[jboss-jira] [JBoss JIRA] Updated: (JBAOP-762) Permission Issue (with AOP) in Applet Environment
Howard Gao (JIRA)
jira-events at lists.jboss.org
Tue Jan 12 12:06:31 EST 2010
[ https://jira.jboss.org/jira/browse/JBAOP-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Howard Gao updated JBAOP-762:
-----------------------------
Attachment: applet-aop.tar.gz
Test case uploaded, please see the readme on how to build it. Basically, all you need to do to build it is run:
ant clean
ant
> Permission Issue (with AOP) in Applet Environment
> -------------------------------------------------
>
> Key: JBAOP-762
> URL: https://jira.jboss.org/jira/browse/JBAOP-762
> Project: JBoss AOP
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 1.5.6.GA
> Reporter: Howard Gao
> Fix For: 1.5.7.GA
>
> Attachments: applet-aop.tar.gz, java_console.out
>
>
> Summary:
> JBM client packed in an Applet. The client gets "java.util.PropertyPermission legacyParsing read" AccessControlException when trying to create a JMS connection.
> Possible Reason:
> The AccessControlContext was changed after JBM went through some AOP stack.
> AOP version 1.5.6.GA
> To reproduce this issue, I did the following:
> 1. Create a simple applet. The applet creates a button "DoWork".
> 2. Pressing "DoWork" will cause the applet to do a JNDI lookup for a connection factory and call createConnection() on the factory.
> In createConnection(), there is a method call on an AOP instrumented object:
>     createConnection()
>     {
>         ...
>         String wok = aopObj.doSomeWork("GoodWook");
>         ...
>     }
> The aopObj is a simple class with one method:
>     public class FakeInvokerLocatorWithAOP implements Serializable
>     {
>
>         private static final long serialVersionUID = 2223089961647029627L;
>         public String doSomeWork(String work)
>         {
>             return work + " done. : " + System.getProperty("legacyParsing");
>         }
>     }
> This class has an advice defined in AOP xml :
>     <aspect class="org.jboss.jms.client.container.SimpleAspect" scope="PER_VM"/>
>     <bind pointcut="execution(* org.jboss.jms.client.delegate.FakeInvokerLocatorWithAOP->doSomeWork(..))">
>         <advice name="handleDoSomeWork" aspect="org.jboss.jms.client.container.SimpleAspect"/>
>     </bind>
> The Advice class SimpleAspect is very simple:
>     public class SimpleAspect {
>         public Object handleDoSomeWork(Invocation inv) throws Throwable
>         {
>             String res = (String)inv.invokeNext();
>
>             res = res + " with AOP";
>
>             System.out.println("-----res: " + res);
>
>             return res;
>         }
>     }
> So if the call of aopObj.doSomeWork("GoodWook") is successful, the returned value should be something like:
> "GoodWook done. " + <value of sys prop 'legacyParsing'> + " with AOP"
> But the real situation is that I got the following exception:
> java.security.AccessControlException: access denied (java.util.PropertyPermission legacyParsing read)
> Debugging shows that once the execution goes inside SimpleAspect.handleDoSomeWork(), the system's AccessControlContext has changed, but the SecurityManager remained the same as before. This changed context doesn't allow the above permission.
> I also checked the SimpleAspect's ProtectionDomain by
> PermissionCollection pcol = this.getClass().getProtectionDomain().getPermissions();
> And this protection domain's permissions imply the above permission, namely
> pcol.implies(new PropertyPermission("legacyParsing", "read")) returns true.
> Note: you may need to add the following permission to your java.policy in order to get protectionDomain at this point.
> permission java.lang.RuntimePermission "getProtectionDomain";
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
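
The report checks only SimpleAspect's own ProtectionDomain, but an AccessControlContext allows a permission only when every ProtectionDomain it contains implies it. The following is an added example, not code from the report or from JBoss AOP: it builds a context from two constructed domains (the "ungranted" one is a hypothetical stand-in for any other frame on the call stack, not a diagnosis of JBAOP-762) and assumes a JDK of that era, where AccessControlContext still enforces checks.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class DomainIntersectionDemo {

    // Constructed domain with static permissions only (no CodeSource, no policy lookup).
    static ProtectionDomain domain(boolean grantRead) {
        Permissions perms = new Permissions();
        if (grantRead) {
            perms.add(new PropertyPermission("legacyParsing", "read"));
        }
        return new ProtectionDomain(null, perms);
    }

    // Index of the first domain that does not imply the permission, or -1 if all do.
    static int firstDenying(ProtectionDomain[] domains, Permission p) {
        for (int i = 0; i < domains.length; i++) {
            if (!domains[i].implies(p)) {
                return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        Permission read = new PropertyPermission("legacyParsing", "read");
        ProtectionDomain granted = domain(true);    // stands in for the aspect class's domain
        ProtectionDomain ungranted = domain(false); // hypothetical extra frame on the stack
        ProtectionDomain[] stack = { granted, ungranted };

        // The single-domain check from the report succeeds on its own.
        System.out.println("granted.implies: " + granted.implies(read));
        try {
            // The context check passes only if every domain implies the permission.
            new AccessControlContext(stack).checkPermission(read);
            System.out.println("context: allowed");
        } catch (AccessControlException e) {
            System.out.println("context: " + e.getMessage());
            System.out.println("denying domain index: " + firstDenying(stack, read));
        }
    }
}
```

On a real run, the JDK system property java.security.debug=access,failure prints the stack and the domain that failed the check.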