Posted to issues@activemq.apache.org by "Justin Bertram (JIRA)" <ji...@apache.org> on 2015/11/20 23:53:11 UTC

[jira] [Resolved] (ARTEMIS-294) Make ServiceUtils loads its services within doPrivileged block

     [ https://issues.apache.org/jira/browse/ARTEMIS-294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram resolved ARTEMIS-294.
------------------------------------
    Resolution: Fixed

> Make ServiceUtils loads its services within doPrivileged block
> --------------------------------------------------------------
>
>                 Key: ARTEMIS-294
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-294
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 1.1.0
>            Reporter: Jeff Mesnil
>            Assignee: Justin Bertram
>             Fix For: 1.1.1
>
>
> We have tests that fail when the JVM is running a Security Manager.
> {noformat}
> 1) IJ000604: Throwable while attempting to get a new connection: null: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/opt/buildAgent/work/6da23a4ee9951677/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/wildfly/extension/messaging-activemq/main/wildfly-messaging-activemq-10.0.0.CR5-SNAPSHOT.jar" "read")" in code source "(vfs:/content/DefaultJMSConnectionFactoryTest.jar <no signer certificates>)" of "null")
>     at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
>     at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>     at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:377)
>     at java.util.zip.ZipFile.<init>(ZipFile.java:210)
>     at java.util.zip.ZipFile.<init>(ZipFile.java:149)
>     at java.util.jar.JarFile.<init>(JarFile.java:166)
>     at java.util.jar.JarFile.<init>(JarFile.java:103)
>     at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
>     at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
>     at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
>     at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
>     at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
>     at java.net.URL.openStream(URL.java:1038)
>     at java.util.ServiceLoader.parse(ServiceLoader.java:304)
>     at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
>     at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
>     at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
>     at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
>     at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
>     at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
>     at org.apache.activemq.artemis.service.extensions.ServiceUtils.setActiveMQXAResourceWrapperFactory(ServiceUtils.java:72)
>     at org.apache.activemq.artemis.service.extensions.ServiceUtils.getActiveMQXAResourceWrapperFactory(ServiceUtils.java:40)
>     at org.apache.activemq.artemis.service.extensions.ServiceUtils.wrapXAResource(ServiceUtils.java:46)
>     at org.apache.activemq.artemis.ra.ActiveMQRAManagedConnection.getXAResource(ActiveMQRAManagedConnection.java:480)
>     at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.createConnectionListener(TxConnectionManagerImpl.java:715)
>     at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1345)
>     at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:501)
>     at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:717)
>     at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:614)
>     at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:603)
>     at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
>     at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:761)
>     at org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.allocateConnection(ActiveMQRASessionFactoryImpl.java:853)
>     at org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.createSession(ActiveMQRASessionFactoryImpl.java:520)
>    ...
> {noformat}
> After debugging, the issue is in the RA's ServiceUtils that loads its services outside an AccessController.doPrivileged block. Depending on who's requesting the RA's managed connection, it may not have the required permissions to load the services.
> In addition, the ServiceUtils loads its services using the TCCL and caches its activeMQXAResourceWrapperFactory instance.
> Depending on who's requesting a managed connection, the TCCL might differ. It'd be better to use the ServiceUtils's own class loader instead.
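
One way to apply the two changes the description asks for, as an added Java example (not the Artemis source and not the committed fix): create and iterate the `ServiceLoader` inside `doPrivileged`, and pass the class's own loader instead of the TCCL. `PrivilegedServiceLookup`, `WrapperFactory` and `DefaultWrapperFactory` are hypothetical names standing in for `ServiceUtils` and its factory type.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.ServiceLoader;

// Added illustration; hypothetical stand-in for ServiceUtils.
public final class PrivilegedServiceLookup {

    /** Hypothetical SPI standing in for the XA resource wrapper factory. */
    public interface WrapperFactory {
        String name();
    }

    /** Fallback when no provider is listed under META-INF/services. */
    static final class DefaultWrapperFactory implements WrapperFactory {
        @Override public String name() { return "default"; }
    }

    // Safe to cache: the result no longer depends on the caller's TCCL.
    private static volatile WrapperFactory cached;

    private PrivilegedServiceLookup() { }

    public static WrapperFactory getFactory() {
        WrapperFactory f = cached;
        if (f == null) {
            f = load();
            cached = f;
        }
        return f;
    }

    private static WrapperFactory load() {
        // No caller-supplied value enters the privileged block: the service
        // type and the class loader are both fixed by this class.
        return AccessController.doPrivileged((PrivilegedAction<WrapperFactory>) () -> {
            // On the JDK 8 line shown in the trace, ServiceLoader records the
            // access control context at creation and reads META-INF/services
            // lazily in hasNext(), so both steps must run in here.
            ClassLoader own = PrivilegedServiceLookup.class.getClassLoader();
            Iterator<WrapperFactory> it =
                    ServiceLoader.load(WrapperFactory.class, own).iterator();
            return it.hasNext() ? it.next() : new DefaultWrapperFactory();
        });
    }

    public static void main(String[] args) {
        System.out.println(getFactory().name()); // no provider on the classpath
    }
}
```

`AccessController` is deprecated for removal since Java 17 (JEP 411), so this compiles with a deprecation warning on current JDKs.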


