[jboss-jira] [JBoss JIRA] (DROOLS-3429) Serialization of KiePackages fails when SecurityManager is enabled
Tibor Zimányi (Jira)
issues at jboss.org
Fri Dec 21 05:52:00 EST 2018
[ https://issues.jboss.org/browse/DROOLS-3429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13677013#comment-13677013 ]
Tibor Zimányi edited comment on DROOLS-3429 at 12/21/18 5:51 AM:
-----------------------------------------------------------------
Hi [~aboukhal], I cannot reproduce the problem based on your description. I created a test class [1], then I added the AllPermission permission to my java.policy file, added the "-Djava.security.manager" flag to the test run, and it works. As you can see from the test class, I also tried to add the policy programmatically, with the same results. Could you please check whether the test matches your case? If not, could you please provide a reproducer? Maybe my test class might help you with developing one. I ran the test using the master branch and the 7.14.x branch, both with Oracle JDK 8 and IBM JDK 8.
[1] https://gist.github.com/baldimir/c8fa9773439ec08f7ae17ac35a522b61
> Serialization of KiePackages fails when SecurityManager is enabled
> ------------------------------------------------------------------
>
> Key: DROOLS-3429
> URL: https://issues.jboss.org/browse/DROOLS-3429
> Project: Drools
> Issue Type: Bug
> Components: core engine
> Affects Versions: 6.5.0.Final, 7.15.0.Final
> Environment: Running with IBM JDK 1.8
> Reporter: Marcel Abou Khalil
> Assignee: Mario Fusco
> Priority: Major
>
> Our Drools setup:
> - users write rules in a combination of DSL and Java code
> - rules are compiled
> - packages are stored in a database (rules are seldom changed but often run)
> This has been working fine but in order to improve security, we've enabled the SecurityManager. This throws an exception while trying to serialize the consequence part of the rule:
> {code:java}
> Caused by: java.io.NotSerializableException: com.redacted.Rule_Events_REDACTED61028857611DefaultConsequenceInvoker
> - field (class "org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence", name: "delegate", type: "interface org.drools.core.spi.Consequence")
> - object (class "org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence", org.drools.core.definitions.rule.impl.RuleImpl$SafeConsequence@93071816)
> - writeExternal data
> - object (class "org.drools.core.definitions.rule.impl.RuleImpl", [Rule name=REDACTED, agendaGroup=end, salience=0, no-loop=true])
> - writeExternal data
> - object (class "org.drools.core.rule.JavaDialectRuntimeData", org.drools.core.rule.JavaDialectRuntimeData{...})
> - custom writeObject data (class "java.util.HashMap")
> - object (class "java.util.HashMap", {java=org.drools.core.rule.JavaDialectRuntimeData{...}, mvel=org.drools.core.rule.MVELDialectRuntimeData@b99ea6b2})
> - writeExternal data
> - root object (class "org.drools.core.rule.DialectRuntimeRegistry", org.drools.core.rule.DialectRuntimeRegistry@2d9acae8)
> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1213)
> at java.io.ObjectOutputStream.defaultWriteFields(ObjectOutputStream.java:1615)
> at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1576)
> at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1499)
> at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1209)
> at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:365)
> at org.drools.core.definitions.rule.impl.RuleImpl.writeExternal(RuleImpl.java:180)
> {code}
> Possible cause:
> Class {{RuleImpl}}, method {{writeExternal}} will write out {{null}} if the consequence is of type {{CompiledInvoker}}. But if the SecurityManager is enabled, the method {{wire}} will wrap the Consequence inside a {{SafeConsequence}}. A {{SafeConsequence}}, in contrast to the wrapped consequence, is not a {{CompiledInvoker}}, so {{writeExternal}} will attempt to serialize it instead of just writing {{null}}, and fails.