Ivo Studensky updated JBTM-2577:
--------------------------------
Status: Pull Request Sent (was: Open)
CDR Input/Output streams need
SerializablePermission("enableSubclassImplementation") when Security Manager is
in force
----------------------------------------------------------------------------------------------------------------------
Key: JBTM-2577
URL:
https://issues.jboss.org/browse/JBTM-2577
Project: JBoss Transaction Manager
Issue Type: Bug
Components: JTS
Affects Versions: 5.2.8.Final
Reporter: Ivo Studensky
Assignee: Ivo Studensky
Since JDK 7u25, the {{org.omg.CORBA_2_3.portable.OutputStream}} and
{{org.omg.CORBA_2_3.portable.InputStream}} classes need an extra permission if a Security
Manager is enabled. Because of a previous vulnerability, they now check
{{SerializablePermission("enableSubclassImplementation")}} when a subclass is instantiated.
There is a property flag to allow subclass instantiations without the security check
({{jdk.corba.allowOutputStreamSubclass=true}}), but according to my findings this system
property is subject to removal in future Java releases. As a system property it also
switches the check off for the whole JVM, whereas the permission can be granted only to
the code that needs it.
At the moment, our IIOP code fails when running with the Security Manager enabled (this
can be seen in the IIOP tests of the WildFly testsuite).
See the following stack traces:
{noformat}
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
at
com.sun.corba.se.impl.encoding.WrapperInputStream.<init>(WrapperInputStream.java:74)
at com.sun.corba.se.impl.corba.TypeCodeImpl.read_value(TypeCodeImpl.java:1273)
at
com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_any(CDRInputStream_1_0.java:695)
at com.sun.corba.se.impl.encoding.CDRInputStream.read_any(CDRInputStream.java:238)
at
org.omg.CosTransactions.PropagationContextHelper.read(PropagationContextHelper.java:88)
at
com.arjuna.ArjunaOTS._ArjunaTransactionStub.get_txcontext(_ArjunaTransactionStub.java:387)
at
com.arjuna.ats.jts.orbspecific.javaidl.interceptors.interposition.InterpositionClientRequestInterceptorImpl.send_request(InterpositionClientRequestInterceptorImpl.java:223)
at
com.sun.corba.se.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:245)
at
com.sun.corba.se.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:355)
at
com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.beginRequest(CorbaClientRequestDispatcherImpl.java:293)
at
com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:137)
at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
at org.omg.CosTransactions._ResourceStub.commit_one_phase(_ResourceStub.java:94)
at
com.arjuna.ats.internal.jts.resources.ResourceRecord.topLevelOnePhaseCommit(ResourceRecord.java:537)
at
com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2361)
at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495)
- locked <0x360a> (a
com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple)
at
com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.commit(ArjunaTransactionImple.java:375)
at com.arjuna.ats.internal.jts.ControlWrapper.commit(ControlWrapper.java:244)
at com.arjuna.ats.internal.jts.orbspecific.CurrentImple.commit(CurrentImple.java:247)
at com.arjuna.ats.jts.extensions.AtomicTransaction.commit(AtomicTransaction.java:276)
at
com.arjuna.ats.internal.jta.transaction.jts.TransactionImple.commitAndDisassociate(TransactionImple.java:1313)
at
com.arjuna.ats.internal.jta.transaction.jts.BaseTransaction.commit(BaseTransaction.java:130)
at
com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
at
org.jboss.tm.usertx.client.ServerVMClientUserTransaction.commit(ServerVMClientUserTransaction.java:178)
at
org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:65)
{noformat}
{noformat}
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
at
com.sun.corba.se.impl.encoding.WrapperInputStream.<init>(WrapperInputStream.java:74)
at com.sun.corba.se.impl.corba.TypeCodeImpl.read_value(TypeCodeImpl.java:1273)
at com.sun.corba.se.impl.corba.TypeCodeImpl.copy(TypeCodeImpl.java:2018)
at com.sun.corba.se.impl.corba.TypeCodeImpl.copy(TypeCodeImpl.java:2054)
at com.sun.corba.se.impl.corba.AnyImpl.write_value(AnyImpl.java:610)
at
com.sun.corba.se.impl.interceptors.CDREncapsCodec.encodeImpl(CDREncapsCodec.java:173)
at
com.sun.corba.se.impl.interceptors.CDREncapsCodec.encode_value(CDREncapsCodec.java:119)
at
com.arjuna.ats.jts.orbspecific.javaidl.interceptors.interposition.InterpositionClientRequestInterceptorImpl.send_request(InterpositionClientRequestInterceptorImpl.java:280)
at
com.sun.corba.se.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:245)
at
com.sun.corba.se.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:355)
at
com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.beginRequest(CorbaClientRequestDispatcherImpl.java:293)
at
com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:137)
at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
at
com.arjuna.ArjunaOTS._ArjunaTransactionStub.is_top_level_transaction(_ArjunaTransactionStub.java:193)
at com.arjuna.ats.jts.OTSManager.destroyControl(OTSManager.java:133)
at
com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.destroyAction(ArjunaTransactionImple.java:2201)
at
com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.commit(ArjunaTransactionImple.java:392)
at com.arjuna.ats.internal.jts.ControlWrapper.commit(ControlWrapper.java:244)
at com.arjuna.ats.internal.jts.orbspecific.CurrentImple.commit(CurrentImple.java:247)
at com.arjuna.ats.jts.extensions.AtomicTransaction.commit(AtomicTransaction.java:276)
at
com.arjuna.ats.internal.jta.transaction.jts.TransactionImple.commitAndDisassociate(TransactionImple.java:1313)
at
com.arjuna.ats.internal.jta.transaction.jts.BaseTransaction.commit(BaseTransaction.java:130)
at
com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
at
org.jboss.tm.usertx.client.ServerVMClientUserTransaction.commit(ServerVMClientUserTransaction.java:178)
at
org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:65)
{noformat}