Posted to commits@myfaces.apache.org by mc...@apache.org on 2010/04/24 21:26:02 UTC
svn commit: r937679 - in /myfaces:
core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/
shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/
Author: mconcini
Date: Sat Apr 24 19:26:01 2010
New Revision: 937679
URL: http://svn.apache.org/viewvc?rev=937679&view=rev
Log:
MYFACES-2673 - Java2 security problems in 2.0.0
Modified:
myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/DefaultLifecycleProviderFactory.java
myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/LifecycleProviderFactory.java
myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassLoaderUtils.java
myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java
Modified: myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/DefaultLifecycleProviderFactory.java
URL: http://svn.apache.org/viewvc/myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/DefaultLifecycleProviderFactory.java?rev=937679&r1=937678&r2=937679&view=diff
==============================================================================
--- myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/DefaultLifecycleProviderFactory.java (original)
+++ myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/DefaultLifecycleProviderFactory.java Sat Apr 24 19:26:01 2010
@@ -20,6 +20,9 @@ package org.apache.myfaces.config.annota
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.discovery.resource.ClassLoaders;
@@ -28,6 +31,7 @@ import org.apache.commons.discovery.Reso
import org.apache.myfaces.buildtools.maven2.plugin.builder.annotation.JSFWebConfigParam;
import org.apache.myfaces.shared_impl.util.ClassUtils;
+import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
import javax.naming.Context;
import javax.naming.InitialContext;
@@ -123,49 +127,97 @@ public class DefaultLifecycleProviderFac
}
- private boolean resolveLifecycleProviderFromService(ExternalContext externalContext) {
- ClassLoader classLoader = ClassUtils.getContextClassLoader();
- ClassLoaders loaders = new ClassLoaders();
- loaders.put(classLoader);
- loaders.put(this.getClass().getClassLoader());
- DiscoverServiceNames dsn = new DiscoverServiceNames(loaders);
- ResourceNameIterator iter = dsn.findResourceNames(LIFECYCLE_PROVIDER);
- while (iter.hasNext()) {
- String className = iter.nextResourceName();
- try
- {
- Object obj = createClass(className, externalContext);
- if (DiscoverableLifecycleProvider.class.isAssignableFrom(obj.getClass())) {
- DiscoverableLifecycleProvider discoverableLifecycleProvider =
- (DiscoverableLifecycleProvider) obj;
- if (discoverableLifecycleProvider.isAvailable()) {
- LIFECYCLE_PROVIDER_INSTANCE = discoverableLifecycleProvider;
- return true;
- }
- }
- }
- catch (ClassNotFoundException e)
- {
- // ignore
- }
- catch (NoClassDefFoundError e)
- {
- // ignore
- }
- catch (InstantiationException e)
- {
- log.log(Level.SEVERE, "", e);
- }
- catch (IllegalAccessException e)
+ private boolean resolveLifecycleProviderFromService(
+ ExternalContext externalContext)
+ {
+ boolean returnValue = false;
+ final ExternalContext extContext = externalContext;
+ try
+ {
+ if (System.getSecurityManager() != null)
{
- log.log(Level.SEVERE, "", e);
+ returnValue = AccessController.doPrivileged(new java.security.PrivilegedExceptionAction<Boolean>()
+ {
+ public Boolean run() throws ClassNotFoundException,
+ NoClassDefFoundError,
+ InstantiationException,
+ IllegalAccessException,
+ InvocationTargetException,
+ PrivilegedActionException
+ {
+ ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+ ClassLoaders loaders = new ClassLoaders();
+ loaders.put(classLoader);
+ loaders.put(this.getClass().getClassLoader());
+ DiscoverServiceNames dsn = new DiscoverServiceNames(loaders);
+ ResourceNameIterator iter = dsn.findResourceNames(LIFECYCLE_PROVIDER);
+ while (iter.hasNext())
+ {
+ String className = iter.nextResourceName();
+ Object obj = createClass(className,extContext);
+ if (DiscoverableLifecycleProvider.class.isAssignableFrom(obj.getClass()))
+ {
+ DiscoverableLifecycleProvider discoverableLifecycleProvider = (DiscoverableLifecycleProvider) obj;
+ if (discoverableLifecycleProvider.isAvailable())
+ {
+ LIFECYCLE_PROVIDER_INSTANCE = discoverableLifecycleProvider;
+ return (Boolean) true;
+ }
+ }
+ }
+ return (Boolean) false;
+ }
+ });
}
- catch (InvocationTargetException e)
+ else
{
- log.log(Level.SEVERE, "", e);
+ ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+ ClassLoaders loaders = new ClassLoaders();
+ loaders.put(classLoader);
+ loaders.put(this.getClass().getClassLoader());
+ DiscoverServiceNames dsn = new DiscoverServiceNames(loaders);
+ ResourceNameIterator iter = dsn.findResourceNames(LIFECYCLE_PROVIDER);
+ while (iter.hasNext())
+ {
+ String className = iter.nextResourceName();
+ Object obj = createClass(className, externalContext);
+ if (DiscoverableLifecycleProvider.class.isAssignableFrom(obj.getClass()))
+ {
+ DiscoverableLifecycleProvider discoverableLifecycleProvider = (DiscoverableLifecycleProvider) obj;
+ if (discoverableLifecycleProvider.isAvailable())
+ {
+ LIFECYCLE_PROVIDER_INSTANCE = discoverableLifecycleProvider;
+ return true;
+ }
+ }
+ }
}
}
- return false;
+ catch (ClassNotFoundException e)
+ {
+ // ignore
+ }
+ catch (NoClassDefFoundError e)
+ {
+ // ignore
+ }
+ catch (InstantiationException e)
+ {
+ log.log(Level.SEVERE, "", e);
+ }
+ catch (IllegalAccessException e)
+ {
+ log.log(Level.SEVERE, "", e);
+ }
+ catch (InvocationTargetException e)
+ {
+ log.log(Level.SEVERE, "", e);
+ }
+ catch (PrivilegedActionException e)
+ {
+ throw new FacesException(e);
+ }
+ return returnValue;
}
private Object createClass(String className, ExternalContext externalContext)
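Review bot: The per-candidate exception handling is lost in the new `resolveLifecycleProviderFromService`: the `try` now wraps the whole `while` loop in both branches, so the first `ClassNotFoundException` or `NoClassDefFoundError` ends discovery instead of moving on to the next service name as the removed code did. In the privileged branch, checked exceptions thrown from `run()` reach the caller wrapped in `PrivilegedActionException`, so the `ClassNotFoundException`, `InstantiationException`, `IllegalAccessException` and `InvocationTargetException` handlers after the `try` are not reached on that path, and a missing optional provider becomes a `FacesException` only when a security manager is installed. Keeping the `try`/`catch` inside the loop in both branches restores the old behaviour and lets `run()` declare no checked exceptions. It is also worth checking whether instantiating the discovered class and calling `isAvailable()` need to sit inside `doPrivileged` at all, since a privileged block is easier to audit when it holds only the call that needs the permission.

```java
// inside run() and, identically, inside the else branch
while (iter.hasNext())
{
    String className = iter.nextResourceName();
    try
    {
        Object obj = createClass(className, extContext);
        // … unchanged: DiscoverableLifecycleProvider check, isAvailable(), assignment and return …
    }
    catch (ClassNotFoundException e)
    {
        // ignore: this candidate is not loadable, try the next service name
    }
    catch (NoClassDefFoundError e)
    {
        // ignore: this candidate is not loadable, try the next service name
    }
    catch (InstantiationException e)
    {
        log.log(Level.SEVERE, "", e);
    }
    // … unchanged: IllegalAccessException and InvocationTargetException handlers, now per candidate …
}
```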
Modified: myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/LifecycleProviderFactory.java
URL: http://svn.apache.org/viewvc/myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/LifecycleProviderFactory.java?rev=937679&r1=937678&r2=937679&view=diff
==============================================================================
--- myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/LifecycleProviderFactory.java (original)
+++ myfaces/core/trunk/impl/src/main/java/org/apache/myfaces/config/annotation/LifecycleProviderFactory.java Sat Apr 24 19:26:01 2010
@@ -18,9 +18,13 @@
*/
package org.apache.myfaces.config.annotation;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+
import org.apache.commons.discovery.tools.DiscoverSingleton;
+import javax.faces.FacesException;
import javax.faces.context.ExternalContext;
@@ -32,10 +36,36 @@ public abstract class LifecycleProviderF
public static LifecycleProviderFactory getLifecycleProviderFactory()
{
LifecycleProviderFactory instance = INSTANCE;
- if (instance != null) {
+ if (instance != null)
+ {
return instance;
}
- return (LifecycleProviderFactory) DiscoverSingleton.find(LifecycleProviderFactory.class, FACTORY_DEFAULT);
+ LifecycleProviderFactory lpf = null;
+ try
+ {
+
+ if (System.getSecurityManager() != null)
+ {
+ lpf = (LifecycleProviderFactory) AccessController.doPrivileged(new java.security.PrivilegedExceptionAction<Object>()
+ {
+ public Object run() throws PrivilegedActionException
+ {
+ return DiscoverSingleton.find(
+ LifecycleProviderFactory.class,
+ FACTORY_DEFAULT);
+ }
+ });
+ }
+ else
+ {
+ lpf = (LifecycleProviderFactory) DiscoverSingleton.find(LifecycleProviderFactory.class, FACTORY_DEFAULT);
+ }
+ }
+ catch (PrivilegedActionException pae)
+ {
+ throw new FacesException(pae);
+ }
+ return lpf;
}
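Review bot: The `PrivilegedExceptionAction<Object>` in `getLifecycleProviderFactory` declares `throws PrivilegedActionException` on `run()`, but nothing visible in that body throws a checked exception, so the `catch (PrivilegedActionException pae)` below it looks unreachable in practice. A plain `PrivilegedAction<LifecycleProviderFactory>` with the cast moved inside `run()` would remove the outer cast, the catch and the `FacesException` import. Because this is a public static entry point, a short comment naming the permission the discovery needs, and why it is acceptable to run it on behalf of any caller, would help the next audit of this privileged block.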
Modified: myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassLoaderUtils.java
URL: http://svn.apache.org/viewvc/myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassLoaderUtils.java?rev=937679&r1=937678&r2=937679&view=diff
==============================================================================
--- myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassLoaderUtils.java (original)
+++ myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassLoaderUtils.java Sat Apr 24 19:26:01 2010
@@ -26,6 +26,9 @@ import java.io.InputStreamReader;
import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
@@ -36,6 +39,8 @@ import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.faces.FacesException;
+
/**
* Utility methods for accessing classes and resources using an appropriate
* class loader.
@@ -208,12 +213,34 @@ public final class ClassLoaderUtils
}
/**
- * Dynamically accesses the current context class loader.
+ * Dynamically accesses the current context class loader.
+ * Includes a check for priviledges against java2 security
+ * to ensure no security related exceptions are encountered.
* Returns null if there is no per-thread context class loader.
*/
public static ClassLoader getContextClassLoader()
{
- return Thread.currentThread().getContextClassLoader();
+ if (System.getSecurityManager() != null)
+ {
+ try {
+ ClassLoader cl = AccessController.doPrivileged(new PrivilegedExceptionAction<ClassLoader>()
+ {
+ public ClassLoader run() throws PrivilegedActionException
+ {
+ return Thread.currentThread().getContextClassLoader();
+ }
+ });
+ return cl;
+ }
+ catch (PrivilegedActionException pae)
+ {
+ throw new FacesException(pae);
+ }
+ }
+ else
+ {
+ return Thread.currentThread().getContextClassLoader();
+ }
}
/**
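Review bot: `getContextClassLoader()` is a public static method on a public utility class, and it now returns the context class loader from inside `doPrivileged`, so the `RuntimePermission("getClassLoader")` check that `Thread.getContextClassLoader()` can perform is evaluated against this class and not against whoever called the utility. If code with fewer permissions than MyFaces can reach this class, it obtains the loader without holding that permission; the Javadoc should say so, for example `Callers receive the loader without a permission check of their own; do not hand the result to less trusted code.`, or the privileged variant should not be public. Separately, `run()` throws nothing checked, so `PrivilegedAction<ClassLoader>` would remove the `PrivilegedActionException` catch and the `javax.faces` dependency from this shared utility. The added Javadoc also misspells "privileges" as "priviledges".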
Modified: myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java
URL: http://svn.apache.org/viewvc/myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java?rev=937679&r1=937678&r2=937679&view=diff
==============================================================================
--- myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java (original)
+++ myfaces/shared/trunk_4.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java Sat Apr 24 19:26:01 2010
@@ -406,26 +406,7 @@ public final class ClassUtils
*/
public static ClassLoader getContextClassLoader()
{
- if (System.getSecurityManager() != null)
- {
- try {
- ClassLoader cl = AccessController.doPrivileged(new PrivilegedExceptionAction<ClassLoader>()
- {
- public ClassLoader run() throws PrivilegedActionException
- {
- return Thread.currentThread().getContextClassLoader();
- }
- });
- return cl;
- }
- catch (PrivilegedActionException pae)
- {
- throw new FacesException(pae);
- }
- }
- else
- {
- return Thread.currentThread().getContextClassLoader();
- }
+ // call into the same method on ClassLoaderUtils. no need for duplicate code maintenance.
+ return ClassLoaderUtils.getContextClassLoader();
}
}
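Review bot: After this delegation nothing in the visible body of `ClassUtils.getContextClassLoader()` uses `AccessController`, `PrivilegedExceptionAction`, `PrivilegedActionException` or `FacesException`, and the hunk does not touch the import block, so those imports may now be unused; they are worth removing if no other method in the file needs them. The new inline comment would be more useful in the method's existing Javadoc, e.g. `Delegates to {@link ClassLoaderUtils#getContextClassLoader()}, which performs the lookup inside doPrivileged.`, so callers can see that the returned loader is obtained with the library's privileges.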