Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2011/09/14 03:50:08 UTC

[jira] [Commented] (CXF-2683) client fails under java2 security policy in spi.Provider.provider using FactoryFinder

    [ https://issues.apache.org/jira/browse/CXF-2683?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13104156#comment-13104156 ] 

Daniel Kulp commented on CXF-2683:
----------------------------------


I cannot reproduce the NPE with current, but there are definitely improvements needed. I've updated trunk (2.5) to use the AccessController for more areas. With that, I can run the wsdl_first example (both client and server) using a security policy of:

{code}
grant { 
    //needed to read the cxf-rt-frontend-jaxws jar to get the correct JAX-WS implementation
    //as well as the jaxb implementation and likely things like SAAJ and Stax parsers
    permission java.io.FilePermission  "/home/dkulp/.m2/repository/-", "read"; 

    //needed to be able to get the WSDL
    permission java.io.FilePermission  "/home/dkulp/working/cxf/distribution/src/main/release/samples/-", "read"; 

    //required to publish
    permission javax.xml.ws.WebServicePermission "publishEndpoint";

    //general
    permission java.util.PropertyPermission "line.separator", "read";

    //XmlSchema fix needed (will be in XmlSchema 2.0.1)
    permission java.util.PropertyPermission "org.apache.ws.commons.*", "read";

    //jetty - needed to open the server sockets and accept connections
    permission java.util.PropertyPermission "org.eclipse.jetty.*", "read";
    permission java.net.SocketPermission "*", "resolve";
    permission java.net.SocketPermission "*", "listen";
    permission java.net.SocketPermission "*", "accept";

    //HTTPUrlConnection for clients
    permission java.net.SocketPermission "*", "connect";
};

// stuff for JAXB
grant codeBase "file:/home/dkulp/.m2/repository/com/sun/xml/bind/-" {
    permission java.util.PropertyPermission "mapAnyUriToUri", "read";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

//Spring related things
grant codeBase "file:/home/dkulp/.m2/repository/org/springframework/-" {
    permission java.util.PropertyPermission "user.*", "read";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:/home/dkulp/.m2/repository/org/apache/cxf/-" {
    //various properties that we'll look for
    permission java.util.PropertyPermission "org.apache.cxf.*", "read"; 
    permission java.util.PropertyPermission "cxf.*", "read"; 
    permission java.util.PropertyPermission "OASISCatalogManager.catalog.*", "read";
    permission java.util.PropertyPermission "spring.validation.mode", "read";
    permission java.util.PropertyPermission "user.dir", "read";

    //permissions we need at runtime
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

    permission java.util.PropertyPermission "http.proxyHost", "read"; 

    //JAXB - doesn't do this one in an AccessController so we need to set it
    permission java.util.PropertyPermission "mapAnyUriToUri", "read";

};     
{code}

> client fails under java2 security policy in spi.Provider.provider using FactoryFinder
> -------------------------------------------------------------------------------------
>
>                 Key: CXF-2683
>                 URL: https://issues.apache.org/jira/browse/CXF-2683
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.2.6
>         Environment: AIX JDK > java -fullversion
> java full version "J2RE 1.5.0 IBM AIX build pap32dev-20070201 (SR4)"
>            Reporter: craig bordelon
>             Fix For: 2.5
>
>
> I run the jaxws_async sample just fine out of the box.
> But I get various unhelpful errors below when I make an adjustment to the ant cxfrun to add a java2 security setup.   The errors don't help me with what permissions I need in the security policy.
> First I change the build.xml to:
>         <!--<cxfrun classname="demo.hw.client.Client" param1="${basedir}/wsdl/hello_world_async.wsdl" param2="${op}" param3="${param}"/>-->
>         <cxfrun classname="demo.hw.client.Client" jvmarg1="-Djava.security.manager" jvmarg2="-Djava.security.policy==my.policy" param1="${basedir}/wsdl/hello_world_async.wsdl" param2="${op}" param3="${param}"/>
> and then if the my.policy file in the directory with build.xml has just
> grant {
>     permission java.security.AllPermission;
> }
> I again have no problem running the "ant client" (while the "ant server" is running)
> I again have no problem if I have this policy (note the /common/bord/java/cxf/apache-cxf-2.2.6 is my $CXF_HOME)
> grant codeBase "file:/common/bord/java/cxf/apache-cxf-2.2.6/samples/jaxws_async/-" {
>   permission java.security.AllPermission;
> }
> grant codeBase "file:/common/bord/java/cxf/apache-cxf-2.2.6/lib/-" {
>     permission java.security.AllPermission;
> };
> Now, I cannot grant all permissions like this in my production container, so I need to determine the fine-grain permissions that will allow me to use CXF, so
> I comment out the first permission...AllPermission that I had under the file:...jaxws_async and when I run the ant client I get this unhelpful issue:
> client:
>      [java] Exception in thread "main" java.lang.NullPointerException
>      [java]     at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:91)
>      [java]     at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:205)
>      [java]     at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:148)
>      [java]     at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:65)
>      [java]     at javax.xml.ws.Service.<init>(Service.java:36)
>      [java]     at org.apache.hello_world_async_soap_http.SOAPService.<init>(SOAPService.java:48)
>      [java]     at demo.hw.client.Client.main(Client.java:53)
>      [java] Java Result: 1
> Next, I put back the AllPermission for the jaxws_async and then comment out the permission ...AllPermission for the file:.../lib (the CXF_HOME/lib) and when I run the ant client I get this unhelpful issue
> client:
>      [java] Exception in thread "main" javax.xml.ws.spi.FactoryFinder$ConfigurationError: Provider org.apache.axis2.jaxws.spi.Provider not found
>      [java]     at javax.xml.ws.spi.FactoryFinder$2.run(FactoryFinder.java:135)
>      [java]     at java.security.AccessController.doPrivileged(AccessController.java:193)
>      [java]     at javax.xml.ws.spi.FactoryFinder.doPrivileged(FactoryFinder.java:266)
>      [java]     at javax.xml.ws.spi.FactoryFinder.newInstance(FactoryFinder.java:122)
>      [java]     at javax.xml.ws.spi.FactoryFinder.access$200(FactoryFinder.java:42)
>      [java]     at javax.xml.ws.spi.FactoryFinder$3.run(FactoryFinder.java:255)
>      [java]     at java.security.AccessController.doPrivileged(AccessController.java:193)
>      [java]     at javax.xml.ws.spi.FactoryFinder.doPrivileged(FactoryFinder.java:266)
>      [java]     at javax.xml.ws.spi.FactoryFinder.find(FactoryFinder.java:165)
>      [java]     at javax.xml.ws.spi.Provider.provider(Provider.java:39)
>      [java]     at javax.xml.ws.Service.<init>(Service.java:36)
>      [java]     at org.apache.hello_world_async_soap_http.SOAPService.<init>(SOAPService.java:48)
>      [java]     at demo.hw.client.Client.main(Client.java:53)
>      [java] Java Result: 1
> So, I am really lost as to how to set up the java2 security permissions to grant just what I need to use CXF.... and there obviously seem to be bugs in the code as normally when a permission is missing one gets a clear Permission exception explaining the missing permission.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
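
When reviewing a policy file like the one in the comment above, it helps to list which permissions are granted to all code (a grant block with no codeBase) and which are scoped to one codeBase. The following is an added example, not part of the original message and not CXF code: a small Python parser for the policy syntax, run on a constructed sample policy. It assumes only codeBase and the quoted target and actions need interpreting; signedBy and principal clauses are ignored.

```python
import re

# Constructed sample in the same policy syntax (not the policy from the message).
SAMPLE_POLICY = r'''
grant {
    // jetty - server sockets
    permission java.net.SocketPermission "*", "listen";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.io.FilePermission "${user.home}/.m2/repository/-", "read";
};
grant codeBase "file:/opt/example/lib/-" {
    permission java.security.AllPermission;
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
'''

STRING_OR_COMMENT = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^"{])*)\{((?:"[^"]*"|[^"}])*)\}')
CODEBASE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
PERMISSION = re.compile(r'\bpermission\s+([\w.$]+)((?:"[^"]*"|[^";])*);')


def parse_policy(text):
    """Return (code_base or None, permission class, target, actions) tuples."""
    # Drop comments but keep quoted strings, which may contain "//" or braces.
    text = STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)
    entries = []
    for header, body in GRANT.findall(text):
        found = CODEBASE.search(header)
        code_base = found.group(1) if found else None
        for cls, args in PERMISSION.findall(body):
            quoted = re.findall(r'"([^"]*)"', args) + [None, None]
            entries.append((code_base, cls, quoted[0], quoted[1]))
    return entries


def audit(text):
    """List AllPermission grants and wildcard targets granted to all code."""
    findings = []
    for code_base, cls, target, actions in parse_policy(text):
        if cls == "java.security.AllPermission":
            findings.append((code_base or "ALL CODE", cls, target, "all permissions"))
        elif code_base is None and target and target[-1] in "*-":
            findings.append(("ALL CODE", cls, target, "wildcard for all code"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_POLICY), sep="\n")
```

Each finding is a candidate for moving into a codeBase-scoped grant or narrowing to a specific target, not an automatic error.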