[jboss-jira] [JBoss JIRA] (AS7-3744) AccessControlException because of SerializableClass.callReadObject

David Lloyd (JIRA) jira-events at lists.jboss.org
Mon Feb 13 18:02:00 EST 2012 

    [ https://issues.jboss.org/browse/AS7-3744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12666211#comment-12666211 ] 

David Lloyd commented on AS7-3744:
----------------------------------

I think the fix just masks the real problem, which has to do with some race condition in the JDK having to do with non-trivial protection domains.

The proposed patch concept introduces a real security risk that allows anyone to bypass access control even if a security manager is present, and also defeats the security restrictions upon the serialized object itself, so the patch will definitely not make it upstream as-is.  If the problem relates to protection domain depth, than an acceptable version of the patch (which would perform a permission check before acquiring an access-privileged SerializableClass instance) would likely suffer from the same problem.
                
> AccessControlException because of SerializableClass.callReadObject
> ------------------------------------------------------------------
>
>                 Key: AS7-3744
>                 URL: https://issues.jboss.org/browse/AS7-3744
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Remoting
>    Affects Versions: 7.1.0.Final
>         Environment: Fedora 16
>            Reporter: Will Reichert
>            Assignee: David Lloyd
>            Priority: Blocker
>
> see https://community.jboss.org/message/716366#716366 for details.
> Invoking an EJB from a remote client throws an AccessControlException after 60+ successful invocations despite AllPermission in the policy file. The patch we developed in the discussion was to modify org/jboss/marshalling/reflect/SerializableClass.callReadObject(...) to use a privileged action. The workaround passed the tests in jboss-marshalling and worked for the remote EJB invocation (over 100,000 successful invocations before stopping test). 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list