Adrian Brock [http://community.jboss.org/people/adrian%40jboss.org] replied to the discussion "Testing jboss-reflect with a SecurityManager enabled"
To view the discussion, visit:
http://community.jboss.org/message/534062#534062
--------------------------------------------------------------
Kabir Khan wrote:
This has been committed against https://jira.jboss.org/jira/browse/JBREFLECT-109.
I did not need the extra permissions in ContainerTestPlugin, all that was needed was an IntrospectionEnumTestCase.properties:
test.Permission.0=java.lang.RuntimePermission, accessClassInPackage.sun.reflect.annotation
Without that I got this
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.reflect.annotation)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:327)
at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:398)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:247)
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:604)
<snip/>
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at java.util.HashMap.readObject(HashMap.java:1030)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:974)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1849)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at org.jboss.test.AbstractTestCase.deserialize(AbstractTestCase.java:352)
at org.jboss.test.classinfo.test.AbstractClassInfoTest.access$0(AbstractClassInfoTest.java:1)
at org.jboss.test.classinfo.test.AbstractClassInfoTest$1.run(AbstractClassInfoTest.java:100)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.test.classinfo.test.AbstractClassInfoTest.testBasics(AbstractClassInfoTest.java:96)
at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnum(ClassInfoEnumTest.java:71)
at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnumFieldAnnotation(ClassInfoEnumTest.java:64)
That actually looks like a bug to me.
We are assuming that the annotations cached in InheritableAnnotationsHolder can be Serialized, but there's no guarantee in the spec that Annotations are Serializable.
It just so happens that the ones Sun implements are, but it obviously fails to Serialize them if you have a SecurityManager enabled due to the package restriction.
In a different JDK they might not even be Serializable.
More correctly we should re-get the annotations during the readObject() processing rather than serializing them, or probably, just let the state revert back to UNKNOWN_ANNOTATIONS_*.
--------------------------------------------------------------
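A sketch of the second option in the reply above (let the cached state revert to unknown on deserialization and look the annotations up again on demand), added here as an illustration and not taken from jboss-reflect. The class `AnnotationCacheSketch`, its fields and the nested `Sample` class are hypothetical names.

```java
import java.io.*;
import java.lang.annotation.Annotation;

// Hypothetical holder that caches annotations; not jboss-reflect code.
public class AnnotationCacheSketch implements Serializable {
    private static final long serialVersionUID = 1L;
    // Sentinel for "not looked up yet", compared by identity.
    private static final Annotation[] UNKNOWN_ANNOTATIONS = new Annotation[0];

    @Deprecated
    static class Sample { }   // constructed sample input

    private final Class<?> annotated;   // written to the stream by class name
    // transient: annotation instances never enter the stream, so the reader
    // never has to resolve the JDK's internal annotation implementation classes.
    private transient Annotation[] annotations = UNKNOWN_ANNOTATIONS;

    public AnnotationCacheSketch(Class<?> annotated) { this.annotated = annotated; }

    public Annotation[] getAnnotations() {
        if (annotations == UNKNOWN_ANNOTATIONS)
            annotations = annotated.getAnnotations();   // look up again on demand
        return annotations;
    }

    boolean isCached() { return annotations != UNKNOWN_ANNOTATIONS; }

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        annotations = UNKNOWN_ANNOTATIONS;   // transient fields arrive as null; reset to the sentinel
    }

    public static void main(String[] args) throws Exception {
        AnnotationCacheSketch before = new AnnotationCacheSketch(Sample.class);
        before.getAnnotations();   // populate the cache before serializing

        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(before);
        }
        AnnotationCacheSketch after;
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            after = (AnnotationCacheSketch) in.readObject();
        }
        System.out.println("cached before write: " + before.isCached());
        System.out.println("cached after read:   " + after.isCached());
        System.out.println("annotations re-read: " + after.getAnnotations().length);
    }
}
```

Because the annotation array is never written, the test would no longer need the `accessClassInPackage.sun.reflect.annotation` grant just to deserialize the holder.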