[jboss-jira] [JBoss JIRA] Commented: (EJBTHREE-1587) SessionSpecContainer missing a privileged block
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Thu Nov 13 13:32:36 EST 2008
[ https://jira.jboss.org/jira/browse/EJBTHREE-1587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12438378#action_12438378 ]
Anil Saldhana commented on EJBTHREE-1587:
-----------------------------------------
This is an extremely dangerous set up.
ProtectionDomain (vfszip:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/security-ejb3.jar <no signer certificates>)
basically can be fixed by giving out the required permission (java.lang.RuntimePermission setContextClassLoader) to security-ejb3.jar
But the problem is that now user ejb3 beans can do Thread.currentThread().setContextClassLoader(mySuckyNewCL)
This is a dangerous security hole and not spec compliant. ;)
> SessionSpecContainer missing a privileged block
> -----------------------------------------------
>
> Key: EJBTHREE-1587
> URL: https://jira.jboss.org/jira/browse/EJBTHREE-1587
> Project: EJB 3.0
> Issue Type: Sub-task
> Reporter: Anil Saldhana
>
> ========================================================
> 11:54:33,442 ERROR [STDERR] access: access denied (java.lang.RuntimePermission setContextClassLoader)
> 11:54:33,443 ERROR [STDERR] java.lang.Exception: Stack trace
> 11:54:33,443 ERROR [STDERR] at java.lang.Thread.dumpStack(Thread.java:1158)
> 11:54:33,443 ERROR [STDERR] at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
> 11:54:33,443 ERROR [STDERR] at java.security.AccessController.checkPermission(AccessController.java:427)
> 11:54:33,443 ERROR [STDERR] at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> 11:54:33,443 ERROR [STDERR] at java.lang.Thread.setContextClassLoader(Thread.java:1306)
> 11:54:33,443 ERROR [STDERR] at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:156)
> 11:54:33,443 ERROR [STDERR] at org.jboss.ejb3.proxy.handler.session.SessionSpecProxyInvocationHandlerBase.invoke(SessionSpecProxyInvocationHandlerBase.java:125)
> 11:54:33,443 ERROR [STDERR] at $Proxy228.invokeDelegate(Unknown Source)
> 11:54:33,443 ERROR [STDERR] at org.jboss.test.security.ejb3.RunAsSessionBean.invokeRunAs(RunAsSessionBean.java:56)
> 11:54:33,443 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 11:54:33,443 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 11:54:33,443 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 11:54:33,443 ERROR [STDERR] at java.lang.reflect.Method.invoke(Method.java:585)
> 11:54:33,444 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
> 11:54:33,444 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
> 11:54:33,444 ERROR [STDERR] at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
> 11:54:33,444 ERROR [STDERR] at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
> 11:54:33,444 ERROR [STDERR] at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
> 11:54:33,444 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 11:54:33,444 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 11:54:33,444 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 11:54:33,444 ERROR [STDERR] at java.lang.reflect.Method.invoke(Method.java:585)
> 11:54:33,444 ERROR [STDERR] at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
> 11:54:33,444 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,444 ERROR [STDERR] at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
> 11:54:33,444 ERROR [STDERR] at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_1600112134.invoke(InvocationContextInterceptor_z_fillMethod_1600112134.java)
> 11:54:33,444 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,444 ERROR [STDERR] at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
> 11:54:33,444 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,444 ERROR [STDERR] at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
> 11:54:33,444 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,444 ERROR [STDERR] at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,445 ERROR [STDERR] at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:87)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,445 ERROR [STDERR] at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,445 ERROR [STDERR] at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,445 ERROR [STDERR] at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:65)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 11:54:33,445 ERROR [STDERR] at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:482)
> 11:54:33,445 ERROR [STDERR] at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:56)
> 11:54:33,445 ERROR [STDERR] at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
> 11:54:33,446 ERROR [STDERR] at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
> 11:54:33,446 ERROR [STDERR] at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
> 11:54:33,446 ERROR [STDERR] at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:742)
> 11:54:33,446 ERROR [STDERR] at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:695)
> 11:54:33,446 ERROR [STDERR] at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:522)
> 11:54:33,446 ERROR [STDERR] at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:230)
> 11:54:33,446 ERROR [STDERR] access: access allowed (java.security.SecurityPermission getPolicy)
> 11:54:33,446 ERROR [STDERR] access: domain that failed ProtectionDomain (vfszip:/home/anil/jboss-5.0/jboss-head/testsuite/output/lib/security-ejb3.jar <no signer certificates>)
> null
> <no principals>
> =====================================================================
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list