResolver.java:302)
>               at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:175)
>               at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72)
>               at com.sun.el.parser.AstValue.getValue(AstValue.java:116)
>               at com.sun.el.parser.AstValue.getValue(AstValue.java:163)
>               at com.sun.el.parser.AstGreaterThan.getValue(AstGreaterThan.java:54)
>               at com.sun.el.parser.AstAnd.getValue(AstAnd.java:54)
>               at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:219)
>               at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:102)
>               at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:190)
>               at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:414)
>               at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1604)
>               at javax.faces.render.Renderer.encodeChildren(Renderer.java:168)
>               at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:846)
>               at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1610)
>               at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1613)
>               at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:280)
>               at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:126)
>               at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:127)
>               at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97)
>               at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
>               at javax.faces.webapp.FacesServlet.service(FacesServlet.java:311)
>               at sun.reflect.GeneratedMethodAccessor160.invoke(Unknown Source)
>               at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>               at java.lang.reflect.Method.invoke(Method.java:597)
>               at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
>               at java.security.AccessController.doPrivileged(Native Method)
>               at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
>               at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
>               at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
>               at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1498)
>               at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
>               at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
>               at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
>               at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
>               at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
>               at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
>               at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
>               at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:338)
>               at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:237)
>               at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:202)
>               at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:752)
>               at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:660)
>               at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:911)
>               at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:164)
>               at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
>               at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
>               at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
>               at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
>               at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
>               at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
>               at com.sun.grizzly.NIOContext.execute(NIOContext.java:510)
>               at com.sun.grizzly.SelectorHandlerRunner.handleSelectedKey(SelectorHandlerRunner.java:357)
>               at com.sun.grizzly.SelectorHandlerRunner.handleSelectedKeys(SelectorHandlerRunner.java:257)
>               at com.sun.grizzly.SelectorHandlerRunner.doSelect(SelectorHandlerRunner.java:194)
>               at com.sun.grizzly.SelectorHandlerRunner.run(SelectorHandlerRunner.java:129)
>               at com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
>               at com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
>               at java.lang.Thread.run(Thread.java:637)

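Added example, not part of the original message and not Web Beans code: the trace fails at setAccessible() because the application lacks ReflectPermission("suppressAccessChecks"), and the comment's concern is what happens once a publicly reachable helper holds that permission. The sketch below contrasts a public privileged helper with a restricted one; all class and method names (ReflectionAccessDemo, OpenHelper, ContainerHelper) are hypothetical, and it assumes a JVM running with a SecurityManager as in the report.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;

// Hypothetical classes for illustration only; none of this is Web Beans code.
public class ReflectionAccessDemo {

    /** Risky shape: public, privileged, and returns the unlocked Method. */
    public static final class OpenHelper {
        public static Method unlock(final Class<?> c, final String name) throws Exception {
            // doPrivileged stops the permission check at this class, so callers that
            // lack ReflectPermission("suppressAccessChecks") still get the result.
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                public Method run() throws Exception {
                    Method m = c.getDeclaredMethod(name);
                    m.setAccessible(true);
                    return m; // any code can now invoke a private member
                }
            });
        }
    }

    /** Restricted shape: package-private, allow-listed targets, nothing leaks. */
    static final class ContainerHelper {
        // Classes the container itself decided to manage (filled at deployment).
        private static final Set<Class<?>> MANAGED = new CopyOnWriteArraySet<Class<?>>();

        static void register(Class<?> beanClass) {
            MANAGED.add(beanClass);
        }

        static Object invoke(final Class<?> c, final String name, Object target) throws Exception {
            if (!MANAGED.contains(c)) {
                throw new SecurityException("not a container-managed class: " + c.getName());
            }
            // Only lookup + setAccessible run privileged; the Method stays local.
            Method m = AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                public Method run() throws Exception {
                    Method found = c.getDeclaredMethod(name);
                    found.setAccessible(true);
                    return found;
                }
            });
            // Invoked outside doPrivileged: the bean method itself still runs
            // with the (restricted) permissions of the calling application.
            return m.invoke(target);
        }
    }
}
```

With the restricted shape, the policy file grants suppressAccessChecks to the framework's code source only, and application code cannot reach the privileged path because the helper is not visible outside the framework's package.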