[jboss-jira] [JBoss JIRA] Commented: (JBAOP-762) Permission Issue (with AOP) in Applet Environment

Howard Gao (JIRA) jira-events at lists.jboss.org
Tue Jan 12 12:10:30 EST 2010 

    [ https://jira.jboss.org/jira/browse/JBAOP-762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12503698#action_12503698 ] 

Howard Gao commented on JBAOP-762:
----------------------------------


To run the test, first start a JBoss 4.x server with JBM (using the jboss-messaging-client.jar and jboss-messaging.jar in the test).
Then start a web server (for example tomcat 6). Deploy the applet to tomcate webapp/ROOT. Open a browser (firefox or Google Chrome) and 
go to the following address:

http://localhost:8585/mqapplet.html

the browser will download the applet and run it (you should choose to trust the applet). When the applet's GUI shows up, click the DoWork button and watch the output of java console.

> Permission Issue (with AOP) in Applet Environment
> -------------------------------------------------
>
>                 Key: JBAOP-762
>                 URL: https://jira.jboss.org/jira/browse/JBAOP-762
>             Project: JBoss AOP
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 1.5.6.GA
>            Reporter: Howard Gao
>             Fix For: 1.5.7.GA
>
>         Attachments: applet-aop.tar.gz, java_console.out
>
>
> Summary:
> JBM client packed in an Applet. The client gets "java.util.PropertyPermission legacyParsing read" AccessControlException when trying to create a JMS connection.
> Possible Reason:
> The AccessControlContext was changed after JBM going through some AOP stack.
> AOP version 1.5.6.GA
> To reproduce this issue, I did the following:
> 1. create a simple applet. The applet create a button "DoWork". 
> 2. Pressing "DoWork" will cause the applet to do a jndi lookup for a connection factory and call creationConnection() on the factory.
> In createConnection(), there is a method call on an AOP instrumented object:
> createConnection()
> {
>    ...
>    String wok = aopObj.doSomeWork("GoodWook");
>    ...
> }
> The aopObj is a simple class with one method:
> public class FakeInvokerLocatorWithAOP implements Serializable
> {
>     
>    private static final long serialVersionUID = 2223089961647029627L;
>    public String doSomeWork(String work)
>    {
>       return work + " done. : " + System.getProperty("legacyParsing");
>    }
> }
> This class has an advice defined in AOP xml :
>    <aspect class="org.jboss.jms.client.container.SimpleAspect" scope="PER_VM"/>
>    <bind pointcut="execution(* org.jboss.jms.client.delegate.FakeInvokerLocatorWithAOP->doSomeWork(..))">
>       <advice name="handleDoSomeWork" aspect="org.jboss.jms.client.container.SimpleAspect"/>
>    </bind>
> The Advice class SimpleAspect is very simple:
> public class SimpleAspect {
> 	public Object handleDoSomeWork(Invocation inv) throws Throwable
> 	{
>         String res = (String)inv.invokeNext();
>         
>         res = res + " with AOP";
>         
>         System.out.println("-----res: " + res);
> 	    
>         return res;
> 	}
> }
> So if the call of aopObj.doSomeWork("GoodWook") is successful, the returned value should be something like:
> "GoodWook done. " + <value of sys prop 'legacyParsing'> + " with AOP"
> But the real situation is that I got the following exception: 
> java.security.AccessControlException: access denied (java.util.PropertyPermission legacyParsing read)
> Debugging shows that once the execution goes inside SimpleAspect.handleDoSomeWork(), the system's AccessControlContext has changed, but the SecurityManager remained same as before. This changed context doesn't allow the above permission.
> I also checked the SimpleAspect's ProtectionDomain by 
> PermissionCollection pcol = this.getClass().getProtectionDomain().getPermissions();
> And this proctection domain's permissions implies the above permission, namely
> pcol.implies(new PropertyPermission("legacyParsing", "read")) returns true.
> Note: you may need to add the following permission to your java.policy in order to get protectionDomain at this point.
> permission java.lang.RuntimePermission "getProtectionDomain";

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list