You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@openjpa.apache.org by Kevin Sutter <kw...@gmail.com> on 2007/03/13 13:55:56 UTC

Java 2 Security testing?

Just curious,
Has there been any testing with Java 2 Security enabled and OpenJPA?  I'm
hitting a semi-intermittent problem (it doesn't seem to show up on all
machines) which results in an NPE coming out of the
javax.persistence.Persistence.createEntityManager method.  I know we have no
control over this specific piece of code, but I'm wondering whether we need
some doPriv blocks elsewhere in the code path.  I reviewed the JIRA Issues
and didn't see anything related to this.  Before I go further, I thought I
would check to see if there's been any other experiences with Java 2
Security.  Thanks.

Kevin

P.S.  Here's the call stack if you are interested...

Caused by: java.lang.NullPointerException
    at java.io.Win32CanonicalPathComponentRetriever.nextComponent(
Win32CanonicalPath.java:318)
    at java.io.Win32CanonicalPath.equals(Win32CanonicalPath.java:117)
    at java.io.FilePermission.impliesIgnoreMask(FilePermission.java:373)
    at java.io.FilePermissionCollection.implies(FilePermission.java:763)
    at
org.eclipse.osgi.framework.internal.core.ConditionalPermissionSet.implies(
ConditionalPermissionSet.java:224)
    at
org.eclipse.osgi.framework.internal.core.BundleCombinedPermissions.implies(
BundleCombinedPermissions.java:124)
    at java.security.ProtectionDomain.implies(ProtectionDomain.java:225)
    at java.security.AccessController.checkPermission(AccessController.java
:94)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
    at com.ibm.ws.security.core.SecurityManager.checkPermission(
SecurityManager.java:189)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:886)
    at java.io.File.exists(File.java:726)
    at org.apache.openjpa.lib.meta.URLMetaDataIterator.getFile(
URLMetaDataIterator.java:68)
    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
XMLMetaDataParser.java:311)
    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
XMLMetaDataParser.java:289)
    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
XMLMetaDataParser.java:263)
    at
org.apache.openjpa.persistence.PersistenceProductDerivation$ConfigurationParser.parse
(PersistenceProductDerivation.java:419)
    at
org.apache.openjpa.persistence.PersistenceProductDerivation.parseResources(
PersistenceProductDerivation.java:287)
    at org.apache.openjpa.persistence.PersistenceProductDerivation.load(
PersistenceProductDerivation.java:254)
    at org.apache.openjpa.persistence.PersistenceProductDerivation.load(
PersistenceProductDerivation.java:152)
    at
org.apache.openjpa.persistence.PersistenceProviderImpl.createEntityManagerFactory
(PersistenceProviderImpl.java:66)
    at
org.apache.openjpa.persistence.PersistenceProviderImpl.createEntityManagerFactory
(PersistenceProviderImpl.java:78)
    at javax.persistence.Persistence.createEntityManagerFactory(
Persistence.java:83)
    at javax.persistence.Persistence.createEntityManagerFactory(
Persistence.java:60)

Re: Java 2 Security testing?

Posted by Kevin Sutter <kw...@gmail.com>.

Marc,

On 3/13/07, Marc Prud'hommeaux <mp...@apache.org> wrote:
>
> Kevin-
>
> I don't think we've done extensive stand-alone testing with security
> enabled, but we have people using OpenJPA in so many different exotic
> containers with their attendant security settings, that I'd be a
> little surprised if there were essential doPriv checks that were
> missing.


I agree.  This is kind of convoluted environment.  We have WebSphere
6.1with Spring (not sure of the version) and OpenJPA
0.9.7 nightly.

The fact that it is an intermittent NPE from
> "java.io.Win32CanonicalPathComponentRetriever" gives me a little
> pause. Which JVM did you test on?


Maybe intermittent isn't the right word.  It's really where we run into the
problem on one machine and not another.  But, the visual inspection
indicates that the environments are the same.  The current testing is with
the IBM JDK 5.0 SR3.  We will also check out the latest SR4 and the Sun JDK
to see if the results change.

Also, it'd be nice to figure out what that file name being passed to
> File.exists() is. A println on the file name in
> URLMetaDataIterator.getFile() might show that it is a string with
> such crazy characters that it triggers some other bug with Windows
> file handing.


Good idea.  I was assuming that it was a standard file (ie. persistence.xml).
Let me try that as well.

Kevin


On Mar 13, 2007, at 5:55 AM, Kevin Sutter wrote:
>
> > Just curious,
> > Has there been any testing with Java 2 Security enabled and
> > OpenJPA?  I'm
> > hitting a semi-intermittent problem (it doesn't seem to show up on all
> > machines) which results in an NPE coming out of the
> > javax.persistence.Persistence.createEntityManager method.  I know
> > we have no
> > control over this specific piece of code, but I'm wondering whether
> > we need
> > some doPriv blocks elsewhere in the code path.  I reviewed the JIRA
> > Issues
> > and didn't see anything related to this.  Before I go further, I
> > thought I
> > would check to see if there's been any other experiences with Java 2
> > Security.  Thanks.
> >
> > Kevin
> >
> > P.S.  Here's the call stack if you are interested...
> >
> > Caused by: java.lang.NullPointerException
> >    at java.io.Win32CanonicalPathComponentRetriever.nextComponent(
> > Win32CanonicalPath.java:318)
> >    at java.io.Win32CanonicalPath.equals(Win32CanonicalPath.java:117)
> >    at java.io.FilePermission.impliesIgnoreMask(FilePermission.java:
> > 373)
> >    at java.io.FilePermissionCollection.implies(FilePermission.java:
> > 763)
> >    at
> > org.eclipse.osgi.framework.internal.core.ConditionalPermissionSet.impl
> > ies(
> > ConditionalPermissionSet.java:224)
> >    at
> > org.eclipse.osgi.framework.internal.core.BundleCombinedPermissions.imp
> > lies(
> > BundleCombinedPermissions.java:124)
> >    at java.security.ProtectionDomain.implies(ProtectionDomain.java:
> > 225)
> >    at java.security.AccessController.checkPermission
> > (AccessController.java
> > :94)
> >    at java.lang.SecurityManager.checkPermission
> > (SecurityManager.java:547)
> >    at com.ibm.ws.security.core.SecurityManager.checkPermission(
> > SecurityManager.java:189)
> >    at java.lang.SecurityManager.checkRead(SecurityManager.java:886)
> >    at java.io.File.exists(File.java:726)
> >    at org.apache.openjpa.lib.meta.URLMetaDataIterator.getFile(
> > URLMetaDataIterator.java:68)
> >    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
> > XMLMetaDataParser.java:311)
> >    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
> > XMLMetaDataParser.java:289)
> >    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
> > XMLMetaDataParser.java:263)
> >    at
> > org.apache.openjpa.persistence.PersistenceProductDerivation
> > $ConfigurationParser.parse
> > (PersistenceProductDerivation.java:419)
> >    at
> > org.apache.openjpa.persistence.PersistenceProductDerivation.parseResou
> > rces(
> > PersistenceProductDerivation.java:287)
> >    at
> > org.apache.openjpa.persistence.PersistenceProductDerivation.load(
> > PersistenceProductDerivation.java:254)
> >    at
> > org.apache.openjpa.persistence.PersistenceProductDerivation.load(
> > PersistenceProductDerivation.java:152)
> >    at
> > org.apache.openjpa.persistence.PersistenceProviderImpl.createEntityMan
> > agerFactory
> > (PersistenceProviderImpl.java:66)
> >    at
> > org.apache.openjpa.persistence.PersistenceProviderImpl.createEntityMan
> > agerFactory
> > (PersistenceProviderImpl.java:78)
> >    at javax.persistence.Persistence.createEntityManagerFactory(
> > Persistence.java:83)
> >    at javax.persistence.Persistence.createEntityManagerFactory(
> > Persistence.java:60)
>
>

Re: Java 2 Security testing?

Posted by Marc Prud'hommeaux <mp...@apache.org>.

Kevin-

I don't think we've done extensive stand-alone testing with security  
enabled, but we have people using OpenJPA in so many different exotic  
containers with their attendant security settings, that I'd be a  
little surprised if there were essential doPriv checks that were  
missing.

The fact that it is an intermittent NPE from  
"java.io.Win32CanonicalPathComponentRetriever" gives me a little  
pause. Which JVM did you test on?

Also, it'd be nice to figure out what that file name being passed to  
File.exists() is. A println on the file name in  
URLMetaDataIterator.getFile() might show that it is a string with  
such crazy characters that it triggers some other bug with Windows  
file handing.



On Mar 13, 2007, at 5:55 AM, Kevin Sutter wrote:

> Just curious,
> Has there been any testing with Java 2 Security enabled and  
> OpenJPA?  I'm
> hitting a semi-intermittent problem (it doesn't seem to show up on all
> machines) which results in an NPE coming out of the
> javax.persistence.Persistence.createEntityManager method.  I know  
> we have no
> control over this specific piece of code, but I'm wondering whether  
> we need
> some doPriv blocks elsewhere in the code path.  I reviewed the JIRA  
> Issues
> and didn't see anything related to this.  Before I go further, I  
> thought I
> would check to see if there's been any other experiences with Java 2
> Security.  Thanks.
>
> Kevin
>
> P.S.  Here's the call stack if you are interested...
>
> Caused by: java.lang.NullPointerException
>    at java.io.Win32CanonicalPathComponentRetriever.nextComponent(
> Win32CanonicalPath.java:318)
>    at java.io.Win32CanonicalPath.equals(Win32CanonicalPath.java:117)
>    at java.io.FilePermission.impliesIgnoreMask(FilePermission.java: 
> 373)
>    at java.io.FilePermissionCollection.implies(FilePermission.java: 
> 763)
>    at
> org.eclipse.osgi.framework.internal.core.ConditionalPermissionSet.impl 
> ies(
> ConditionalPermissionSet.java:224)
>    at
> org.eclipse.osgi.framework.internal.core.BundleCombinedPermissions.imp 
> lies(
> BundleCombinedPermissions.java:124)
>    at java.security.ProtectionDomain.implies(ProtectionDomain.java: 
> 225)
>    at java.security.AccessController.checkPermission 
> (AccessController.java
> :94)
>    at java.lang.SecurityManager.checkPermission 
> (SecurityManager.java:547)
>    at com.ibm.ws.security.core.SecurityManager.checkPermission(
> SecurityManager.java:189)
>    at java.lang.SecurityManager.checkRead(SecurityManager.java:886)
>    at java.io.File.exists(File.java:726)
>    at org.apache.openjpa.lib.meta.URLMetaDataIterator.getFile(
> URLMetaDataIterator.java:68)
>    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
> XMLMetaDataParser.java:311)
>    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
> XMLMetaDataParser.java:289)
>    at org.apache.openjpa.lib.meta.XMLMetaDataParser.parse(
> XMLMetaDataParser.java:263)
>    at
> org.apache.openjpa.persistence.PersistenceProductDerivation 
> $ConfigurationParser.parse
> (PersistenceProductDerivation.java:419)
>    at
> org.apache.openjpa.persistence.PersistenceProductDerivation.parseResou 
> rces(
> PersistenceProductDerivation.java:287)
>    at  
> org.apache.openjpa.persistence.PersistenceProductDerivation.load(
> PersistenceProductDerivation.java:254)
>    at  
> org.apache.openjpa.persistence.PersistenceProductDerivation.load(
> PersistenceProductDerivation.java:152)
>    at
> org.apache.openjpa.persistence.PersistenceProviderImpl.createEntityMan 
> agerFactory
> (PersistenceProviderImpl.java:66)
>    at
> org.apache.openjpa.persistence.PersistenceProviderImpl.createEntityMan 
> agerFactory
> (PersistenceProviderImpl.java:78)
>    at javax.persistence.Persistence.createEntityManagerFactory(
> Persistence.java:83)
>    at javax.persistence.Persistence.createEntityManagerFactory(
> Persistence.java:60)