[jboss-jira] [JBoss JIRA] Updated: (JBRULES-760) Security problem in WebSphere with PackageCompilationData classloader

Carey Evans (JIRA) jira-events at lists.jboss.org
Fri Mar 30 00:04:12 EDT 2007


     [ http://jira.jboss.com/jira/browse/JBRULES-760?page=all ]

Carey Evans updated JBRULES-760:
--------------------------------

    Attachment: jbrules-760.diff
                PackageCompilationDataTest.java

Attached a diff from Subversion for the fix, and an inelegant JUnit test.

> Security problem in WebSphere with PackageCompilationData classloader
> ---------------------------------------------------------------------
>
>                 Key: JBRULES-760
>                 URL: http://jira.jboss.com/jira/browse/JBRULES-760
>             Project: JBoss Rules
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Reteoo
>    Affects Versions: 3.0.6
>         Environment: WebSphere Application Server 6.0.2.17 Express with IBM JDK 1.4.2 SR5 on Windows Server 2003
>            Reporter: Carey Evans
>         Assigned To: Mark Proctor
>         Attachments: jbrules-760.diff, PackageCompilationDataTest.java
>
>
> This problem is very similar to JBRULES-562, but affects classes loaded by org.drools.rule.PackageCompilationData.PackageClassLoader rather than org.drools.base.ClassFieldExtractorFactory. The symptoms are the same:
> [29/03/07 16:18:44:279 NZST] 00000034 SecurityManag W   SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information.
> Permission:
>       accessDeclaredMembers : access denied (java.lang.RuntimePermission accessDeclaredMembers)
> Code:
>      BrowseCatalog.Rule_Bad_Rule_0  in  {null code URL}
> Stack Trace:
> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
> [...]
> 	at java.lang.Class.getDeclaredConstructor(Class.java(Compiled Code))
> 	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:60)
> [...]
> 	at com.elasticpath.domain.rules.impl.PromotionRuleDelegateImpl.isFirstTimeBuyer(PromotionRuleDelegateImpl.java:975)
> 	at BrowseCatalog.Rule_Bad_Rule_0.eval1(Rule_Bad_Rule_0.java:16)
> 	at BrowseCatalog.Rule_Bad_Rule_0Eval1Invoker.evaluate(Rule_Bad_Rule_0Eval1Invoker.java:20)
> 	at org.drools.rule.EvalCondition.isAllowed(Unknown Source)
> [...]
> Code Base Location:
> [...]
> BrowseCatalog.Rule_Bad_Rule_0 : null code URL
>   ClassLoader: org.drools.rule.PackageCompilationData$PackageClassLoader
>   Permissions granted to CodeSource (null <no certificates>)
>   {
>   }
> BrowseCatalog.Rule_Bad_Rule_0Eval1Invoker : null code URL
>   ClassLoader: org.drools.rule.PackageCompilationData$PackageClassLoader
>   Permissions granted to CodeSource (null <no certificates>)
>   {
>   }
> I've made the same change to PackageCompilationData as was made to ClassFieldExtractorFactory, which has fixed the problem:
> --- drools-core/src/main/java/org/drools/rule/PackageCompilationData.java	(revision 10605)
> +++ drools-core/src/main/java/org/drools/rule/PackageCompilationData.java	(working copy)
> @@ -24,6 +24,9 @@
>  import java.io.ObjectInput;
>  import java.io.ObjectOutput;
>  import java.io.ObjectOutputStream;
> +import java.security.AccessController;
> +import java.security.PrivilegedAction;
> +import java.security.ProtectionDomain;
>  import java.util.ArrayList;
>  import java.util.HashMap;
>  import java.util.Iterator;
> @@ -47,6 +50,16 @@
>       */
>      private static final long            serialVersionUID = -4351259299237235523L;
>  
> +    private static final ProtectionDomain PROTECTION_DOMAIN;
> +
> +    static {
> +        PROTECTION_DOMAIN = (ProtectionDomain) AccessController.doPrivileged( new PrivilegedAction() {
> +            public Object run() {
> +                return PackageCompilationData.class.getProtectionDomain();
> +            }
> +        } );
> +    }
> +
>      private Map                          invokerLookups   = new HashMap();
>  
>      private Object                       AST;
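Review bot: the new PROTECTION_DOMAIN field in this hunk carries no comment saying why it exists; a short Javadoc noting that compiled rule classes are deliberately defined under drools-core's own ProtectionDomain, so that they receive the library's CodeSource permissions under a Java 2 SecurityManager (the WebSphere SECJ0314W denial quoted above), would keep a later cleanup from dropping the doPrivileged wrapper. That wrapper is not decorative: Class.getProtectionDomain() itself requires RuntimePermission("getProtectionDomain") when a SecurityManager is installed, and running it inside AccessController.doPrivileged lets the lookup succeed regardless of which less-privileged caller frames are on the stack when the class initialises.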
> @@ -280,7 +293,8 @@
>                      return defineClass( name,
>                                          clazzBytes,
>                                          0,
> -                                        clazzBytes.length );
> +                                        clazzBytes.length,
> +                                        PROTECTION_DOMAIN );
>                  }
>              }
>  
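Review bot: passing PROTECTION_DOMAIN to defineClass means every class compiled from rule source now runs with the full permission set granted to the drools-core CodeSource, instead of the empty set the report shows for `null code URL`; that resolves the accessDeclaredMembers denial, but it also makes the policy grant for drools-core the effective bound on what generated rule code may do, so deployments that compile rules from less-trusted sources should keep that grant as narrow as the engine needs. A one-line comment at the call site would make that intent clear, and it is worth checking that PackageClassLoader has no other defineClass call still on the four-argument overload, since only this one is visible in the hunk.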

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
