7:40 p.m.
Author: clebert.suconic(a)jboss.com
Date: 2011-10-10 20:40:11 -0400 (Mon, 10 Oct 2011)
New Revision: 11506
Removed:
branches/Branch_2_2_EAP/src/main/org/hornetq/utils/ClassloadingUtil.java
Modified:
branches/Branch_2_2_EAP/src/main/org/hornetq/core/logging/Logger.java
branches/Branch_2_2_EAP/src/main/org/hornetq/core/remoting/impl/ssl/SSLSupport.java
branches/Branch_2_2_EAP/src/main/org/hornetq/core/remoting/server/impl/RemotingServiceImpl.java
branches/Branch_2_2_EAP/src/main/org/hornetq/core/server/impl/HornetQServerImpl.java
branches/Branch_2_2_EAP/src/main/org/hornetq/jms/bridge/impl/JMSBridgeImpl.java
branches/Branch_2_2_EAP/src/main/org/hornetq/utils/XMLUtil.java
branches/Branch_2_2_EAP/tests/src/org/hornetq/tests/timing/core/journal/impl/NIOJournalImplTest.java
Log:
removing ClassLoadUtil for security reasons
Modified: branches/Branch_2_2_EAP/src/main/org/hornetq/core/logging/Logger.java
===================================================================
--- branches/Branch_2_2_EAP/src/main/org/hornetq/core/logging/Logger.java 2011-10-10
16:40:42 UTC (rev 11505)
+++ branches/Branch_2_2_EAP/src/main/org/hornetq/core/logging/Logger.java 2011-10-11
00:40:11 UTC (rev 11506)
@@ -13,13 +13,14 @@
package org.hornetq.core.logging;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.hornetq.core.logging.impl.JULLogDelegateFactory;
import org.hornetq.spi.core.logging.LogDelegate;
import org.hornetq.spi.core.logging.LogDelegateFactory;
-import org.hornetq.utils.ClassloadingUtil;
/**
*
@@ -81,7 +82,7 @@
if (className != null)
{
- delegateFactory = (LogDelegateFactory)
ClassloadingUtil.safeInitNewInstance(className);
+ delegateFactory = (LogDelegateFactory) safeInitNewInstance(className);
}
else
{
@@ -200,5 +201,47 @@
{
delegate.trace(message, t);
}
+
+ /** This seems duplicate code all over the place, but for security reasons we
can't let something like this to be open in a
+ * utility class, as it would be a door to load anything you like in a safe VM.
+ * For that reason any class trying to do a privileged block should do with the
AccessController directly.
+ * @param className
+ * @return
+ */
+ private static Object safeInitNewInstance(final String className)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ ClassLoader loader = this.getClass().getClassLoader();
+ try
+ {
+ Class<?> clazz = loader.loadClass(className);
+ return clazz.newInstance();
+ }
+ catch (Throwable t)
+ {
+ try
+ {
+ loader = Thread.currentThread().getContextClassLoader();
+ if (loader != null)
+ return loader.loadClass(className).newInstance();
+ }
+ catch (RuntimeException e)
+ {
+ throw e;
+ }
+ catch (Exception e)
+ {
+ }
+ throw new IllegalArgumentException("Could not find class " +
className);
+ }
+ }
+ });
+ }
+
+
+
}
Modified:
branches/Branch_2_2_EAP/src/main/org/hornetq/core/remoting/impl/ssl/SSLSupport.java
===================================================================
---
branches/Branch_2_2_EAP/src/main/org/hornetq/core/remoting/impl/ssl/SSLSupport.java 2011-10-10
16:40:42 UTC (rev 11505)
+++
branches/Branch_2_2_EAP/src/main/org/hornetq/core/remoting/impl/ssl/SSLSupport.java 2011-10-11
00:40:11 UTC (rev 11506)
@@ -18,8 +18,10 @@
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
+import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
+import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
@@ -30,8 +32,6 @@
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
-import org.hornetq.utils.ClassloadingUtil;
-
/**
* @author <a href="mailto:jmesnil@redhat.com">Jeff Mesnil</a>
*
@@ -187,7 +187,7 @@
}
else
{
- URL url = ClassloadingUtil.findResource(storePath);
+ URL url = findResource(storePath);
if (url != null)
{
return url;
@@ -197,6 +197,41 @@
throw new Exception("Failed to find a store at " + storePath);
}
+
+ /** This seems duplicate code all over the place, but for security reasons we
can't let something like this to be open in a
+ * utility class, as it would be a door to load anything you like in a safe VM.
+ * For that reason any class trying to do a privileged block should do with the
AccessController directly.
+ */
+ private static URL findResource(final String resourceName)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<URL>()
+ {
+ public URL run()
+ {
+ ClassLoader loader = getClass().getClassLoader();
+ try
+ {
+ URL resource = loader.getResource(resourceName);
+ if (resource != null)
+ return resource;
+ }
+ catch (Throwable t)
+ {
+ }
+ loader = Thread.currentThread().getContextClassLoader();
+ if (loader == null)
+ return null;
+
+ URL resource = loader.getResource(resourceName);
+ if (resource != null)
+ return resource;
+
+ return null;
+ }
+ });
+ }
+
+
// Inner classes -------------------------------------------------
}
Modified:
branches/Branch_2_2_EAP/src/main/org/hornetq/core/remoting/server/impl/RemotingServiceImpl.java
===================================================================
---
branches/Branch_2_2_EAP/src/main/org/hornetq/core/remoting/server/impl/RemotingServiceImpl.java 2011-10-10
16:40:42 UTC (rev 11505)
+++
branches/Branch_2_2_EAP/src/main/org/hornetq/core/remoting/server/impl/RemotingServiceImpl.java 2011-10-11
00:40:11 UTC (rev 11506)
@@ -52,7 +52,6 @@
import org.hornetq.spi.core.remoting.BufferHandler;
import org.hornetq.spi.core.remoting.Connection;
import org.hornetq.spi.core.remoting.ConnectionLifeCycleListener;
-import org.hornetq.utils.ClassloadingUtil;
import org.hornetq.utils.ConfigurationHelper;
import org.hornetq.utils.HornetQThreadFactory;
@@ -122,7 +121,7 @@
{
try
{
- interceptors.add((Interceptor)
ClassloadingUtil.safeInitNewInstance(interceptorClass));
+ interceptors.add((Interceptor) safeInitNewInstance(interceptorClass));
}
catch (Exception e)
{
@@ -640,5 +639,45 @@
}
}
}
+
+
+ /** This seems duplicate code all over the place, but for security reasons we
can't let something like this to be open in a
+ * utility class, as it would be a door to load anything you like in a safe VM.
+ * For that reason any class trying to do a privileged block should do with the
AccessController directly.
+ */
+ private static Object safeInitNewInstance(final String className)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ ClassLoader loader = getClass().getClassLoader();
+ try
+ {
+ Class<?> clazz = loader.loadClass(className);
+ return clazz.newInstance();
+ }
+ catch (Throwable t)
+ {
+ try
+ {
+ loader = Thread.currentThread().getContextClassLoader();
+ if (loader != null)
+ return loader.loadClass(className).newInstance();
+ }
+ catch (RuntimeException e)
+ {
+ throw e;
+ }
+ catch (Exception e)
+ {
+ }
+ throw new IllegalArgumentException("Could not find class " +
className);
+ }
+ }
+ });
+ }
+
+
}
\ No newline at end of file
Modified:
branches/Branch_2_2_EAP/src/main/org/hornetq/core/server/impl/HornetQServerImpl.java
===================================================================
---
branches/Branch_2_2_EAP/src/main/org/hornetq/core/server/impl/HornetQServerImpl.java 2011-10-10
16:40:42 UTC (rev 11505)
+++
branches/Branch_2_2_EAP/src/main/org/hornetq/core/server/impl/HornetQServerImpl.java 2011-10-11
00:40:11 UTC (rev 11506)
@@ -121,7 +121,6 @@
import org.hornetq.spi.core.protocol.RemotingConnection;
import org.hornetq.spi.core.protocol.SessionCallback;
import org.hornetq.spi.core.security.HornetQSecurityManager;
-import org.hornetq.utils.ClassloadingUtil;
import org.hornetq.utils.ExecutorFactory;
import org.hornetq.utils.HornetQThreadFactory;
import org.hornetq.utils.OrderedExecutorFactory;
@@ -1754,7 +1753,7 @@
private Object instantiateInstance(final String className)
{
- return ClassloadingUtil.safeInitNewInstance(className);
+ return safeInitNewInstance(className);
}
private static ClassLoader getThisClassLoader()
@@ -2098,5 +2097,43 @@
}
}
+ /** This seems duplicate code all over the place, but for security reasons we
can't let something like this to be open in a
+ * utility class, as it would be a door to load anything you like in a safe VM.
+ * For that reason any class trying to do a privileged block should do with the
AccessController directly.
+ */
+ private static Object safeInitNewInstance(final String className)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ ClassLoader loader = getClass().getClassLoader();
+ try
+ {
+ Class<?> clazz = loader.loadClass(className);
+ return clazz.newInstance();
+ }
+ catch (Throwable t)
+ {
+ try
+ {
+ loader = Thread.currentThread().getContextClassLoader();
+ if (loader != null)
+ return loader.loadClass(className).newInstance();
+ }
+ catch (RuntimeException e)
+ {
+ throw e;
+ }
+ catch (Exception e)
+ {
+ }
+ throw new IllegalArgumentException("Could not find class " +
className);
+ }
+ }
+ });
+ }
+
+
}
Modified: branches/Branch_2_2_EAP/src/main/org/hornetq/jms/bridge/impl/JMSBridgeImpl.java
===================================================================
---
branches/Branch_2_2_EAP/src/main/org/hornetq/jms/bridge/impl/JMSBridgeImpl.java 2011-10-10
16:40:42 UTC (rev 11505)
+++
branches/Branch_2_2_EAP/src/main/org/hornetq/jms/bridge/impl/JMSBridgeImpl.java 2011-10-11
00:40:11 UTC (rev 11506)
@@ -14,6 +14,8 @@
package org.hornetq.jms.bridge.impl;
import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
@@ -54,7 +56,6 @@
import org.hornetq.jms.bridge.QualityOfServiceMode;
import org.hornetq.jms.client.HornetQMessage;
import org.hornetq.jms.client.HornetQSession;
-import org.hornetq.utils.ClassloadingUtil;
/**
*
@@ -943,7 +944,7 @@
{
try
{
- Object o =
ClassloadingUtil.safeInitNewInstance(transactionManagerLocatorClass);
+ Object o = safeInitNewInstance(transactionManagerLocatorClass);
Method m = o.getClass().getMethod(transactionManagerLocatorMethod);
tm = (TransactionManager)m.invoke(o);
}
@@ -2002,4 +2003,44 @@
}
}
}
+
+ /** This seems duplicate code all over the place, but for security reasons we
can't let something like this to be open in a
+ * utility class, as it would be a door to load anything you like in a safe VM.
+ * For that reason any class trying to do a privileged block should do with the
AccessController directly.
+ */
+ private static Object safeInitNewInstance(final String className)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ ClassLoader loader = getClass().getClassLoader();
+ try
+ {
+ Class<?> clazz = loader.loadClass(className);
+ return clazz.newInstance();
+ }
+ catch (Throwable t)
+ {
+ try
+ {
+ loader = Thread.currentThread().getContextClassLoader();
+ if (loader != null)
+ return loader.loadClass(className).newInstance();
+ }
+ catch (RuntimeException e)
+ {
+ throw e;
+ }
+ catch (Exception e)
+ {
+ }
+
+ throw new IllegalArgumentException("Could not find class " +
className);
+ }
+ }
+ });
+ }
+
+
}
Deleted: branches/Branch_2_2_EAP/src/main/org/hornetq/utils/ClassloadingUtil.java
===================================================================
--- branches/Branch_2_2_EAP/src/main/org/hornetq/utils/ClassloadingUtil.java 2011-10-10
16:40:42 UTC (rev 11505)
+++ branches/Branch_2_2_EAP/src/main/org/hornetq/utils/ClassloadingUtil.java 2011-10-11
00:40:11 UTC (rev 11506)
@@ -1,79 +0,0 @@
-package org.hornetq.utils;
-
-import java.net.URL;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-
-/**
-* A ClassloadingUtil *
-* @author <a href="mailto:hgao@redhat.com">Howard Gao</a>
-*/
-
-public class ClassloadingUtil
-{
- public static Object safeInitNewInstance(final String className)
- {
- return AccessController.doPrivileged(new PrivilegedAction<Object>()
- {
- public Object run()
- {
- ClassLoader loader = ClassloadingUtil.class.getClassLoader();
- try
- {
- Class<?> clazz = loader.loadClass(className);
- return clazz.newInstance();
- }
- catch (Throwable t)
- {
- try
- {
- loader = Thread.currentThread().getContextClassLoader();
- if (loader != null)
- return loader.loadClass(className).newInstance();
- }
- catch (RuntimeException e)
- {
- throw e;
- }
- catch (Exception e)
- {
- }
-
- throw new IllegalArgumentException("Could not find class " +
className);
- }
- }
- });
- }
-
- public static URL findResource(final String resourceName)
- {
- return AccessController.doPrivileged(new PrivilegedAction<URL>()
- {
- public URL run()
- {
- ClassLoader loader = ClassloadingUtil.class.getClassLoader();
- try
- {
- URL resource = loader.getResource(resourceName);
- if (resource != null)
- return resource;
- }
- catch (Throwable t)
- {
- }
-
- loader = Thread.currentThread().getContextClassLoader();
- if (loader == null)
- return null;
-
- URL resource = loader.getResource(resourceName);
- if (resource != null)
- return resource;
-
- return null;
- }
- });
- }
-
-}
-
Modified: branches/Branch_2_2_EAP/src/main/org/hornetq/utils/XMLUtil.java
===================================================================
--- branches/Branch_2_2_EAP/src/main/org/hornetq/utils/XMLUtil.java 2011-10-10 16:40:42
UTC (rev 11505)
+++ branches/Branch_2_2_EAP/src/main/org/hornetq/utils/XMLUtil.java 2011-10-11 00:40:11
UTC (rev 11506)
@@ -18,6 +18,8 @@
import java.io.StringReader;
import java.lang.reflect.Method;
import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.List;
@@ -481,7 +483,7 @@
{
SchemaFactory factory =
SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
- Schema schema = factory.newSchema(ClassloadingUtil.findResource(schemaFile));
+ Schema schema = factory.newSchema(findResource(schemaFile));
Validator validator = schema.newValidator();
// validate the DOM tree
@@ -529,6 +531,40 @@
return nodes;
}
+ /** This seems duplicate code all over the place, but for security reasons we
can't let something like this to be open in a
+ * utility class, as it would be a door to load anything you like in a safe VM.
+ * For that reason any class trying to do a privileged block should do with the
AccessController directly.
+ */
+ private static URL findResource(final String resourceName)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<URL>()
+ {
+ public URL run()
+ {
+ ClassLoader loader = getClass().getClassLoader();
+ try
+ {
+ URL resource = loader.getResource(resourceName);
+ if (resource != null)
+ return resource;
+ }
+ catch (Throwable t)
+ {
+ }
+
+ loader = Thread.currentThread().getContextClassLoader();
+ if (loader == null)
+ return null;
+
+ URL resource = loader.getResource(resourceName);
+ if (resource != null)
+ return resource;
+
+ return null;
+ }
+ });
+ }
+
// Inner classes
--------------------------------------------------------------------------------
}
Modified:
branches/Branch_2_2_EAP/tests/src/org/hornetq/tests/timing/core/journal/impl/NIOJournalImplTest.java
===================================================================
---
branches/Branch_2_2_EAP/tests/src/org/hornetq/tests/timing/core/journal/impl/NIOJournalImplTest.java 2011-10-10
16:40:42 UTC (rev 11505)
+++
branches/Branch_2_2_EAP/tests/src/org/hornetq/tests/timing/core/journal/impl/NIOJournalImplTest.java 2011-10-11
00:40:11 UTC (rev 11506)
@@ -31,7 +31,7 @@
{
private static final Logger log = Logger.getLogger(NIOJournalImplTest.class);
- protected String journalDir = System.getProperty("user.home") +
"/journal-test";
+ protected String journalDir = System.getProperty("java.io.tmpdir",
"/tmp") + "/journal-test";
@Override
protected SequentialFileFactory getFileFactory() throws Exception