[
https://jira.jboss.org/jira/browse/WELD-32?page=com.atlassian.jira.plugin...
]
Pete Muir commented on WELD-32:
-------------------------------
Nik, patch looks good, but clearly we need to deal with the prevention of misuse first
:-)
I'm still concerned that this approach can leak permissions - we need to get Anil to
review too.
Web Beans App Throws Exception In GlassFish v3 with Secutiry Mgr
Enabled.
-------------------------------------------------------------------------
Key: WELD-32
URL:
https://jira.jboss.org/jira/browse/WELD-32
Project: Weld
Issue Type: Bug
Components: GlassFish Integration
Affects Versions: 1.0.0.CR1
Environment: MACOS X, GlassFish v3
Reporter: Roger Kitain
Assignee: Nicklas Karlsson
Fix For: 1.0.1.CR1
Attachments: Reflections.txt, Reflections.txt, securereflection.patch
GlassFish v3 started with Security Mgr enabled.
Web Beans numberguess app deploys fine. But upon visiting the first page of the app:
1.
Aug 4, 2009 11:24:04 AM com.sun.enterprise.security.provider.BasePolicyWrapper$2
run
2.
INFO: JACC Policy Provider: Failed Permission Check,
context(webbeans-numberguess-jsf2/webbeans-numberguess-jsf2)-
permission((java.lang.reflect.ReflectPermission suppressAccessChecks))
3.
Aug 4, 2009 11:24:04 AM com.sun.faces.application.view.FaceletViewHandlingStrategy
handleRenderException
4.
SEVERE: Error Rendering View[/home.xhtml]
5.
javax.el.ELException: /home.xhtml @13,117 rendered="#{game.number gt
game.guess and game.guess ne 0}": java.security.AccessControlException: access denied
(java.lang.reflect.ReflectPermission suppressAccessChecks)
6.
at
com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:107)
7.
at
javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:190)
8.
at
javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:414)
9.
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1604)
10.
at javax.faces.render.Renderer.encodeChildren(Renderer.java:168)
11.
at
javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:846)
12.
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1610)
13.
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1613)
14.
at
com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:280)
15.
at
com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:126)
16.
at
com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:127)
17.
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97)
18.
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
19.
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:311)
20.
at sun.reflect.GeneratedMethodAccessor160.invoke(Unknown Source)
21.
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
22.
at java.lang.reflect.Method.invoke(Method.java:597)
23.
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
24.
at java.security.AccessController.doPrivileged(Native Method)
25.
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
26.
at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
27.
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
28.
at
org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1498)
29.
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
30.
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
31.
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
32.
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
33.
at
com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
34.
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
35.
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
36.
at
org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:338)
37.
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:237)
38.
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:202)
39.
at
com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:752)
40.
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:660)
41.
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:911)
42.
at
com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:164)
43.
at
com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
44.
at
com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
45.
at
com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
46.
at
com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
47.
at
com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
48.
at
com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
49.
at com.sun.grizzly.NIOContext.execute(NIOContext.java:510)
50.
at
com.sun.grizzly.SelectorHandlerRunner.handleSelectedKey(SelectorHandlerRunner.java:357)
51.
at
com.sun.grizzly.SelectorHandlerRunner.handleSelectedKeys(SelectorHandlerRunner.java:257)
52.
at
com.sun.grizzly.SelectorHandlerRunner.doSelect(SelectorHandlerRunner.java:194)
53.
at
com.sun.grizzly.SelectorHandlerRunner.run(SelectorHandlerRunner.java:129)
54.
at
com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
55.
at
com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
56.
at java.lang.Thread.run(Thread.java:637)
57.
Caused by: java.security.AccessControlException: access denied
(java.lang.reflect.ReflectPermission suppressAccessChecks)
58.
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
59.
at
java.security.AccessController.checkPermission(AccessController.java:546)
60.
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
61.
at
java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
62.
at org.jboss.webbeans.util.Reflections.lookupMethod(Reflections.java:536)
63.
at org.jboss.webbeans.util.Reflections.lookupMethod(Reflections.java:513)
64.
at
org.jboss.webbeans.introspector.jlr.WBMethodImpl.invokeOnInstance(WBMethodImpl.java:196)
65.
at
org.jboss.webbeans.injection.MethodInjectionPoint.invokeOnInstance(MethodInjectionPoint.java:143)
66.
at
org.jboss.webbeans.bean.ProducerMethodBean.produceInstance(ProducerMethodBean.java:84)
67.
at
org.jboss.webbeans.bean.AbstractProducerBean.create(AbstractProducerBean.java:341)
68.
at
org.jboss.webbeans.context.DependentContext.get(DependentContext.java:82)
69.
at
org.jboss.webbeans.BeanManagerImpl.getReference(BeanManagerImpl.java:915)
70.
at
org.jboss.webbeans.BeanManagerImpl.getInjectableReference(BeanManagerImpl.java:953)
71.
at
org.jboss.webbeans.injection.FieldInjectionPoint.inject(FieldInjectionPoint.java:74)
72.
at
org.jboss.webbeans.bean.AbstractClassBean.injectBoundFields(AbstractClassBean.java:217)
73.
at org.jboss.webbeans.bean.SimpleBean.create(SimpleBean.java:121)
74.
at
org.jboss.webbeans.context.AbstractMapContext.get(AbstractMapContext.java:97)
75.
at
org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.getProxiedInstance(ClientProxyMethodHandler.java:127)
76.
at
org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.invoke(ClientProxyMethodHandler.java:96)
77.
at
org.jboss.webbeans.examples.numberguess.Game_$$_javassist_5.getNumber(Game_$$_javassist_5.java)
78.
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
79.
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
80.
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
81.
at java.lang.reflect.Method.invoke(Method.java:597)
82.
at javax.el.BeanELResolver.getValue(BeanELResolver.java:302)
83.
at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:175)
84.
at
com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72)
85.
at com.sun.el.parser.AstValue.getValue(AstValue.java:116)
86.
at com.sun.el.parser.AstValue.getValue(AstValue.java:163)
87.
at com.sun.el.parser.AstGreaterThan.getValue(AstGreaterThan.java:54)
88.
at com.sun.el.parser.AstAnd.getValue(AstAnd.java:54)
89.
at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:219)
90.
at
com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:102)
91.
... 50 more
92.
Aug 4, 2009 11:24:04 AM org.apache.catalina.core.StandardWrapperValve log
93.
WARNING: StandardWrapperValve[Faces Servlet]: PWC1406: Servlet.service() for
servlet Faces Servlet threw exception
94.
java.security.AccessControlException: access denied
(java.lang.reflect.ReflectPermission suppressAccessChecks)
95.
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
96.
at
java.security.AccessController.checkPermission(AccessController.java:546)
97.
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
98.
at
java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
99.
at org.jboss.webbeans.util.Reflections.lookupMethod(Reflections.java:536)
100.
at org.jboss.webbeans.util.Reflections.lookupMethod(Reflections.java:513)
101.
at
org.jboss.webbeans.introspector.jlr.WBMethodImpl.invokeOnInstance(WBMethodImpl.java:196)
102.
at
org.jboss.webbeans.injection.MethodInjectionPoint.invokeOnInstance(MethodInjectionPoint.java:143)
103.
at
org.jboss.webbeans.bean.ProducerMethodBean.produceInstance(ProducerMethodBean.java:84)
104.
at
org.jboss.webbeans.bean.AbstractProducerBean.create(AbstractProducerBean.java:341)
105.
at
org.jboss.webbeans.context.DependentContext.get(DependentContext.java:82)
106.
at
org.jboss.webbeans.BeanManagerImpl.getReference(BeanManagerImpl.java:915)
107.
at
org.jboss.webbeans.BeanManagerImpl.getInjectableReference(BeanManagerImpl.java:953)
108.
at
org.jboss.webbeans.injection.FieldInjectionPoint.inject(FieldInjectionPoint.java:74)
109.
at
org.jboss.webbeans.bean.AbstractClassBean.injectBoundFields(AbstractClassBean.java:217)
110.
at org.jboss.webbeans.bean.SimpleBean.create(SimpleBean.java:121)
111.
at
org.jboss.webbeans.context.AbstractMapContext.get(AbstractMapContext.java:97)
112.
at
org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.getProxiedInstance(ClientProxyMethodHandler.java:127)
113.
at
org.jboss.webbeans.bean.proxy.ClientProxyMethodHandler.invoke(ClientProxyMethodHandler.java:96)
114.
at
org.jboss.webbeans.examples.numberguess.Game_$$_javassist_5.getNumber(Game_$$_javassist_5.java)
115.
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
116.
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
117.
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
118.
at java.lang.reflect.Method.invoke(Method.java:597)
119.
at javax.el.BeanELResolver.getValue(BeanELResolver.java:302)
120.
at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:175)
121.
at
com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72)
122.
at com.sun.el.parser.AstValue.getValue(AstValue.java:116)
123.
at com.sun.el.parser.AstValue.getValue(AstValue.java:163)
124.
at com.sun.el.parser.AstGreaterThan.getValue(AstGreaterThan.java:54)
125.
at com.sun.el.parser.AstAnd.getValue(AstAnd.java:54)
126.
at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:219)
127.
at
com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:102)
128.
at
javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:190)
129.
at
javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:414)
130.
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1604)
131.
at javax.faces.render.Renderer.encodeChildren(Renderer.java:168)
132.
at
javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:846)
133.
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1610)
134.
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1613)
135.
at
com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:280)
136.
at
com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:126)
137.
at
com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:127)
138.
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:97)
139.
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
140.
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:311)
141.
at sun.reflect.GeneratedMethodAccessor160.invoke(Unknown Source)
142.
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
143.
at java.lang.reflect.Method.invoke(Method.java:597)
144.
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
145.
at java.security.AccessController.doPrivileged(Native Method)
146.
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
147.
at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
148.
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
149.
at
org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1498)
150.
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
151.
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
152.
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
153.
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
154.
at
com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
155.
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
156.
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
157.
at
org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:338)
158.
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:237)
159.
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:202)
160.
at
com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:752)
161.
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:660)
162.
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:911)
163.
at
com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:164)
164.
at
com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
165.
at
com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
166.
at
com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
167.
at
com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
168.
at
com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
169.
at
com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
170.
at com.sun.grizzly.NIOContext.execute(NIOContext.java:510)
171.
at
com.sun.grizzly.SelectorHandlerRunner.handleSelectedKey(SelectorHandlerRunner.java:357)
172.
at
com.sun.grizzly.SelectorHandlerRunner.handleSelectedKeys(SelectorHandlerRunner.java:257)
173.
at
com.sun.grizzly.SelectorHandlerRunner.doSelect(SelectorHandlerRunner.java:194)
174.
at
com.sun.grizzly.SelectorHandlerRunner.run(SelectorHandlerRunner.java:129)
175.
at
com.sun.grizzly.util.FixedThreadPool$BasicWorker.dowork(FixedThreadPool.java:379)
176.
at
com.sun.grizzly.util.FixedThreadPool$BasicWorker.run(FixedThreadPool.java:360)
177.
at java.lang.Thread.run(Thread.java:637)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira