[ http://jira.jboss.com/jira/browse/JASSIST-23?page=comments#action_12340731 ]
Renat Zubairov commented on JASSIST-23:
---------------------------------------
I'm in my office today, therefore here are the details of what I've found:
1. The problem-causing method in my case is the method public Class toClass(CtClass ct,
ClassLoader loader) in the ClassPool class; I think it is worth creating another method with
a similar signature but with a protection domain as an additional parameter. In the attachments
you can find a fixed version of the ClassPool class with the additional method public Class
toClass(CtClass ct, ClassLoader loader, ProtectionDomain protectionDomain); I've
updated the old method and the javadoc of both of them.
2. Potentially unsafe methods are also used in the following places:
a. Loader class - in the method Class findClass(String name) - there the class is loaded
without a ProtectionDomain association
b. util.proxy.FactoryHelper in the method public static Class toClass(ClassFile cf,
ClassLoader loader) - the same usage as in ClassPool; I don't understand why a similar
method is needed there
c. tools.web.Viewer in the method Class findClass(String name) - probably a minor utility,
but still.
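The two code paths the comment contrasts can be shown without Javassist at all, at the level of ClassLoader.defineClass, which is where any bytecode generator ultimately hands its classes to the JVM. The following is an added example, not code from the issue, from the attached ClassPool.java or from Javassist: DomainAwareLoader, ProtectionDomainDemo and the marker class Generated are constructed for the demonstration. It defines the same bytes twice, once with the four-argument defineClass (the pattern the report criticises) and once passing the host class's ProtectionDomain (the overload the comment proposes adding to ClassPool.toClass), and prints the CodeSource each copy ends up with.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.ProtectionDomain;

// Marker class whose compiled bytes stand in for a generated proxy class.
// Constructed for this example; javac emits it as Generated.class next to the demo.
class Generated {
    public String hello() {
        return "hello from " + getClass().getName();
    }
}

public class ProtectionDomainDemo {

    /**
     * Loader mirroring the two paths discussed in the comment: defining generated
     * bytecode without a ProtectionDomain (the reported defect) and with one
     * supplied by the caller (the proposed fix). Hypothetical, not a Javassist class.
     */
    static final class DomainAwareLoader extends ClassLoader {
        DomainAwareLoader(ClassLoader parent) {
            super(parent);
        }

        // Pattern the report criticises: the class gets the loader's default domain,
        // whose CodeSource has a null location, so a policy grant keyed on a JAR's
        // codeBase cannot match it.
        Class<?> defineWithoutDomain(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }

        // Proposed fix: propagate the ProtectionDomain of the code on whose behalf the
        // bytecode was generated, so grants for that code location apply to the proxy too.
        Class<?> defineWithDomain(String name, byte[] bytes, ProtectionDomain domain) {
            return defineClass(name, bytes, 0, bytes.length, domain);
        }
    }

    /** Reads the .class bytes of an already-compiled class from the classpath. */
    static byte[] readClassBytes(Class<?> c) throws IOException {
        String resource = c.getSimpleName() + ".class";
        try (InputStream in = c.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("resource not found: " + resource);
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = readClassBytes(Generated.class);

        // Domain the generated class should inherit: that of the "host" code (this demo
        // class here, standing in for the HiveMind service the proxy is generated for).
        ProtectionDomain hostDomain = ProtectionDomainDemo.class.getProtectionDomain();

        // A null parent makes each loader define the name "Generated" fresh instead of
        // delegating to the copy the application loader already has.
        Class<?> unassociated = new DomainAwareLoader(null).defineWithoutDomain("Generated", bytes);
        Class<?> associated = new DomainAwareLoader(null).defineWithDomain("Generated", bytes, hostDomain);

        System.out.println("without domain, code location: "
                + unassociated.getProtectionDomain().getCodeSource().getLocation());
        System.out.println("with domain,    code location: "
                + associated.getProtectionDomain().getCodeSource().getLocation());
        System.out.println("same domain object as host: "
                + (associated.getProtectionDomain() == hostDomain));
    }
}
```

Compile with javac ProtectionDomainDemo.java and run java ProtectionDomainDemo: the first line reports a null location for the class defined without a domain, the second reports the host class's file: location, and the third prints true. Under a security policy this is exactly the difference between a proxy that can be granted permissions by codeBase and one that cannot, which is why the comment asks for the ProtectionDomain to be threaded through every defineClass call in ClassPool, Loader, FactoryHelper and Viewer rather than only one of them.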
Java 2 Security ProtectionDomain is not associated with newly generated classes
------------------------------------------------------------------------------
Key: JASSIST-23
URL: http://jira.jboss.com/jira/browse/JASSIST-23
Project: Javassist
Issue Type: Bug
Environment: IBM WebSphere 5.1 with J2EE Security ON, Javassist 3.0, Tapestry 4.1, HiveMind 1.1.1
Reporter: Renat Zubairov
Assigned To: Shigeru Chiba
Priority: Blocker
Attachments: ClassPool.java, exception.txt
Original Estimate: 3 hours
Remaining Estimate: 3 hours
Classes that are generated using Javassist have no associated protection domain, therefore
it is not possible for the JVM to assign permissions based on the static JAR file names. This
is a severe problem because it is not possible to grant permissions, hence all permissions
are forbidden, and since then nothing works.
Javassist is used by HiveMind to generate proxy classes for its services, and as the
stack trace (in the attachment) shows, the generated classes can't be associated with any
ProtectionDomain, therefore
_any Javassist-supported application is impossible to start under strict security in
Java_.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira