[jboss-jira] [JBoss JIRA] Created: (JBAOP-762) Permission Issue (with AOP) in Applet Environment

Howard Gao (JIRA) jira-events at lists.jboss.org
Tue Jan 12 12:01:31 EST 2010


Permission Issue (with AOP) in Applet Environment
-------------------------------------------------

                 Key: JBAOP-762
                 URL: https://jira.jboss.org/jira/browse/JBAOP-762
             Project: JBoss AOP
          Issue Type: Bug
      Security Level: Public (Everyone can see)
    Affects Versions: 1.5.6.GA
            Reporter: Howard Gao
             Fix For: 1.5.7.GA
         Attachments: java_console.out

Summary:

A JBM client is packed in an applet. The client gets a "java.util.PropertyPermission legacyParsing read" AccessControlException when trying to create a JMS connection.

Possible Reason:

The AccessControlContext was changed after JBM went through some AOP stack.

AOP version 1.5.6.GA


To reproduce this issue, I did the following:

1. Create a simple applet. The applet creates a button "DoWork".
2. Pressing "DoWork" will cause the applet to do a JNDI lookup for a connection factory and call createConnection() on the factory.

In createConnection(), there is a method call on an AOP instrumented object:

createConnection()
{
   ...
   String wok = aopObj.doSomeWork("GoodWook");
   ...
}


The aopObj is a simple class with one method:

import java.io.Serializable;

public class FakeInvokerLocatorWithAOP implements Serializable
{

   private static final long serialVersionUID = 2223089961647029627L;

   // Reads the system property, which triggers the PropertyPermission check
   public String doSomeWork(String work)
   {
      return work + " done. : " + System.getProperty("legacyParsing");
   }

}

This class has an advice defined in AOP xml :

   <aspect class="org.jboss.jms.client.container.SimpleAspect" scope="PER_VM"/>

   <bind pointcut="execution(* org.jboss.jms.client.delegate.FakeInvokerLocatorWithAOP->doSomeWork(..))">
      <advice name="handleDoSomeWork" aspect="org.jboss.jms.client.container.SimpleAspect"/>
   </bind>

The Advice class SimpleAspect is very simple:

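import org.jboss.aop.joinpoint.Invocation;

public class SimpleAspect
{

   // Around advice: runs the intercepted doSomeWork() call, then decorates its result
   public Object handleDoSomeWork(Invocation inv) throws Throwable
   {
      String res = (String)inv.invokeNext();

      res = res + " with AOP";

      System.out.println("-----res: " + res);

      return res;
   }
}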

So if the call of aopObj.doSomeWork("GoodWook") is successful, the returned value should be something like:

"GoodWook done. " + <value of sys prop 'legacyParsing'> + " with AOP"

But the real situation is that I got the following exception:

java.security.AccessControlException: access denied (java.util.PropertyPermission legacyParsing read)

Debugging shows that once the execution goes inside SimpleAspect.handleDoSomeWork(), the system's AccessControlContext has changed, but the SecurityManager remained the same as before. This changed context doesn't allow the above permission.

I also checked the SimpleAspect's ProtectionDomain by

PermissionCollection pcol = this.getClass().getProtectionDomain().getPermissions();

And this protection domain's permissions imply the above permission, namely

pcol.implies(new PropertyPermission("legacyParsing", "read")) returns true.

Note: you may need to add the following permission to your java.policy in order to get protectionDomain at this point.

permission java.lang.RuntimePermission "getProtectionDomain";


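Added example, not part of the original report and not JBoss code: the general Java rule behind the observation above is that a permission check passes only when every ProtectionDomain in the current AccessControlContext implies the permission, so one class's domain implying it is not sufficient. The class name and both domains below are constructed stand-ins, not the ones from the applet, and the code assumes a JDK that still implements the Security Manager APIs (deprecated since Java 17).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class ContextIntersectionDemo {

    // Constructed domain with a fixed (static) permission set and no CodeSource.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new ProtectionDomain((CodeSource) null, perms);
    }

    // True only if every domain in the context implies the permission.
    static boolean allowed(Permission perm, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(perm);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Permission read = new PropertyPermission("legacyParsing", "read");
        ProtectionDomain aspect = domain(read); // stand-in for the aspect's domain
        ProtectionDomain other = domain();      // hypothetical frame with no grants

        System.out.println("aspect domain implies:   " + aspect.implies(read));
        System.out.println("aspect only in context:  " + allowed(read, aspect));
        System.out.println("aspect + other in context: " + allowed(read, aspect, other));

        // Diagnostic: report which domain in the context refuses the permission.
        for (ProtectionDomain pd : new ProtectionDomain[] {aspect, other}) {
            if (!pd.implies(read)) {
                System.out.println("denying domain: " + pd);
            }
        }
    }
}
```

The same per-domain implies() loop, run over the domains actually present when the exception is thrown, identifies the frame that lacks the grant.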