You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Carsten Ziegeler (JIRA)" <ji...@apache.org> on 2018/09/12 14:18:00 UTC
[jira] [Reopened] (FELIX-5910) [ConfigAdmin] Set correct
AccessControlContext when firing events
[ https://issues.apache.org/jira/browse/FELIX-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler reopened FELIX-5910:
-------------------------------------
Thanks, yes this looks like a SCR bug, it has to register the listener using the config admin bundle and therefore the listener is executed in the wrong bundle context
> [ConfigAdmin] Set correct AccessControlContext when firing events
> -----------------------------------------------------------------
>
> Key: FELIX-5910
> URL: https://issues.apache.org/jira/browse/FELIX-5910
> Project: Felix
> Issue Type: Bug
> Components: Configuration Admin
> Affects Versions: configadmin-1.9.4
> Environment: - Felix fwk 6.0.0
> - Felix security 2.6.0
> - Felix config admin 1.9.4 and 1.9.5-SNAPSHOT
> Reporter: Christoph Nölle
> Assignee: Carsten Ziegeler
> Priority: Major
> Fix For: configadmin-1.9.6
>
>
> ConfigAdmin requests a restricted set of permissions by means of a permissions.perm file, which must not restrict the permissions of other bundles to which it sends events. There is in fact a mechanism in place to prevent this, using the protection domain of the bundle, in the class ManagedServiceTracker (resolving the related issue https://issues.apache.org/jira/browse/FELIX-4362). However, the UpdateThread class does not use this mechanism; instead it explicitly sets an AccessControlContext based on its own protection domain, hence enforcing its own restricted set of permissions to the event listeners. Below are two examples of the resulting AccessControlExceptions I get... there is just one additional bundle in the stack trace, felix-scr, which has all permissions and can be ignored from the permissions point of view.
> By the way, removing the permissions.perm file from ConfigAdmin resolves the problem, confirming that the bug is indeed in ConfigAdmin.
> rg.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] : [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering configuration event to [org.osgi.service.cm.ConfigurationListener, id=18, bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
> at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
> at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
> at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2042)
> at java.base/java.lang.Class.getClassLoader(Class.java:807)
> at org.apache.felix.scr.impl.inject.methods.BaseMethod.findMethod(BaseMethod.java:158)
> at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$400(BaseMethod.java:41)
> at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.resolve(BaseMethod.java:602)
> at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.methodExists(BaseMethod.java:626)
> at org.apache.felix.scr.impl.inject.methods.BaseMethod.methodExists(BaseMethod.java:528)
> at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:315)
> at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:307)
> at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeModifiedMethod(SingleComponentManager.java:810)
> at org.apache.felix.scr.impl.manager.SingleComponentManager.modify(SingleComponentManager.java:765)
> at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:683)
> at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:647)
> at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:435)
> at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
> at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
> at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
> at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
> at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
> at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
> at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
> at java.base/java.lang.Thread.run(Thread.java:844)
> org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] : [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering configuration event to [org.osgi.service.cm.ConfigurationListener, id=18, bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied ("org.osgi.framework.ServicePermission" "java.lang.Runnable" "register")
> at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
> at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
> at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:322)
> at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:891)
> at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:877)
> at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
> at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:944)
> at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:727)
> at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:661)
> at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:427)
> at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:440)
> at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
> at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
> at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
> at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
> at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
> at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
> at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
> at java.base/java.lang.Thread.run(Thread.java:844)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)