[jboss-dev-forums] [Design of POJO Server] - Re: VFS Permissions - JBMICROCONT-149

adrian@jboss.org do-not-reply at jboss.com
Thu Nov 6 14:23:08 EST 2008


"adrian at jboss.org" wrote : 
  | An alternative solution is to change the way the VFSClassLoaderPolicy determines
  | the code source. i.e. instead of returning the vfs url we could hack it to return
  | a normal url.
  | 
  | ...
  | 
  | An alternative solution would be to allow you to specify the codeSourceURL to use
  | for the classloader as a parameter when you create it.
  | 

I just tried a third alternative which is to delay the installation of the policy and
security manager and make it run in a new security.xml bootstrap file.

This does work. I've committed it; obviously I haven't enabled it by default,
so committing it isn't a problem. :-)

To enable it, change conf/bootstrap.xml:

  |    <url>classloader.xml</url>
  | +   <url>security.xml</url>
  |    <url>aop.xml</url>
  | 

But there are some issues that need resolving.

1) POLICY FILE

You need to create a proper security policy file. The one I added
in server/xxx/conf/java.policy gives everybody all permissions.

I got as far as this:


  | grant codebase "file:/home/ejort/development/jboss-head/build/output/jboss-5.0.0.GA/bin/run.jar" {
  |         permission java.security.AllPermission;
  | };
  | 
  | grant codebase "file:/home/ejort/development/jboss-head/build/output/jboss-5.0.0.GA/lib/-" {
  |         permission java.security.AllPermission;
  | };
  | 
  | grant codebase "vfszip:/home/ejort/development/jboss-head/build/output/jboss-5.0.0.GA/lib/-" {
  |         permission java.security.AllPermission;
  | };
  | 

But there's other code in deployers and deploy that needs to have
the AllPermission. The default policy also needs defining to have
sensible rights.

2) The above shows an annoying feature.
We access things in JBOSS_HOME/lib using both the file: and vfszip urls
depending on whether the jars are loaded by the NoAnnotationURLClassLoader
or a VFSClassLoaderPolicy.

3) I could change the file: urls above to use the system properties,
but not the vfszip url. We don't have system properties for the vfs versions
of the urls.

4) There's some issue at shutdown where I try to uninstall the security manager
that I haven't investigated.


  | 19:37:51,453 WARN  [StartStopLifecycleAction] Error during stop for SecurityPolicy
  | java.security.AccessControlException: access denied (java.lang.RuntimePermission setSecurityManager)
  |         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
  |         at java.security.AccessController.checkPermission(AccessController.java:427)
  |         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
  |         at java.lang.System.setSecurityManager0(System.java:253)
  |         at java.lang.System.setSecurityManager(System.java:245)
  |         at org.jboss.system.server.security.SecurityPolicy.stop(SecurityPolicy.java:97)
  | 

I guess the shutdown hooks run with different rights so it needs to be a
privileged block?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4187495#4187495
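
A small policy-file check for issues 1 and 2 above, as an added example that is not part of the original post or of the JBoss code base: it flags AllPermission grants that have no codebase, and directory codebases granted AllPermission under only one of the file: and vfszip: schemes. The /JBOSS_HOME placeholder, the deployers grant and the function names are constructed for illustration, and restricting the scheme check to directory codebases is a heuristic assumption.

```python
import re

ALL = "java.security.AllPermission"
GRANT_RE = re.compile(r'\bgrant\b([^{]*)\{(.*?)\}\s*;', re.S | re.I)
CODEBASE_RE = re.compile(r'codebase\s+"([^"]+)"', re.I)
PERM_RE = re.compile(r'permission\s+([\w.$]+)')

# Constructed sample: the post's three grants with the absolute path replaced by
# /JBOSS_HOME, plus a codebase-less grant and a hypothetical file:-only grant.
SAMPLE_POLICY = '''
grant {
        permission java.security.AllPermission;
};
grant codebase "file:/JBOSS_HOME/bin/run.jar" {
        permission java.security.AllPermission;
};
grant codebase "file:/JBOSS_HOME/lib/-" {
        permission java.security.AllPermission;
};
grant codebase "vfszip:/JBOSS_HOME/lib/-" {
        permission java.security.AllPermission;
};
grant codebase "file:/JBOSS_HOME/server/xxx/deployers/-" {
        permission java.security.AllPermission;
};
'''

def parse_grants(text):
    """Return (codebase or None, [permission classes]) for each grant entry."""
    # Simplified: comments and signedBy/principal clauses are not interpreted.
    out = []
    for header, body in GRANT_RE.findall(text):
        m = CODEBASE_RE.search(header)
        out.append((m.group(1) if m else None, PERM_RE.findall(body)))
    return out

def lint(text):
    """Flag blanket AllPermission and directories trusted under one scheme only."""
    findings, schemes_by_path = [], {}
    for codebase, perms in parse_grants(text):
        if ALL in perms and codebase is None:    # no codebase: applies to all code
            findings.append(("blanket-all", None))
        elif ALL in perms:
            scheme, _, path = codebase.partition(":")
            schemes_by_path.setdefault(path, set()).add(scheme)
    for path, schemes in sorted(schemes_by_path.items()):
        if path.endswith(("/-", "/*")):          # heuristic: directory codebases only
            for missing in sorted({"file", "vfszip"} - schemes):
                findings.append(("missing-" + missing, path))
    return findings
```

Calling `lint(SAMPLE_POLICY)` reports the codebase-less grant and the deployers directory that has a file: grant but no vfszip: counterpart.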
