[ http://jira.jboss.com/jira/browse/JASSIST-23?page=comments#action_12340715 ]
Renat Zubairov commented on JASSIST-23:
---------------------------------------
Actually HiveMind is using convenience methods that are located inside the CtClass class. I
have fixed the problem already, and tested how it works; however, the problem is that I don't
know what the best solution for the problem will be. There are several alternatives:
1. Let the client decide which ProtectionDomain should be used during the classloading -
make this decision mandatory for all clients
2. Let clients decide whether they want to have new classes associated with a
ProtectionDomain or not - potential security problem
3. Associate all classes loaded by Javassist with the Javassist protection domain
I would prefer to declare the old method as deprecated, and declare an additional method with
ProtectionDomain as a parameter; then clients can decide which protection domain they want
to use.
P.S. As soon as you decide, I can submit this fix either directly to SCV or as a patch file
and trigger changes in the HiveMind project
Java 2 Security ProtectionDomain is not associated with newly
generated classes
------------------------------------------------------------------------------
Key: JASSIST-23
URL: http://jira.jboss.com/jira/browse/JASSIST-23
Project: Javassist
Issue Type: Bug
Environment: IBM WebSphere 5.1 with J2EE Security ON, Javassist 3.0, Tapestry
4.1, HiveMind 1.1.1
Reporter: Renat Zubairov
Assigned To: Shigeru Chiba
Priority: Blocker
Attachments: exception.txt
Original Estimate: 3 hours
Remaining Estimate: 3 hours
Classes that are generated using Javassist have no associated protection domain; therefore
it is not possible for the JVM to assign permissions based on the static JAR file names. This
is a severe problem because it is not possible to grant permissions, hence all permissions
are forbidden, and because of that nothing works.
Javassist is used by HiveMind to generate proxy classes for its services, and, as seen in the
stack trace (in attachment), the generated classes can't be associated with any
ProtectionDomain; therefore
_any Javassist supported application is impossible to start under strict security in
Java_.
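The mechanism behind the report, as an added example that is not code from the issue, Javassist or HiveMind: with the plain JDK `ClassLoader`, a class defined from raw bytes without an explicit `ProtectionDomain` receives the loader's default domain, which carries no code location for policy `codeBase` grants to match, while the overload that takes a `ProtectionDomain` (the shape of the additional method proposed in the comment) binds the class to a domain the caller chooses. `DomainDemo`, `Generated` and `DefiningLoader` are names made up for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Added illustration, plain JDK only (no Javassist, no HiveMind).
// Compile with javac first so the .class file of Generated is on the classpath.
public class DomainDemo {
    // Constructed stand-in for a proxy class generated at run time.
    public static class Generated { }

    // Hypothetical loader that defines raw bytes itself, as a bytecode generator does.
    static class DefiningLoader extends ClassLoader {
        Class<?> define(String name, byte[] b, ProtectionDomain pd) {
            return pd == null
                ? defineClass(name, b, 0, b.length)      // loader's default domain
                : defineClass(name, b, 0, b.length, pd); // domain chosen by the caller
        }
    }

    // Code location that codeBase grants in a policy file are matched against.
    static URL location(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? null : cs.getLocation();
    }

    static byte[] bytesOf(Class<?> c) throws IOException {
        String res = "/" + c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getResourceAsStream(res)) {
            if (in == null) throw new IOException("class file not found: " + res);
            return in.readAllBytes(); // Java 9+
        }
    }

    public static void main(String[] args) throws IOException {
        String name = Generated.class.getName();
        byte[] bytes = bytesOf(Generated.class);
        ProtectionDomain callers = DomainDemo.class.getProtectionDomain();

        // One loader per definition: a loader cannot define the same name twice.
        Class<?> bare = new DefiningLoader().define(name, bytes, null);
        Class<?> bound = new DefiningLoader().define(name, bytes, callers);

        System.out.println("no domain passed:     " + location(bare));
        System.out.println("caller domain passed: " + location(bound));
    }
}
```

Comparing the two printed locations shows which of the two definitions a `codeBase` entry in the policy file could ever apply to.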