Posted to dev@felix.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/11/08 12:13:00 UTC

[jira] [Commented] (FELIX-5978) Felix framework unable to retrieve custom URL handlers when security is on

    [ https://issues.apache.org/jira/browse/FELIX-5978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16679665#comment-16679665 ] 

ASF GitHub Bot commented on FELIX-5978:
---------------------------------------

GitHub user timothyjward opened a pull request:

    https://github.com/apache/felix/pull/160

    [FELIX-5978] Ensure getClassLoader() is called in a safe way when security is enabled
    
    Previously URLHandlers would explode when security was on because it didn't have permission to get the ClassLoader all the way down the stack
    
    Signed-off-by: Tim Ward <ti...@apache.org>

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/timothyjward/felix FELIX-5978

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/felix/pull/160.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #160
    
----
commit e30d80a31b03731fd1b67fb551d58b10741eb5d1
Author: Tim Ward <ti...@...>
Date:   2018-11-08T12:11:29Z

    [FELIX-5978] Ensure getClassLoader() is called in a safe way when security is enabled
    
    Previously URLHandlers would explode when security was on because it didn't have permission to get the ClassLoader all the way down the stack
    
    Signed-off-by: Tim Ward <ti...@apache.org>

----


> Felix framework unable to retrieve custom URL handlers when security is on
> --------------------------------------------------------------------------
>
>                 Key: FELIX-5978
>                 URL: https://issues.apache.org/jira/browse/FELIX-5978
>             Project: Felix
>          Issue Type: Bug
>    Affects Versions: framework-6.0.0, framework-6.0.1
>            Reporter: Timothy Ward
>            Priority: Critical
>             Fix For: framework-6.0.2
>
>
> When running with multiple frameworks in the same VM, custom URL Handlers, and OSGi security on, there are a couple of problems:
>  
> Firstly, this security exception results in the custom URL handler being ignored. The framework should really be using a doPriv here.
> {code:java}
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at java.security.AccessController.checkPermission(AccessController.java:884)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1528)
> at java.lang.Class.getClassLoader(Class.java:683)
> at org.apache.felix.framework.URLHandlers.getFrameworkFromContext(URLHandlers.java:690)
> at org.apache.felix.framework.URLHandlersStreamHandlerProxy.getStreamHandlerService(URLHandlersStreamHandlerProxy.java:574)
> at org.apache.felix.framework.URLHandlersStreamHandlerProxy.toExternalForm(URLHandlersStreamHandlerProxy.java:474)
> at java.net.URL.toExternalForm(URL.java:929)
> at java.net.URL.toString(URL.java:915)
> at java.lang.ClassLoader.defineClassSourceLocation(ClassLoader.java:678)
> at java.lang.ClassLoader.defineClass(ClassLoader.java:762)
> at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.defineClass(BundleWiringImpl.java:2344)
> at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.defineClassParallel(BundleWiringImpl.java:2162)
> at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.findClass(BundleWiringImpl.java:2096)
> at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1565)
> at org.apache.felix.framework.BundleWiringImpl.access$300(BundleWiringImpl.java:79)
> at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1982)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> at org.apache.felix.cm.impl.ConfigurationManager.configure(ConfigurationManager.java:758)
> {code}
> Secondly, the wrong framework is returned some of the time due to the logic of URLHandlers.getFrameworkContext() - in this method it assumes that there will be a bundle class loader on the stack, which is not true when the launcher is starting a bundle (the framework reflectively loads the Activator type which requires a URL check to set the security domain).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
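
The AccessControlException in the quoted trace and the "doPriv" remedy the report asks for can be reproduced in isolation. The following is an added example, not code from Felix or from the pull request; the class and method names are hypothetical, the all-permissions policy and the empty protection domain are constructed for the demonstration, and it assumes a JVM where the Security Manager can still be installed (Java 8 through 17 by default).

```java
import java.lang.reflect.*;
import java.net.URLClassLoader;
import java.security.*;
public class GetClassLoaderDemo {
    // Unguarded: every protection domain on the call stack must hold
    // RuntimePermission("getClassLoader"), which is what the quoted trace hit.
    static ClassLoader direct(Class<?> c) { return c.getClassLoader(); }

    // Guarded: doPrivileged ends the permission walk at this class, so only
    // this code's own protection domain needs the permission.
    static ClassLoader guarded(final Class<?> c) {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() { return c.getClassLoader(); }
        });
    }
    // Constructed stand-in for an unprivileged caller further down the stack.
    static final AccessControlContext NO_PERMS = new AccessControlContext(
        new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    static String fromUntrustedCaller(final Class<?> c, final boolean useGuard) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                try {
                    if (useGuard) guarded(c); else direct(c);
                    return "allowed";
                } catch (AccessControlException e) {
                    return "denied: " + e.getPermission().getName();
                }
            }
        }, NO_PERMS);
    }

    public static void main(String[] args) {
        // A class whose loader is not an ancestor of ours, so the JDK performs the check.
        ClassLoader isolated = new URLClassLoader(new java.net.URL[0], null);
        Class<?> foreign = Proxy.newProxyInstance(isolated, new Class<?>[] { Runnable.class },
            new InvocationHandler() {
                public Object invoke(Object p, Method m, Object[] a) { return null; }
            }).getClass();
        direct(foreign); guarded(foreign); // no SecurityManager yet: neither call is checked
        // Assumed policy for the demo: this program's own code is fully trusted.
        Policy.setPolicy(new Policy() {
            public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());
        System.out.println("direct:  " + fromUntrustedCaller(foreign, false));
        System.out.println("guarded: " + fromUntrustedCaller(foreign, true));
    }
}
```

The guarded form only helps when the code calling doPrivileged holds the permission itself, and the privileged block should stay as narrow as the single getClassLoader() call so that no caller-controlled work runs with the elevated context.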