[jboss-jira] [JBoss JIRA] Commented: (JBRULES-562) Security Permission problem in Websphere 6.1
Edson Tirelli (JIRA)
jira-events at jboss.com
Thu Nov 16 10:17:41 EST 2006
[ http://jira.jboss.com/jira/browse/JBRULES-562?page=comments#action_12347209 ]
Edson Tirelli commented on JBRULES-562:
---------------------------------------
Hi Michael and Edson,
I fixed the problem with the generated class files today. However I'm not sure yet whether I have broken something else.
Basically I pulled in the cglib code into ClassFieldExtractorFactory (file and patch attached).
That was all fine however I was getting a duplicate class error when running the pricing tests. So I changed ClassFieldExtractorCache to use a static cache rather than an instance. I did these changes in the middle of a meeting and then emailed the jars to a guy on my team who tested them so I wasn't really analysing the issues, just fixing them. Anyway just doing it tonight I don't get that problem so I will check again tomorrow.
cheers
Steve
+++ D:/drools-3.0.x/drools-core/src/main/java/org/drools/base/ClassFieldExtractorFactory.java (working copy)
@@ -18,6 +18,9 @@
import java.beans.IntrospectionException;
import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
import org.drools.RuntimeDroolsException;
import org.drools.asm.ClassWriter;
@@ -37,14 +40,40 @@
public class ClassFieldExtractorFactory {
- private static final String GETTER = "get";
+ private static final String GETTER = "get";
- private static final String BOOLEAN_GETTER = "is";
+ private static final String BOOLEAN_GETTER = "is";
- private static final String BASE_PACKAGE = "org/drools/base";
+ private static final String BASE_PACKAGE = "org/drools/base";
- private static final String BASE_EXTRACTOR = "org/drools/base/BaseClassFieldExtractor";
+ private static final String BASE_EXTRACTOR = "org/drools/base/BaseClassFieldExtractor";
+ private static Method DEFINE_CLASS;
+ private static final ProtectionDomain PROTECTION_DOMAIN;
+ static {
+ PROTECTION_DOMAIN = (ProtectionDomain) AccessController.doPrivileged( new PrivilegedAction() {
+ public Object run() {
+ return ClassFieldExtractorFactory.class.getProtectionDomain();
+ }
+ } );
+
+ AccessController.doPrivileged( new PrivilegedAction() {
+ public Object run() {
+ try {
+ Class loader = Class.forName( "java.lang.ClassLoader" ); // JVM crash w/o this
+ DEFINE_CLASS = loader.getDeclaredMethod( "defineClass",
+ new Class[]{String.class, byte[].class, Integer.TYPE, Integer.TYPE, ProtectionDomain.class} );
+ DEFINE_CLASS.setAccessible( true );
+ } catch ( ClassNotFoundException e ) {
+ throw new RuntimeDroolsException( e );
+ } catch ( NoSuchMethodException e ) {
+ throw new RuntimeDroolsException( e );
+ }
+ return null;
+ }
+ } );
+ }
+
public static BaseClassFieldExtractor getClassFieldExtractor(final Class clazz,
final String fieldName) {
try {
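Review bot: In the second doPrivileged block of the static initializer, DEFINE_CLASS.setAccessible( true ) can throw SecurityException when the policy does not grant ReflectPermission "suppressAccessChecks", and only ClassNotFoundException and NoSuchMethodException are caught, so the failure surfaces as an ExceptionInInitializerError on first use of the factory. Catch it and rethrow as RuntimeDroolsException with a message naming the missing permission, and document that permission as a deployment requirement. DEFINE_CLASS is also a non-final static assigned from inside the anonymous class; returning the Method from run() and assigning it once would let it be final like PROTECTION_DOMAIN. The "JVM crash w/o this" comment on Class.forName needs an explanation or an issue reference.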
@@ -64,13 +93,17 @@
clazz.isInterface() );
// use bytes to get a class
ClassLoader parent = Thread.currentThread().getContextClassLoader();
- if( parent == null ) {
+ if ( parent == null ) {
parent = ClassFieldExtractorFactory.class.getClassLoader();
}
- final ByteArrayClassLoader classLoader = new ByteArrayClassLoader( parent );
- final Class newClass = classLoader.defineClass( className.replace( '/',
- '.' ),
- bytes );
+ // final ByteArrayClassLoader classLoader = new ByteArrayClassLoader( parent );
+ // final Class newClass = classLoader.defineClass( className.replace( '/',
+ // '.' ),
+ // bytes );
+ final Class newClass = defineClass( className.replace( '/',
+ '.' ),
+ bytes,
+ parent );
// instantiating target class
final Object[] params = {clazz, fieldName};
return (BaseClassFieldExtractor) newClass.getConstructors()[0].newInstance( params );
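Review bot: The class is now defined directly in parent (the context class loader) instead of a fresh ByteArrayClassLoader, so a second request for the same className against the same loader will fail with a duplicate class definition, and generated extractors can no longer be unloaded separately from the application loader. Check for an already-defined class before calling defineClass, or keep a child loader and give it PROTECTION_DOMAIN. The four commented-out lines should be deleted rather than left in place.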
@@ -79,6 +112,14 @@
}
}
+ public static Class defineClass(String className,
+ byte[] b,
+ ClassLoader loader) throws Exception {
+ Object[] args = new Object[]{className, b, new Integer( 0 ), new Integer( b.length ), PROTECTION_DOMAIN};
+ return (Class) DEFINE_CLASS.invoke( loader,
+ args );
+ }
+
private static byte[] dump(final String originalClassName,
final String className,
final String getterName,
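Review bot: defineClass is declared public static, which lets any code that can reach ClassFieldExtractorFactory define arbitrary bytes in any ClassLoader under PROTECTION_DOMAIN through the accessible DEFINE_CLASS method. Make it private, since the only caller shown is getClassFieldExtractor. It also declares throws Exception, so a failure inside ClassLoader.defineClass arrives wrapped in InvocationTargetException; unwrap the cause so callers see the real error.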
@@ -209,7 +250,7 @@
2 );
mv.visitEnd();
} else {
- String typeNotation = fieldType.isArray() ? typeName : "L"+typeName+";";
+ String typeNotation = fieldType.isArray() ? typeName : "L" + typeName + ";";
mv = cw.visitMethod( Opcodes.ACC_PUBLIC,
"getValue",
"(Ljava/lang/Object;)Ljava/lang/Object;",
> Security Permission problem in Websphere 6.1
> --------------------------------------------
>
> Key: JBRULES-562
> URL: http://jira.jboss.com/jira/browse/JBRULES-562
> Project: JBoss Rules
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Reteoo
> Affects Versions: 3.0.4
> Reporter: Edson Tirelli
> Assigned To: Edson Tirelli
> Fix For: 3.0.5
>
>
> FROM STEVE'S EMAIL:
> ----------------------
> Hi all,
> We are using WebSphere 6.1 with java security switched on and get the following error when we attempt to run drools:
> Permission:
> \D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class : Access denied ( java.io.FilePermission \D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class read)
> Code:
> org.drools.base.au.gov.vic.dse.lx.ec.Message$getStatus in {null code URL}
> Stack Trace:
> java.security.AccessControlException : Access denied (java.io.FilePermission \D:\WS_STAGE2\ec_ejb\bin\au\gov\vic\dse\lx\ec\Message.class read)
> at java.security.AccessController.checkPermission(AccessController.java:104)
> at java.lang.SecurityManager.checkPermission (SecurityManager.java:547)
> at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
> at com.ibm.ws.classloader.SinglePathClassProvider.check(SinglePathClassProvider.java:444)
> at com.ibm.ws.classloader.SinglePathClassProvider.checkURL(SinglePathClassProvider.java:431)
> at com.ibm.ws.classloader.SinglePathClassProvider.getResource(SinglePathClassProvider.java:423)
> at com.ibm.ws.classloader.SinglePathClassProvider.getResourceAsStream(SinglePathClassProvider.java:458)
> at com.ibm.ws.classloader.CompoundClassLoader.localGetResourceAsStream(CompoundClassLoader.java:926)
> at com.ibm.ws.classloader.CompoundClassLoader.getResourceAsStream(CompoundClassLoader.java:887)
> at java.lang.Class.getResourceAsStream(Class.java:1124)
> at org.drools.util.asm.ClassFieldInspector.processClass (Unknown Source)
> at org.drools.util.asm.ClassFieldInspector.<init>(Unknown Source)
> at org.drools.base.BaseClassFieldExtractor.<init>(Unknown Source)
> at org.drools.base.au.gov.vic.dse.lx.ec.Message$getStatus .<init>(Unknown Source)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:521)
> at org.drools.base.ClassFieldExtractorFactory.getClassFieldExtractor (Unknown Source)
> at org.drools.base.ClassFieldExtractor.init(Unknown Source)
> at org.drools.base.ClassFieldExtractor.<init>(Unknown Source)
> at org.drools.base.ClassFieldExtractorCache.getExtractor (Unknown Source)
> at org.drools.semantics.java.RuleBuilder.getFieldExtractor(Unknown Source)
> at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
> at org.drools.semantics.java.RuleBuilder.build (Unknown Source)
> at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
> at org.drools.semantics.java.RuleBuilder.build(Unknown Source)
> at org.drools.compiler.PackageBuilder.addRule (Unknown Source)
> at org.drools.compiler.PackageBuilder.addPackage(Unknown Source)
> at org.drools.compiler.PackageBuilder.addPackageFromDrl(Unknown Source)
> at au.gov.vic.dse.lx.ec.DroolsTest.readRule (DroolsTest.java:62)
>
> It looks to me like the drools generated Message class (org.drools.base.au.gov.vic.dse.lx.ec.Message) is failing when it attempts to access the application Message.class via its getStatus method. We have added java.security.AllPermission everywhere we can think of (was.policy, app.policy, library.policy, server.policy) and it still does not work.
>
> Has anybody got drools working in a WebSphere environment (any version) with java security turned on?
>
> I noticed that there used to be a problem with cglib where the generated classes did not get the same protection domain as the cglib.jar (http://jira.atlassian.com/browse/CONF-5955 , http://forum.hibernate.org/viewtopic.php?p=2190363). I know we are using ASM but maybe it also has a similar problem?
>
> thanks
> Steve
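
The "{null code URL}" in the report above can be reproduced outside WebSphere. The following is an added example, not code from Drools or from the attached patch; ProtectionDomainDemo, Generated and ByteLoader are hypothetical names. It defines the same class bytes twice, once without a ProtectionDomain and once with the defining code's own domain, using the protected five-argument defineClass from a ClassLoader subclass so no reflection is needed.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Stand-in for a class generated at runtime (hypothetical, not a Drools class).
class Generated { }

public class ProtectionDomainDemo {

    // Child loader that defines a class from raw bytes, optionally with a domain.
    static class ByteLoader extends ClassLoader {
        ByteLoader(ClassLoader parent) { super(parent); }

        Class<?> define(String name, byte[] b, ProtectionDomain pd) {
            // Without a domain the JVM assigns a default one whose CodeSource has no location.
            return pd == null ? defineClass(name, b, 0, b.length)
                              : defineClass(name, b, 0, b.length, pd);
        }
    }

    // Code location the security policy would match grants against, or null.
    static URL location(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? null : cs.getLocation();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader parent = ProtectionDomainDemo.class.getClassLoader();
        String name = Generated.class.getName();
        byte[] bytes;
        try (InputStream in = parent.getResourceAsStream(name.replace('.', '/') + ".class")) {
            if (in == null) throw new IllegalStateException("compile with javac first");
            bytes = in.readAllBytes();
        }
        ProtectionDomain own = ProtectionDomainDemo.class.getProtectionDomain();

        // A fresh loader per definition avoids a duplicate definition of the same name.
        Class<?> bare = new ByteLoader(parent).define(name, bytes, null);
        Class<?> inherited = new ByteLoader(parent).define(name, bytes, own);

        System.out.println("no domain passed : " + location(bare));
        System.out.println("own domain passed: " + location(inherited));
    }
}
```

Policy grants keyed on a codeBase only reach the second class, because the first has no code location to match.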