Posted to dev@myfaces.apache.org by "Paul Nicolucci (JIRA)" <de...@myfaces.apache.org> on 2012/05/02 18:52:49 UTC
[jira] [Created] (MYFACES-3536) AccessControlException occurs when
using a CustomExceptionHandler to navigate to a page using the
NavigationHandler
Paul Nicolucci created MYFACES-3536:
---------------------------------------
Summary: AccessControlException occurs when using a CustomExceptionHandler to navigate to a page using the NavigationHandler
Key: MYFACES-3536
URL: https://issues.apache.org/jira/browse/MYFACES-3536
Project: MyFaces Core
Issue Type: Bug
Components: JSR-314
Affects Versions: 2.0.13
Environment: WebSphere Application Server Version 8.0 with Java2 Security enabled
Reporter: Paul Nicolucci
After fixing MYFACES-3530 I enabled Java2 Security in WebSphere Application Server Version 8.0 and found the following issue related to using a custom Exception Handler to handle a ViewExpiredException.
When we navigate to a page from the custom Exception Handler in the application the following exception occurs:
java.security.AccessControlException: Access denied org.osgi.framework.AdminPermission (id=65) resolve,resource)
at java.security.AccessController.checkPermission(AccessController.java:108)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
at org.eclipse.osgi.framework.internal.core.BundleResourceHandler.checkAuthorization(BundleResourceHandler.java:289)
at org.eclipse.osgi.framework.internal.core.BundleResourceHandler.parseURL(BundleResourceHandler.java:128)
at java.net.URL.<init>(URL.java:608)
at java.net.URL.<init>(URL.java:476)
at java.net.URL.<init>(URL.java:425)
at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
at org.apache.xerces.impl.XMLEntityManager.startDTDEntity(Unknown Source)
at org.apache.xerces.impl.XMLDTDScannerImpl.setInputSource(Unknown Source)
at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl.parse(Unknown Source)
at javax.xml.parsers.SAXParser.parse(Unknown Source)
at org.apache.myfaces.view.facelets.compiler.SAXCompiler.doCompileViewMetadata(SAXCompiler.java:712)
at org.apache.myfaces.view.facelets.compiler.Compiler.compileViewMetadata(Compiler.java:126)
at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory._createViewMetadataFacelet(DefaultFaceletFactory.java:311)
at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory.getViewMetadataFacelet(DefaultFaceletFactory.java:394)
at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory.getViewMetadataFacelet(DefaultFaceletFactory.java:376)
at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage._getViewMetadataFacelet(FaceletViewDeclarationLanguage.java:1940)
at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage.access$000(FaceletViewDeclarationLanguage.java:129)
at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage$FaceletViewMetadata.createMetadataView(FaceletViewDeclarationLanguage.java:2049)
at org.apache.myfaces.application.NavigationHandlerImpl.handleNavigation(NavigationHandlerImpl.java:174)
at com.ibm.ws.jsf.fat.test.PM62254.ViewExpiredExceptionExceptionHandler.handle(ViewExpiredExceptionExceptionHandler.java:45) -> Application code
I've attached Exception.txt showing the full stack trace for reference. The exception looks to come from:
org.apache.myfaces.view.facelets.compiler.SAXCompiler.doCompileViewMetadata(SAXCompiler.java:712).
I've attached a suggested patch that wraps the offending code in an AccessController.doPrivileged block. I had to make the following changes to completely fix the problem:
1) Make the ViewMetadataHandler and SAXParser local variables final so they can be used within the doPrivileged block.
2) I had to create a secondary InputStream object "finalInputStream", which is just a copy of the local "is" InputStream but is marked final so it can also be used within the doPrivileged block.
3) I also added a nested try/catch block that will catch the PrivilegedActionException and catches the SAXException/IOException and keeps the behavior we had before ( throwing IOException, throwing new FaceletException for the SAXException ). I had to do this since the doPrivileged block wraps the exceptions from parser.parse in a PrivilegedActionException.
4) The new code is only used if System.getSecurityManager() != null so there should be no performance ramifications if security is not enabled.
Please review and let me know if you are ok with my patch.
Thanks!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
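The approach described in the report above, sketched as an added example; it is not the attached SAXCompiler.patch and not MyFaces code. The class PrivilegedParseExample, the helper parse and the sample XML strings are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Illustrative only. System.getSecurityManager() and AccessController are
// deprecated in JDK 17 and later, so newer compilers print deprecation warnings.
public class PrivilegedParseExample {

    // Hypothetical helper: parses 'is' with 'handler' and surfaces the same
    // checked exceptions whether or not a SecurityManager is installed.
    static void parse(final SAXParser parser, InputStream is, final DefaultHandler handler)
            throws IOException, SAXException {
        if (System.getSecurityManager() == null) {
            // No security manager: plain call, no privileged wrapper on this path.
            parser.parse(is, handler);
            return;
        }
        // Final copy so the anonymous class can capture it (point 2 of the report).
        final InputStream finalInputStream = is;
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                public Void run() throws SAXException, IOException {
                    // Only the parse call runs with the library's own permissions.
                    parser.parse(finalInputStream, handler);
                    return null;
                }
            });
        } catch (PrivilegedActionException pae) {
            // doPrivileged wraps checked exceptions; unwrap so callers see the
            // same types as on the unprivileged path (point 3 of the report).
            Exception cause = pae.getException();
            if (cause instanceof SAXException) {
                throw (SAXException) cause;
            }
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IllegalStateException(cause);
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
        // Constructed sample inputs: one well-formed, one with a missing end tag.
        String[] samples = { "<view><metadata/></view>", "<view><metadata></view>" };
        for (String xml : samples) {
            InputStream is = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
            try {
                parse(parser, is, new DefaultHandler());
                System.out.println("parsed: " + xml);
            } catch (SAXException e) {
                System.out.println("SAXException reached the caller unwrapped: " + xml);
            }
        }
    }
}
```

Everything the parser does inside run(), including the DTD entity resolution visible in the stack trace, executes with the calling library's permissions, so a wrapper like this belongs only around input the framework itself trusts, such as the application's own Facelets files.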
[jira] [Commented] (MYFACES-3536) AccessControlException occurs
when using a CustomExceptionHandler to navigate to a page using the
NavigationHandler
Posted by "Mark Struberg (JIRA)" <de...@myfaces.apache.org>.
[ https://issues.apache.org/jira/browse/MYFACES-3536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268654#comment-13268654 ]
Mark Struberg commented on MYFACES-3536:
----------------------------------------
Patch looks ok to me.
> AccessControlException occurs when using a CustomExceptionHandler to navigate to a page using the NavigationHandler
> -------------------------------------------------------------------------------------------------------------------
>
> Key: MYFACES-3536
> URL: https://issues.apache.org/jira/browse/MYFACES-3536
> Project: MyFaces Core
> Issue Type: Bug
> Components: JSR-314
> Affects Versions: 2.0.13
> Environment: WebSphere Application Server Version 8.0 with Java2 Security enabled
> Reporter: Paul Nicolucci
> Attachments: Exception.txt, SAXCompiler.patch
>
> Original Estimate: 4h
> Remaining Estimate: 4h
>
[jira] [Commented] (MYFACES-3536) AccessControlException occurs
when using a CustomExceptionHandler to navigate to a page using the
NavigationHandler
Posted by "Paul Nicolucci (JIRA)" <de...@myfaces.apache.org>.
[ https://issues.apache.org/jira/browse/MYFACES-3536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13270794#comment-13270794 ]
Paul Nicolucci commented on MYFACES-3536:
-----------------------------------------
Thanks for taking a look Mark, can you commit the changes for me?
[jira] [Resolved] (MYFACES-3536) AccessControlException occurs when
using a CustomExceptionHandler to navigate to a page using the
NavigationHandler
Posted by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org>.
[ https://issues.apache.org/jira/browse/MYFACES-3536?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Leonardo Uribe resolved MYFACES-3536.
-------------------------------------
Resolution: Fixed
Fix Version/s: 2.1.8
2.0.14
Assignee: Leonardo Uribe
Thanks to Paul Nicolucci for providing this patch.
> AccessControlException occurs when using a CustomExceptionHandler to navigate to a page using the NavigationHandler
> -------------------------------------------------------------------------------------------------------------------
>
> Key: MYFACES-3536
> URL: https://issues.apache.org/jira/browse/MYFACES-3536
> Project: MyFaces Core
> Issue Type: Bug
> Components: JSR-314
> Affects Versions: 2.0.13
> Environment: WebSphere Application Server Version 8.0 with Java2 Security enabled
> Reporter: Paul Nicolucci
> Assignee: Leonardo Uribe
> Fix For: 2.0.14, 2.1.8
>
> Attachments: Exception.txt, SAXCompiler.patch
>
> Original Estimate: 4h
> Remaining Estimate: 4h
>