[jboss-jira] [JBoss JIRA] Updated: (JBRULES-760) Security problem in WebSphere with PackageCompilationData classloader
Carey Evans (JIRA)
jira-events at lists.jboss.org
Fri Mar 30 00:04:12 EDT 2007
[ http://jira.jboss.com/jira/browse/JBRULES-760?page=all ]
Carey Evans updated JBRULES-760:
--------------------------------
Attachment: jbrules-760.diff
PackageCompilationDataTest.java
Attached a diff from Subversion for the fix, and an inelegant JUnit test.
> Security problem in WebSphere with PackageCompilationData classloader
> ---------------------------------------------------------------------
>
> Key: JBRULES-760
> URL: http://jira.jboss.com/jira/browse/JBRULES-760
> Project: JBoss Rules
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Reteoo
> Affects Versions: 3.0.6
> Environment: WebSphere Application Server 6.0.2.17 Express with IBM JDK 1.4.2 SR5 on Windows Server 2003
> Reporter: Carey Evans
> Assigned To: Mark Proctor
> Attachments: jbrules-760.diff, PackageCompilationDataTest.java
>
>
> This problem is very similar to JBRULES-562, but affects classes loaded by org.drools.rule.PackageCompilationData.PackageClassLoader rather than org.drools.base.ClassFieldExtractorFactory. The symptoms are the same:
> [29/03/07 16:18:44:279 NZST] 00000034 SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to Problem Determination Guide for further information.
> Permission:
> accessDeclaredMembers : access denied (java.lang.RuntimePermission accessDeclaredMembers)
> Code:
> BrowseCatalog.Rule_Bad_Rule_0 in {null code URL}
> Stack Trace:
> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
> [...]
> at java.lang.Class.getDeclaredConstructor(Class.java(Compiled Code))
> at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:60)
> [...]
> at com.elasticpath.domain.rules.impl.PromotionRuleDelegateImpl.isFirstTimeBuyer(PromotionRuleDelegateImpl.java:975)
> at BrowseCatalog.Rule_Bad_Rule_0.eval1(Rule_Bad_Rule_0.java:16)
> at BrowseCatalog.Rule_Bad_Rule_0Eval1Invoker.evaluate(Rule_Bad_Rule_0Eval1Invoker.java:20)
> at org.drools.rule.EvalCondition.isAllowed(Unknown Source)
> [...]
> Code Base Location:
> [...]
> BrowseCatalog.Rule_Bad_Rule_0 : null code URL
> ClassLoader: org.drools.rule.PackageCompilationData$PackageClassLoader
> Permissions granted to CodeSource (null <no certificates>)
> {
> }
> BrowseCatalog.Rule_Bad_Rule_0Eval1Invoker : null code URL
> ClassLoader: org.drools.rule.PackageCompilationData$PackageClassLoader
> Permissions granted to CodeSource (null <no certificates>)
> {
> }
> I've made the same change to PackageCompilationData as was made to ClassFieldExtractorFactory, which has fixed the problem:
> --- drools-core/src/main/java/org/drools/rule/PackageCompilationData.java (revision 10605)
> +++ drools-core/src/main/java/org/drools/rule/PackageCompilationData.java (working copy)
> @@ -24,6 +24,9 @@
> import java.io.ObjectInput;
> import java.io.ObjectOutput;
> import java.io.ObjectOutputStream;
> +import java.security.AccessController;
> +import java.security.PrivilegedAction;
> +import java.security.ProtectionDomain;
> import java.util.ArrayList;
> import java.util.HashMap;
> import java.util.Iterator;
> @@ -47,6 +50,16 @@
> */
> private static final long serialVersionUID = -4351259299237235523L;
>
> + private static final ProtectionDomain PROTECTION_DOMAIN;
> +
> + static {
> + PROTECTION_DOMAIN = (ProtectionDomain) AccessController.doPrivileged( new PrivilegedAction() {
> + public Object run() {
> + return PackageCompilationData.class.getProtectionDomain();
> + }
> + } );
> + }
> +
> private Map invokerLookups = new HashMap();
>
> private Object AST;
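Review bot: the static initializer gives every class that PackageClassLoader defines the ProtectionDomain of PackageCompilationData itself, i.e. whatever the policy grants to the drools-core code source, and nothing in the hunk says so; add a comment on the field stating that intent and why the doPrivileged wrapper is needed (Class.getProtectionDomain requires RuntimePermission "getProtectionDomain" when a SecurityManager is installed, and the library may be invoked from a less-privileged caller on the stack), for example `/** Domain of the drools jar, handed to generated rule classes so they are not left with a null CodeSource; mirrors ClassFieldExtractorFactory, see JBRULES-562. */`. The raw PrivilegedAction plus the cast to ProtectionDomain is the right shape for the JDK 1.4 target named in the environment line.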
> @@ -280,7 +293,8 @@
> return defineClass( name,
> clazzBytes,
> 0,
> - clazzBytes.length );
> + clazzBytes.length,
> + PROTECTION_DOMAIN );
> }
> }
>
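Review bot: the five-argument defineClass call is the actual fix and matches the log above, where Rule_Bad_Rule_0 and Rule_Bad_Rule_0Eval1Invoker are listed with CodeSource (null <no certificates>) and an empty grant block. Two points before merging: every class compiled from a DRL now runs with the full permission set the policy grants to the drools code source, which is worth a sentence in the release notes for deployments that grant drools-core broad permissions; and the attached PackageCompilationDataTest.java should run with a SecurityManager in place and assert that a class defined through PackageClassLoader reports a CodeSource with a non-null location, otherwise the test cannot fail on a JDK where no policy is enforced.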
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
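To make the mechanism behind the quoted fix visible, here is an added stand-alone probe (not drools code and not the reporter's attachment; the class and loader names are invented for the example) that defines the same class bytes twice in a minimal loader: once with the four-argument defineClass used before the patch, once with the loader host's own ProtectionDomain as the patch does, and reports the CodeSource each defined class ends up with.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;

/* Added example, not drools code: a class defined with the 4-arg defineClass gets
 * the JDK default domain, whose CodeSource has a null location that no policy grant
 * can match; the 5-arg form inherits the supplied domain and its grants. */
public class DefineClassDomainProbe {

    /** Tiny class whose bytecode is re-defined in the probe loader. */
    public static class Marker { }

    /** Hypothetical stand-in for PackageClassLoader: defines one class from bytes. */
    static final class ProbeLoader extends ClassLoader {
        private final ProtectionDomain domain; // null = use the JDK default domain

        ProbeLoader(ProtectionDomain domain) {
            super(null);               // bootstrap parent, so Marker is not found by delegation
            this.domain = domain;
        }

        Class<?> defineFromBytes(String name, byte[] bytes) {
            return domain == null
                ? defineClass(name, bytes, 0, bytes.length)          // pre-patch form
                : defineClass(name, bytes, 0, bytes.length, domain); // patched form
        }
    }

    /** Reads Marker's bytecode from the classpath. */
    static byte[] markerBytes() throws IOException {
        String res = Marker.class.getName().replace('.', '/') + ".class";
        try (InputStream in = ClassLoader.getSystemResourceAsStream(res);
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            if (in == null) throw new IOException("cannot find " + res);
            byte[] buf = new byte[4096];
            for (int n; (n = in.read(buf)) > 0; ) out.write(buf, 0, n);
            return out.toByteArray();
        }
    }

    /** Defines Marker in a fresh loader and reports the CodeSource it was given. */
    static String describe(ProtectionDomain domain) throws IOException {
        Class<?> c = new ProbeLoader(domain).defineFromBytes(Marker.class.getName(), markerBytes());
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return c.getName() + " -> " + (cs == null ? "no CodeSource" : "location=" + cs.getLocation());
    }

    public static void main(String[] args) throws IOException {
        System.out.println("4-arg defineClass: " + describe(null));
        System.out.println("5-arg defineClass: " + describe(DefineClassDomainProbe.class.getProtectionDomain()));
    }
}
```

The first line shows a null location, which is what the WebSphere log reports as CodeSource (null <no certificates>); the second shows the location of the directory or jar the probe itself was loaded from, so policy grants for that code source now apply to the defined class.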