GLASSFISH-11367

@XmlAccessorType(XmlAccessType.FIELD) with Security Manager enabled

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: V3
    • Fix Version/s: V3
    • Component/s: security
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: Linux

    • Issuezilla Id:
      11,367

      Description

      If I configure JAXB to access the class fields -
      @XmlAccessorType(XmlAccessType.FIELD) - instead of using getter & setter
      methods, Glassfish throws an exception during the data serialization. I am using
      the Jersey framework to expose web-services and the ability to serialize classes
      through its fields is a common requirement.

      If I disable the SecurityManager, everything works fine.

      I am not sure if there is a configuration somewhere to unleash the fields
      serialization, or other safe workaround - but IMO the behaviour of JAXB
      serialization should not be constrained by the security manager.

      I created a small project for testing this issue, it is attached to this report.

      How to test:

      1) Deploy the war file to Glassfish and open the below URL. It will fail due to
      the fields access issue.

      http://localhost:8080/JerseyTest/test

      2) Edit the file
      test/model/package-info.java

      and comment or remove the line:
      @XmlAccessorType(XmlAccessType.FIELD)

      3) build and redeploy the project:
      mvn compile package
      asadmin undeploy JerseyTest
      asadmin deploy target/JerseyTest.war

      4) refresh the test URL in your browser:
      http://localhost:8080/JerseyTest/test

      it will work now.

      Expected solution:

      1) A configuration through the asadmin CLI or via graphical interface - by
      project is enough.

      2) Configuration instructions on how to allow FIELD access with Security Manager.

      3) a simple bug fix and normal operation

        Activity

        felipegaucho added a comment -

        Please cancel this issue.

        The problem was: several frameworks out there use reflection to inspect the
        classes, and we need to add a special security entry in the server.policy to
        allow such frameworks to work with the security manager enabled, like:

        grant codeBase "file:${com.sun.aas.installRoot}/domains/domain1/applications/arena-dwr/-" {
            permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        };

        This issue is reported everywhere; it seems more a lack of knowledge of the
        developers than a Glassfish problem. Anyway, a simple button in the
        configuration panel or CLI still may be a good idea.

        an example of the issue report:
        http://www.seamframework.org/Community/EnablingSecurityManagerInGlassfishV3Final

        kumarjayanti added a comment -

        marking invalid, please raise an RFE against admin submodule for the feature.
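
Added example, not part of the issue thread or the attached test project: a minimal Java program showing why field-based access needs the ReflectPermission "suppressAccessChecks" grant discussed above while getter-based access does not. The class names and the custom SecurityManager (a stand-in for a server.policy without that grant) are constructed for illustration; it assumes a JDK where a SecurityManager can still be installed (up to 17, or 18 to 23 with -Djava.security.manager=allow).

```java
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

public class FieldAccessDemo {
    // Constructed sample bean standing in for a JAXB-mapped model class.
    public static class Person {
        private String name = "alice";
        public String getName() { return name; }
    }

    // Hypothetical stand-in for a policy that lacks the ReflectPermission grant:
    // it denies only "suppressAccessChecks" and permits everything else.
    // (A policy-driven manager would throw AccessControlException, a SecurityException subclass.)
    static class NoSuppressAccessChecks extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (p instanceof ReflectPermission && "suppressAccessChecks".equals(p.getName())) {
                throw new SecurityException("denied: " + p);
            }
        }
    }

    // What a FIELD accessor has to do: open a private field reflectively.
    static String readViaField(Object o) throws Exception {
        Field f = o.getClass().getDeclaredField("name");
        f.setAccessible(true); // checks ReflectPermission("suppressAccessChecks")
        return (String) f.get(o);
    }

    // What a property accessor does: call the public getter, no access override needed.
    static String readViaGetter(Object o) throws Exception {
        Method m = o.getClass().getMethod("getName");
        return (String) m.invoke(o);
    }

    public static void main(String[] args) throws Exception {
        Person p = new Person();
        System.setSecurityManager(new NoSuppressAccessChecks());
        System.out.println("getter: " + readViaGetter(p));
        try {
            System.out.println("field:  " + readViaField(p));
        } catch (SecurityException e) {
            System.out.println("field:  blocked, " + e.getMessage());
        }
    }
}
```

Because "suppressAccessChecks" lets the granted code open private members of any class it can reach, keeping the grant on a single application's codeBase, as in the policy entry above, limits it to the code that needs it.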


          People

          • Assignee:
            kumarjayanti
            Reporter:
            felipegaucho
          • Votes:
            0
            Watchers:
            0
