[jboss-jira] [JBoss JIRA] (DROOLS-3429) Serialization of KiePackages fails when SecurityManager is enabled

Marcel Abou Khalil (Jira) issues at jboss.org
Wed Dec 12 11:29:00 EST 2018


     [ https://issues.jboss.org/browse/DROOLS-3429?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcel Abou Khalil updated DROOLS-3429:
---------------------------------------
    Description: 
Our Drools setup:
- users write rules in a combination of DSL and Java code
- rules are compiled
- packages are stored in a database (rules are seldom changed but often run)

This has been working fine but in order to improve security, we've enabled the SecurityManager. This throws an exception while trying to serialize the consequence part of the rule:


{code:java}
Caused by: java.io.NotSerializableException: com.redacted.Rule_Events_REDACTED61028857611DefaultConsequenceInvoker
	- field (class "org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence", name: "delegate", type: "interface org.drools.core.spi.Consequence")
	- object (class "org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence", org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence@93071816)
	- writeExternal data
	- object (class "org.drools.core.definitions.rule.impl.RuleImpl", [Rule name=REDACTED, agendaGroup=end, salience=0, no-loop=true])
	- writeExternal data
	- object (class "org.drools.core.rule.JavaDialectRuntimeData", org.drools.core.rule.JavaDialectRuntimeData{...})
	- custom writeObject data (class "java.util.HashMap")
	- object (class "java.util.HashMap", {java=org.drools.core.rule.JavaDialectRuntimeData{...}, mvel=org.drools.core.rule.MVELDialectRuntimeData@b99ea6b2})
	- writeExternal data
	- root object (class "org.drools.core.rule.DialectRuntimeRegistry", org.drools.core.rule.DialectRuntimeRegistry@2d9acae8)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1213)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1615)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1576)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1499)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1209)
	at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:365)
	at org.drools.core.definitions.rule.impl.RuleImpl.writeExternal(RuleImpl.java:180)
{code}


Possible cause:
Class {{RuleImpl}}, method {{writeExternal}} will write out {{null}} if the consequence is of type {{CompiledInvoker}}. But if the SecurityManager is enabled, the method {{wire}} will wrap the Consequence inside a {{SafeConsequence}}. A {{SafeConsequence}}, in contrast to the wrapped consequence, is not a {{CompiledInvoker}}, so {{writeExternal}} will attempt to serialize it instead of just writing {{null}}, and fails.

  was:
Our Drools setup:
- users write rules in a combination of DSL and Java code
- rules are compiled
- packages are stored in a database (rules are seldom changed but often run)

This has been working fine but in order to improve security, we've enabled the SecurityManager. This throws an exception while trying to serialize the consequence part of the rule:


{code:java}
Caused by: java.io.NotSerializableException: com.redacted.Rule_Events_REDACTED61028857611DefaultConsequenceInvoker
	- field (class "org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence", name: "delegate", type: "interface org.drools.core.spi.Consequence")
	- object (class "org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence", org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence@93071816)
	- writeExternal data
	- object (class "org.drools.core.definitions.rule.impl.RuleImpl", [Rule name=REDACTED, agendaGroup=end, salience=0, no-loop=true])
	- writeExternal data
	- object (class "org.drools.core.rule.JavaDialectRuntimeData", org.drools.core.rule.JavaDialectRuntimeData{...})
	- custom writeObject data (class "java.util.HashMap")
	- object (class "java.util.HashMap", {java=org.drools.core.rule.JavaDialectRuntimeData{...}, mvel=org.drools.core.rule.MVELDialectRuntimeData@b99ea6b2})
	- writeExternal data
	- root object (class "org.drools.core.rule.DialectRuntimeRegistry", org.drools.core.rule.DialectRuntimeRegistry@2d9acae8)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1213)
	at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1615)
	at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1576)
	at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1499)
	at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1209)
	at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:365)
	at org.drools.core.definitions.rule.impl.RuleImpl.writeExternal(RuleImpl.java:180)
{code}


Possible cause:
Class {{RuleImpl}}, method {{writeExternal}} will write out {{null}} if the consequence is of type {{CompiledInvoker}}. But if the SecurityManager is enabled, the method {{wire}} will wrap the Consequence inside a {{SafeConsequence}}. A {{SafeConsequence}} is not a {{CompiledInvoker}} so {{writeExternal}} will attempt to serialize it, instead of just writing null and fails.



> Serialization of KiePackages fails when SecurityManager is enabled
> ------------------------------------------------------------------
>
>                 Key: DROOLS-3429
>                 URL: https://issues.jboss.org/browse/DROOLS-3429
>             Project: Drools
>          Issue Type: Bug
>          Components: core engine
>    Affects Versions: 6.5.0.Final, 7.15.0.Final
>         Environment: Running with IBM JDK 1.8
>            Reporter: Marcel Abou Khalil
>            Assignee: Mario Fusco
>            Priority: Major



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
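
The mechanism described under "Possible cause", reduced to a stand-alone reproduction. This is an added example, not code from the report or from the Drools sources: the nested types are minimal stand-ins that only borrow the class names mentioned above, and {{writeUnwrapped}} is an assumed alternative check, not the project's fix.

```java
import java.io.*;

// Stand-ins modelled on the class names in the report; NOT the Drools sources.
public class SafeConsequenceDemo {
    interface Consequence { String getName(); }
    interface CompiledInvoker { }   // marker: generated code that is never serialized

    // Generated invoker: a CompiledInvoker that is deliberately not Serializable.
    static class GeneratedInvoker implements Consequence, CompiledInvoker {
        public String getName() { return "default"; }
    }

    // Wrapper applied when a SecurityManager is active; Serializable, but its delegate is not.
    static class SafeConsequence implements Consequence, Serializable {
        final Consequence delegate;
        SafeConsequence(Consequence delegate) { this.delegate = delegate; }
        public String getName() { return delegate.getName(); }
    }

    // Check as described in the report: only the outer type is tested.
    static void writeAsReported(ObjectOutput out, Consequence c) throws IOException {
        out.writeObject(c instanceof CompiledInvoker ? null : c);
    }

    // Assumed alternative (not the project's fix): look through the wrapper first.
    static void writeUnwrapped(ObjectOutput out, Consequence c) throws IOException {
        Consequence inner = (c instanceof SafeConsequence) ? ((SafeConsequence) c).delegate : c;
        out.writeObject(inner instanceof CompiledInvoker ? null : c);
    }

    // Runs one of the two checks and reports "ok" or the exception type raised.
    static String attempt(boolean unwrap, Consequence c) {
        try (ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream())) {
            if (unwrap) writeUnwrapped(out, c); else writeAsReported(out, c);
            return "ok";
        } catch (IOException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        Consequence plain = new GeneratedInvoker();         // no SecurityManager
        Consequence wrapped = new SafeConsequence(plain);   // what wire() yields with one enabled
        System.out.println("reported check, plain:     " + attempt(false, plain));
        System.out.println("reported check, wrapped:   " + attempt(false, wrapped));
        System.out.println("unwrapping check, wrapped: " + attempt(true, wrapped));
    }
}
```

Only the wrapped case under the reported check ends in a NotSerializableException, raised on the wrapper's {{delegate}} field as in the trace above.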

