[jboss-jira] [JBoss JIRA] Commented: (JBRULES-562) Security Permission problem in Websphere 6.1

Thursday, 16 November 2006


    [ http://jira.jboss.com/jira/browse/JBRULES-562?page=comments#action_12347209 ] 
            
Edson Tirelli commented on JBRULES-562:
---------------------------------------

Hi Michael and Edson,

I fixed the problem with the generated class files today. However I'm not sure yet
whether I have broken something else.

Basically I pulled in the cglib code into ClassFieldExtractorFactory (file and patch
attached).

That was all fine however I was getting a duplicate class error when running the pricing
tests. So I changed ClassFieldExtractorCache to use a static cache rather than an
instance. I did these changes in the middle of a meeting and then emailed the jars to a
guy on my team who tested them so I wasn't really analysing the issues, just fixing
them. Anyway just doing it tonight I don't get that problem so I will check again
tomorrow.


cheers
Steve


+++
D:/drools-3.0.x/drools-core/src/main/java/org/drools/base/ClassFieldExtractorFactory.java	(working
copy)
@@ -18,6 +18,9 @@
 
 import java.beans.IntrospectionException;
 import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 
 import org.drools.RuntimeDroolsException;
 import org.drools.asm.ClassWriter;
@@ -37,14 +40,40 @@
 
 public class ClassFieldExtractorFactory {
 
-    private static final String GETTER         = "get";
+    private static final String           GETTER         = "get";
 
-    private static final String BOOLEAN_GETTER = "is";
+    private static final String           BOOLEAN_GETTER = "is";
 
-    private static final String BASE_PACKAGE   = "org/drools/base";
+    private static final String           BASE_PACKAGE   = "org/drools/base";
 
-    private static final String BASE_EXTRACTOR =
"org/drools/base/BaseClassFieldExtractor";
+    private static final String           BASE_EXTRACTOR =
"org/drools/base/BaseClassFieldExtractor";
+    private static Method                 DEFINE_CLASS;
+    private static final ProtectionDomain PROTECTION_DOMAIN;
 
+    static {
+        PROTECTION_DOMAIN = (ProtectionDomain) AccessController.doPrivileged( new
PrivilegedAction() {
+            public Object run() {
+                return ClassFieldExtractorFactory.class.getProtectionDomain();
+            }
+        } );
+
+        AccessController.doPrivileged( new PrivilegedAction() {
+            public Object run() {
+                try {
+                    Class loader = Class.forName( "java.lang.ClassLoader" ); //
JVM crash w/o this
+                    DEFINE_CLASS = loader.getDeclaredMethod( "defineClass",
+                                                             new Class[]{String.class,
byte[].class, Integer.TYPE, Integer.TYPE, ProtectionDomain.class} );
+                    DEFINE_CLASS.setAccessible( true );
+                } catch ( ClassNotFoundException e ) {
+                    throw new RuntimeDroolsException( e );
+                } catch ( NoSuchMethodException e ) {
+                    throw new RuntimeDroolsException( e );
+                }
+                return null;
+            }
+        } );
+    }
+
     public static BaseClassFieldExtractor getClassFieldExtractor(final Class clazz,
                                                                  final String fieldName)
{
         try {
@@ -64,13 +93,17 @@
                                        clazz.isInterface() );
             // use bytes to get a class 
             ClassLoader parent = Thread.currentThread().getContextClassLoader();
-            if( parent == null ) {
+            if ( parent == null ) {
                 parent = ClassFieldExtractorFactory.class.getClassLoader();
             }
-            final ByteArrayClassLoader classLoader = new ByteArrayClassLoader( parent );
-            final Class newClass = classLoader.defineClass( className.replace(
'/',
-                                                                              
'.' ),
-                                                            bytes );
+            //            final ByteArrayClassLoader classLoader = new
ByteArrayClassLoader( parent );
+            //            final Class newClass = classLoader.defineClass(
className.replace( '/',
+            //                                                                           
   '.' ),
+            //                                                            bytes );
+            final Class newClass = defineClass( className.replace( '/',
+                                                                   '.' ),
+                                                bytes,
+                                                parent );
             // instantiating target class
             final Object[] params = {clazz, fieldName};
             return (BaseClassFieldExtractor) newClass.getConstructors()[0].newInstance(
params );
@@ -79,6 +112,14 @@
         }
     }
 
+    public static Class defineClass(String className,
+                                    byte[] b,
+                                    ClassLoader loader) throws Exception {
+        Object[] args = new Object[]{className, b, new Integer( 0 ), new Integer(
b.length ), PROTECTION_DOMAIN};
+        return (Class) DEFINE_CLASS.invoke( loader,
+                                            args );
+    }
+
     private static byte[] dump(final String originalClassName,
                                final String className,
                                final String getterName,
@@ -209,7 +250,7 @@
                           2 );
             mv.visitEnd();
         } else {
-            String typeNotation = fieldType.isArray() ? typeName :
"L"+typeName+";";
+            String typeNotation = fieldType.isArray() ? typeName : "L" +
typeName + ";";
             mv = cw.visitMethod( Opcodes.ACC_PUBLIC,
                                  "getValue",
                                  "(Ljava/lang/Object;)Ljava/lang/Object;",

...
 Security Permission problem in Websphere 6.1
 --------------------------------------------

                 Key: JBRULES-562
                 URL: http://jira.jboss.com/jira/browse/JBRULES-562
             Project: JBoss Rules
          Issue Type: Bug
      Security Level: Public(Everyone can see) 
          Components: Reteoo
    Affects Versions: 3.0.4
            Reporter: Edson Tirelli
         Assigned To: Edson Tirelli
             Fix For: 3.0.5


 FROM STEVE'S EMAIL:
 ----------------------
 Hi all,
 We are using WebSphere 6.1 with java security switched on and get the following error
when we attempt to run drools:
 Permission:
       \D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class : Access denied (
java.io.FilePermission \D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class read)
 Code:
      org.drools.base.au.gov.vic.dse.lx.ec.Message$getStatus  in  {null code URL}
 Stack Trace:
 java.security.AccessControlException : Access denied (java.io.FilePermission
\D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class read)
         at java.security.AccessController.checkPermission(AccessController.java:104)
         at java.lang.SecurityManager.checkPermission (SecurityManager.java:547)
         at
com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
         at
com.ibm.ws.classloader.SinglePathClassProvider.check(SinglePathClassProvider.java:444)
         at
com.ibm.ws.classloader.SinglePathClassProvider.checkURL(SinglePathClassProvider.java:431)
         at
com.ibm.ws.classloader.SinglePathClassProvider.getResource(SinglePathClassProvider.java:423)
         at
com.ibm.ws.classloader.SinglePathClassProvider.getResourceAsStream(SinglePathClassProvider.java:458)
         at
com.ibm.ws.classloader.CompoundClassLoader.localGetResourceAsStream(CompoundClassLoader.java:926)
         at
com.ibm.ws.classloader.CompoundClassLoader.getResourceAsStream(CompoundClassLoader.java:887)
         at java.lang.Class.getResourceAsStream(Class.java:1124)
         at org.drools.util.asm.ClassFieldInspector.processClass (Unknown Source)
         at org.drools.util.asm.ClassFieldInspector.<init>(Unknown Source)
         at org.drools.base.BaseClassFieldExtractor.<init>(Unknown Source)
         at org.drools.base.au.gov.vic.dse.lx.ec.Message$getStatus .<init>(Unknown
Source)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
         at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
         at java.lang.reflect.Constructor.newInstance(Constructor.java:521)
         at org.drools.base.ClassFieldExtractorFactory.getClassFieldExtractor (Unknown
Source)
         at org.drools.base.ClassFieldExtractor.init(Unknown Source)
         at org.drools.base.ClassFieldExtractor.<init>(Unknown Source)
         at org.drools.base.ClassFieldExtractorCache.getExtractor (Unknown Source)
         at org.drools.semantics.java.RuleBuilder.getFieldExtractor(Unknown Source)
         at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
         at org.drools.semantics.java.RuleBuilder.build (Unknown Source)
         at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
         at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
         at org.drools.compiler.PackageBuilder.addRule (Unknown Source)
         at org.drools.compiler.PackageBuilder.addPackage(Unknown Source)
         at org.drools.compiler.PackageBuilder.addPackageFromDrl(Unknown Source)
         at au.gov.vic.dse.lx.ec.DroolsTest.readRule (DroolsTest.java:62)
  
 It looks to me like the drools generated Message class
(org.drools.base.au.gov.vic.dse.lx.ec.Message) is failing when it attempts to access the
application Message.class via its getStatus method. We have added
java.security.AllPermission everywhere we can think of (was.policy, app.policy,
library.policy, server.policy) and it still does not work.
  
 Has anybody got drools working in a WebSphere environment (any version) with java
security turned on?
  
 I noticed that there used to be a problem with cglib where the generated classes did not
get the same protection domain as the cglib.jar
(http://jira.atlassian.com/browse/CONF-5955 ,
http://forum.hibernate.org/viewtopic.php?p=2190363). I know we are using ASM but maybe it
also has a similar problem?
  
 thanks
 Steve 
-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

    

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[jboss-jira] [JBoss JIRA] Commented: (JBRULES-562) Security Permission problem in Websphere 6.1