You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-commits@db.apache.org by ka...@apache.org on 2014/03/28 10:44:38 UTC
svn commit: r1582655 - in /db/derby/code/trunk/java:
engine/org/apache/derby/impl/io/
testing/org/apache/derbyTesting/functionTests/tests/lang/
Author: kahatlen
Date: Fri Mar 28 09:44:37 2014
New Revision: 1582655
URL: http://svn.apache.org/r1582655
Log:
DERBY-5615: Permission problems with classpath subsubprotocol
Wrap CPFile's privileged operations in doPrivileged() so that
classpath databases can be accessed with a security manager.
Make more of the test cases in DatabaseClassLoadingTest and
NativeAuthenticationServiceTest run with a security manager.
Modified:
db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java?rev=1582655&r1=1582654&r2=1582655&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java Fri Mar 28 09:44:37 2014
@@ -26,7 +26,12 @@ import org.apache.derby.io.StorageFile;
import java.io.InputStream;
import java.io.FileNotFoundException;
+import java.io.IOException;
import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
/**
* This class provides a class path based implementation of the StorageFile interface. It is used by the
@@ -90,30 +95,22 @@ class CPFile extends InputStreamFile
*/
public InputStream getInputStream( ) throws FileNotFoundException
{
- //System.out.println("HERE FOR " + toString());
- InputStream is = null;
- ClassLoader cl = Thread.currentThread().getContextClassLoader();
- if (cl != null)
- is = cl.getResourceAsStream(path);
-
- // don't assume the context class loader is tied
- // into the class loader that loaded this class.
- if (is == null)
- {
- cl = getClass().getClassLoader();
- // Javadoc indicates implementations can use
- // null as a return from Class.getClassLoader()
- // to indicate the system/bootstrap classloader.
- if (cl != null)
- is = cl.getResourceAsStream(path);
- else
- is = ClassLoader.getSystemResourceAsStream(path);
- }
-
- if (is == null)
- throw new FileNotFoundException(toString());
- return is;
-
+ URL url = getURL();
+
+ if (url == null) {
+ throw new FileNotFoundException(toString());
+ }
+
+ try {
+ return openStream(url);
+ } catch (FileNotFoundException fnf) {
+ throw fnf;
+ } catch (IOException ioe) {
+ FileNotFoundException fnf = new FileNotFoundException(toString());
+ fnf.initCause(ioe);
+ throw fnf;
+ }
+
} // end of getInputStream
/**
@@ -123,10 +120,10 @@ class CPFile extends InputStreamFile
*/
public URL getURL() {
- ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ ClassLoader cl = getContextClassLoader(Thread.currentThread());
URL myURL;
if (cl != null) {
- myURL = cl.getResource(path);
+ myURL = getResource(cl, path);
if (myURL != null)
return myURL;
}
@@ -138,9 +135,51 @@ class CPFile extends InputStreamFile
// null as a return from Class.getClassLoader()
// to indicate the system/bootstrap classloader.
if (cl != null) {
- return cl.getResource(path);
+ return getResource(cl, path);
} else {
- return ClassLoader.getSystemResource(path);
+ return getSystemResource(path);
+ }
+ }
+
+ /** Privileged wrapper for {@code Thread.getContextClassLoader()}. */
+ private static ClassLoader getContextClassLoader(final Thread thread) {
+ return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+ public ClassLoader run() {
+ return thread.getContextClassLoader();
+ }
+ });
+ }
+
+ /** Privileged wrapper for {@code ClassLoader.getResource(String)}. */
+ private static URL getResource(
+ final ClassLoader cl, final String name) {
+ return AccessController.doPrivileged(new PrivilegedAction<URL>() {
+ public URL run() {
+ return cl.getResource(name);
+ }
+ });
+ }
+
+ /** Privileged wrapper for {@code ClassLoader.getSystemResource(String)}. */
+ private static URL getSystemResource(final String name) {
+ return AccessController.doPrivileged(new PrivilegedAction<URL>() {
+ public URL run() {
+ return ClassLoader.getSystemResource(name);
+ }
+ });
+ }
+
+ /** Privileged wrapper for {@code URL.openStream()}. */
+ private static InputStream openStream(final URL url) throws IOException {
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<InputStream>() {
+ public InputStream run() throws IOException {
+ return url.openStream();
+ }
+ });
+ } catch (PrivilegedActionException pae) {
+ throw (IOException) pae.getCause();
}
}
}
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java?rev=1582655&r1=1582654&r2=1582655&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java Fri Mar 28 09:44:37 2014
@@ -44,6 +44,7 @@ import javax.sql.DataSource;
import junit.framework.Test;
import junit.framework.TestSuite;
+import org.apache.derbyTesting.functionTests.util.PrivilegedFileOpsForTests;
import org.apache.derbyTesting.junit.BaseJDBCTestCase;
import org.apache.derbyTesting.junit.ClasspathSetup;
import org.apache.derbyTesting.junit.CleanDatabaseTestSetup;
@@ -114,17 +115,15 @@ public class DatabaseClassLoadingTest ex
suite.addTest(new DatabaseClassLoadingTest(orderedTests[i]));
}
- suite.addTest(SecurityManagerSetup.noSecurityManager(
- new DatabaseClassLoadingTest("testDatabaseInJar")));
+ suite.addTest(new DatabaseClassLoadingTest("testDatabaseInJar"));
// DERBY-2162: Only run this test case on platforms that support
// the URLClassLoader.close() method. Otherwise, we won't be able
// to delete the jar file afterwards.
if (ClasspathSetup.supportsClose()) {
- suite.addTest(SecurityManagerSetup.noSecurityManager(
- new ClasspathSetup(
+ suite.addTest(new ClasspathSetup(
new DatabaseClassLoadingTest("testDatabaseInClasspath"),
- SupportFilesSetup.getReadOnlyURL("dclt.jar"))));
+ SupportFilesSetup.getReadOnlyURL("dclt.jar")));
}
// No security manager because the test uses getClass().getClassLoader()
@@ -638,7 +637,8 @@ public class DatabaseClassLoadingTest ex
public void testDatabaseInJar() throws SQLException
{
File jarFile = SupportFilesSetup.getReadOnly("dclt.jar");
- String dbName = "jar:(" + jarFile.getAbsolutePath() + ")dbro";
+ String dbName = "jar:(" +
+ PrivilegedFileOpsForTests.getAbsolutePath(jarFile) + ")dbro";
DataSource ds = JDBCDataSource.getDataSource(dbName);
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java?rev=1582655&r1=1582654&r2=1582655&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java Fri Mar 28 09:44:37 2014
@@ -37,7 +37,6 @@ import org.apache.derbyTesting.junit.Cla
import org.apache.derbyTesting.junit.DatabaseChangeSetup;
import org.apache.derbyTesting.junit.JDBC;
import org.apache.derbyTesting.junit.JDBCDataSource;
-import org.apache.derbyTesting.junit.SecurityManagerSetup;
import org.apache.derbyTesting.junit.SupportFilesSetup;
import org.apache.derbyTesting.junit.SystemPropertyTestSetup;
import org.apache.derbyTesting.junit.TestConfiguration;
@@ -73,9 +72,6 @@ public class NativeAuthenticationService
private static final boolean DISABLE_AUTHORIZATION = true;
private static final boolean DONT_DISABLE_AUTH = false;
- private static final boolean DISABLE_JAVA_SECURITY = true;
- private static final boolean ENABLE_JAVA_SECURITY = false;
-
// fruits are legal users. nuts are not
private static final String DBO = "KIWI";
private static final String APPLE_USER = "APPLE";
@@ -158,7 +154,6 @@ public class NativeAuthenticationService
private final boolean _nativeAuthentication;
private final boolean _localAuthentication;
private final boolean _turnOffAuthenticationAndAuthorization;
- private final boolean _disableSecurityManager;
private String _credentialsDBPhysicalName;
@@ -184,8 +179,7 @@ public class NativeAuthenticationService
int credentialsDBLocation,
boolean nativeAuthentication,
boolean localAuthentication,
- boolean turnOffAuthenticationAndAuthorization,
- boolean disableSecurityManager
+ boolean turnOffAuthenticationAndAuthorization
)
{
super( "testAll" );
@@ -194,7 +188,6 @@ public class NativeAuthenticationService
_nativeAuthentication = nativeAuthentication;
_localAuthentication = localAuthentication;
_turnOffAuthenticationAndAuthorization = turnOffAuthenticationAndAuthorization;
- _disableSecurityManager = disableSecurityManager;
}
///////////////////////////////////////////////////////////////////////////////////
@@ -329,14 +322,11 @@ public class NativeAuthenticationService
String authOverrides = _turnOffAuthenticationAndAuthorization ?
"Authentication/Authorization turned OFF, " :
"Authentication/Authorization DEFAULT, ";
- String securityManager = _disableSecurityManager ?
- "SecurityManager OFF, " :
- "SecurityManager ON, ";
String embedded = isEmbedded() ?
"Embedded" :
"Client/Server";
- return "[ " + dbLocation + authType + local + authOverrides + securityManager + embedded + " ]";
+ return "[ " + dbLocation + authType + local + authOverrides + embedded + " ]";
}
/** Return true if the test is running embedded */
@@ -367,7 +357,7 @@ public class NativeAuthenticationService
(
(
new NativeAuthenticationServiceTest
- ( JAR_ENCRYPTED, NATIVE, LOCAL, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+ ( JAR_ENCRYPTED, NATIVE, LOCAL, DONT_DISABLE_AUTH )
).decorate( false )
);
}
@@ -413,7 +403,7 @@ public class NativeAuthenticationService
(
(
new NativeAuthenticationServiceTest
- ( NONE, NO_AUTH, SYSTEM_WIDE, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+ ( NONE, NO_AUTH, SYSTEM_WIDE, DONT_DISABLE_AUTH )
).decorate( clientServer )
);
@@ -424,14 +414,14 @@ public class NativeAuthenticationService
(
(
new NativeAuthenticationServiceTest
- ( FILE, NATIVE, LOCAL, DISABLE_AUTHORIZATION, ENABLE_JAVA_SECURITY )
+ ( FILE, NATIVE, LOCAL, DISABLE_AUTHORIZATION )
).decorate( clientServer )
);
suite.addTest
(
(
new NativeAuthenticationServiceTest
- ( FILE, NATIVE, LOCAL, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+ ( FILE, NATIVE, LOCAL, DONT_DISABLE_AUTH )
).decorate( clientServer )
);
@@ -442,14 +432,14 @@ public class NativeAuthenticationService
(
(
new NativeAuthenticationServiceTest
- ( FILE, NATIVE, SYSTEM_WIDE, DISABLE_AUTHORIZATION, ENABLE_JAVA_SECURITY )
+ ( FILE, NATIVE, SYSTEM_WIDE, DISABLE_AUTHORIZATION )
).decorate( clientServer )
);
suite.addTest
(
(
new NativeAuthenticationServiceTest
- ( FILE, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+ ( FILE, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH )
).decorate( clientServer )
);
@@ -466,14 +456,14 @@ public class NativeAuthenticationService
(
(
new NativeAuthenticationServiceTest
- ( JAR, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+ ( JAR, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH )
).decorate( clientServer )
);
suite.addTest
(
(
new NativeAuthenticationServiceTest
- ( JAR, NATIVE, LOCAL, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+ ( JAR, NATIVE, LOCAL, DONT_DISABLE_AUTH )
).decorate( clientServer )
);
@@ -484,14 +474,14 @@ public class NativeAuthenticationService
(
(
new NativeAuthenticationServiceTest
- ( CLASSPATH, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH, DISABLE_JAVA_SECURITY )
+ ( CLASSPATH, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH )
).decorate( clientServer )
);
suite.addTest
(
(
new NativeAuthenticationServiceTest
- ( CLASSPATH, NATIVE, LOCAL, DONT_DISABLE_AUTH, DISABLE_JAVA_SECURITY )
+ ( CLASSPATH, NATIVE, LOCAL, DONT_DISABLE_AUTH )
).decorate( clientServer )
);
}
@@ -512,8 +502,6 @@ public class NativeAuthenticationService
Test result = this;
- if ( _disableSecurityManager ) { result = SecurityManagerSetup.noSecurityManager( result ); }
-
//
// Putting the clientServer decorator on the inside allows the server-side
// embedded driver to be re-registered after engine shutdown. If you put
@@ -881,11 +869,8 @@ public class NativeAuthenticationService
// database accessed via jar subprotocol
vetProtocol( jarDBName( _credentialsDBLocation ) );
- //
- // We only use the classpath subprotocol if we are not running under a security manager.
- // We may be able to remove that restriction after DERBY-5615 is fixed.
- //
- if ( _disableSecurityManager ) { vetProtocol( classpathDBName() ); }
+ // database accessed via classpath subprotocol
+ vetProtocol( classpathDBName() );
}
///////////////////////////////////////////////////////////////////////////////////