glassfish / GLASSFISH-15299

Running with Sec Mgr Enabled: need property support handled by glassfish

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1_b33
    • Fix Version/s: 3.1_b36
    • Component/s: security
    • Labels:
      None
    • Environment:

      Solaris 10, Ultra 45, Glassfish 3.1 b33, JDK1.6_022

      Description

      DESCRIPTION:
      Using Glassfish with security manager enabled, if we run some CTS tests, we are seeing errors that should probably be handled on the glassfish server side. The following permissions have been encountered and are needed in the server.policy file - without these permissions, GF will not allow some common behavior to work.

      The permissions in question are:
      permission javax.management.MBeanServerPermission "findMBeanServer";
      permission java.lang.RuntimePermission "createSecurityManager";

      If we add these to server.policy then our tests work, but without them our tests fail. It has been suggested that the tests are doing common tasks that average users should be able to do, and that is why it's believed some level of support needs to be done on the GF server side.

      See attached for stacktrace details.

      WORK AROUND:
      ------------
      The work around is to manually add these properties to the server.policy file.

      ADDITIONAL PERMS:
      -----------------
      The following properties are also needed in server.policy and it is not clear if these ought to be configured (ie. added to server.policy) in the CTS config step or if these perms should be handled in Glassfish side.
      These additional properties are:

      permission javax.security.jacc.EJBMethodPermission SecEjbHelloBasic
      sayHelloBasic,ServiceEndpoint,java.lang.String)
      (see details for this perm in attached file: server.log.EJBMethodPermission )

      -phendley

      1. server.log.EJBMethodPermission
        59 kB
        phendley
      2. server.log.err3
        8 kB
        phendley
      3. server.log.err4
        8 kB
        phendley
      4. server.log.stacktraces
        396 kB
        phendley

        Activity

        mzh777 added a comment -

        Hi Dhiru, The issue is affecting CTS tests. Can you assign this to someone in CTS team?

        phendley added a comment -

        More permission failures uncovered. See the stack trace in the 3rd and 4th attachments of the server.log file. See server.log.err3 and server.log.err4 in which the following permission seems to be missing:
        permission((javax.security.jacc.EJBMethodPermission
        WSSecEjbHelloBasicSSL
        sayHelloBasic,ServiceEndpoint,java.lang.String))

        permission((javax.security.jacc.EJBMethodPermission
        WSSecEjbHelloBasicSSL
        sayHelloBasic,ServiceEndpoint,java.lang.String)

        It's not clear if these perms need to be handled by CTS config or if it should be handled by Glassfish. See attached files for stacktrace details on these perms.

        -phendley

        Nithya Ramakrishnan added a comment -

        The EJBMethodPermission are app-specific and cannot be granted by the Glassfish server.policy. The failures imply that the client does not have enough permissions for invoking the method.

        The java.lang.RuntimePermission "createSecurityManager"; cannot be granted in Glassfish server.policy and has to be handled by the CTS config. For the javax.management.MBeanServerPermission "findMBeanServer"; , can you please raise an issue with the admin/jmx team to investigate if this permission can be added to server.policy.

        We are closing this issue. If you think that EJBMethodPermission cannot occur because the client uses the right credentials, please raise another issue with the steps to reproduce.

        Nithya Ramakrishnan added a comment -

        Please see the comments above.

        Nithya Ramakrishnan added a comment -

        Paul,

        Can you please provide us the stack trace corresponding to the permission java.lang.RuntimePermission "createSecurityManager"; failure? We shall try to locate the source of the error in this case.

        As mentioned previously, for the permission javax.management.MBeanServerPermission "findMBeanServer"; , please raise an issue with the admin/JMX team for investigation wrt that.

        Nithya Ramakrishnan added a comment -

        Since the RuntimePermission for createSecurityManager seems to originate from the Webcontainer code, reopening this issue and assigning to the webcontainer team to investigate :

        [#|2010-12-23T09:01:48.284-0500|WARNING|glassfish3.1|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=15;_ThreadName=Thread-1;|java.security.AccessControlException: access denied (java.lang.RuntimePermission createSecurityManager)
        java.security.AccessControlException: access denied (java.lang.RuntimePermission createSecurityManager)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.<init>(SecurityManager.java:282)
        at org.apache.catalina.core.StandardContext$MySecurityManager.<init>(StandardContext.java:7362)
        at org.apache.catalina.core.StandardContext$MySecurityManager.<init>(StandardContext.java:7362)
        at org.apache.catalina.core.StandardContext.<init>(StandardContext.java:167)
        at com.sun.enterprise.web.pwc.PwcWebModule.<init>(PwcWebModule.java:54)
        at com.sun.enterprise.web.WebModule.<init>(WebModule.java:186)
        at com.sun.enterprise.web.EmbeddedWebContainer.createContext(EmbeddedWebContainer.java:190)
        at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1794)
        at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1629)
        at com.sun.enterprise.web.WebApplication.start(WebApplication.java:100)
        at org.glassfish.internal.data.EngineRef.start(EngineRef.java:130)
        at org.glassfish.internal.data.ModuleInfo.start(ModuleInfo.java:269)
        at org.glassfish.internal.data.ApplicationInfo.start(ApplicationInfo.java:290)
        at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:461)
        at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:240)
        at com.sun.ejb.containers.EjbContainerUtilImpl.deployEJBTimerService(EjbContainerUtilImpl.java:547)
        at com.sun.ejb.containers.EjbContainerUtilImpl.getEJBTimerService(EjbContainerUtilImpl.java:289)
        at com.sun.ejb.containers.EjbContainerUtilImpl.getEJBTimerService(EjbContainerUtilImpl.java:284)
        at com.sun.ejb.containers.EjbContainerUtilImpl.getEJBTimerService(EjbContainerUtilImpl.java:269)
        at com.sun.ejb.EjbNamingReferenceManagerImpl.getEJBContextObject(EjbNamingReferenceManagerImpl.java:230)
        at com.sun.enterprise.container.common.impl.ComponentEnvManagerImpl$EjbContextProxy.create(ComponentEnvManagerImpl.java:911)
        at com.sun.enterprise.naming.impl.GlassfishNamingManagerImpl.lookup(GlassfishNamingManagerImpl.java:771)
        at com.sun.enterprise.naming.impl.GlassfishNamingManagerImpl.lookup(GlassfishNamingManagerImpl.java:740)
        at com.sun.enterprise.naming.impl.JavaURLContext.lookup(JavaURLContext.java:166)
        at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:538)
        at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:491)
        at javax.naming.InitialContext.lookup(InitialContext.java:392)
        at javax.naming.InitialContext.lookup(InitialContext.java:392)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl._inject(InjectionManagerImpl.java:597)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.inject(InjectionManagerImpl.java:468)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.injectInstance(InjectionManagerImpl.java:173)
        at com.sun.ejb.containers.BaseContainer.injectEjbInstance(BaseContainer.java:1691)
        at com.sun.ejb.containers.AbstractSingletonContainer.createSingletonEJB(AbstractSingletonContainer.java:504)
        at com.sun.ejb.containers.AbstractSingletonContainer.access$100(AbstractSingletonContainer.java:79)
        at com.sun.ejb.containers.AbstractSingletonContainer$SingletonContextFactory.create(AbstractSingletonContainer.java:717)
        at com.sun.ejb.containers.AbstractSingletonContainer.instantiateSingletonInstance(AbstractSingletonContainer.java:449)
        at org.glassfish.ejb.startup.SingletonLifeCycleManager.initializeSingleton(SingletonLifeCycleManager.java:216)
        at org.glassfish.ejb.startup.SingletonLifeCycleManager.initializeSingleton(SingletonLifeCycleManager.java:177)
        at com.sun.ejb.containers.AbstractSingletonContainer.checkInit(AbstractSingletonContainer.java:421)
        at com.sun.ejb.containers.CMCSingletonContainer._getContext(CMCSingletonContainer.java:117)
        at com.sun.ejb.containers.BaseContainer.getContext(BaseContainer.java:2528)
        at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:1895)
        at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:205)
        at com.sun.ejb.containers.EJBObjectInvocationHandlerDelegate.invoke(EJBObjectInvocationHandlerDelegate.java:79)
        at $Proxy188.add(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.corba.ee.impl.presentation.rmi.ReflectiveTie.dispatchToMethod(ReflectiveTie.java:144)
        at com.sun.corba.ee.impl.presentation.rmi.ReflectiveTie._invoke(ReflectiveTie.java:174)
        at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatchToServant(CorbaServerRequestDispatcherImpl.java:528)
        at com.sun.corba.ee.impl.protocol.CorbaServerRequestDispatcherImpl.dispatch(CorbaServerRequestDispatcherImpl.java:199)
        at com.sun.corba.ee.impl.protocol.CorbaMessageMediatorImpl.handleRequestRequest(CorbaMessageMediatorImpl.java:1624)
        at com.sun.corba.ee.impl.protocol.SharedCDRClientRequestDispatcherImpl.marshalingComplete(SharedCDRClientRequestDispatcherImpl.java:126)
        at com.sun.corba.ee.impl.protocol.CorbaClientDelegateImpl.invoke(CorbaClientDelegateImpl.java:243)
        at com.sun.corba.ee.impl.presentation.rmi.StubInvocationHandlerImpl.privateInvoke(StubInvocationHandlerImpl.java:200)
        at com.sun.corba.ee.impl.presentation.rmi.StubInvocationHandlerImpl.invoke(StubInvocationHandlerImpl.java:152)
        at com.sun.corba.ee.impl.presentation.rmi.codegen.CodegenStubBase.invoke(CodegenStubBase.java:227)
        at com.sun.ts.tests.ejb30.common.helloejbjar._HelloRemoteIF_Remote_DynamicStub.add(com/sun/ts/tests/ejb30/common/helloejbjar/_HelloRemoteIF_Remote_DynamicStub.java)
        at com.sun.ts.tests.ejb30.common.helloejbjar._HelloRemoteIF_Wrapper.add(com/sun/ts/tests/ejb30/common/helloejbjar/_HelloRemoteIF_Wrapper.java)
        at com.sun.ts.tests.ejb30.assembly.appres.common.AppResTest.beanPostConstruct(AppResTest.java:114)
        at com.sun.ts.tests.ejb30.assembly.appres.common.TestServletBase2.postConstruct(TestServletBase2.java:42)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl$3.run(InjectionManagerImpl.java:728)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.invokeLifecycleMethod(InjectionManagerImpl.java:722)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.inject(InjectionManagerImpl.java:492)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.injectInstance(InjectionManagerImpl.java:146)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.injectInstance(InjectionManagerImpl.java:132)
        at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.createManagedObject(InjectionManagerImpl.java:311)
        at com.sun.enterprise.web.WebContainer.createServletInstance(WebContainer.java:701)
        at com.sun.enterprise.web.WebModule.createServletInstance(WebModule.java:1943)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1263)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1240)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5025)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:5317)
        at com.sun.enterprise.web.WebModule.start(WebModule.java:497)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:917)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:148)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:170)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:899)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:753)
        at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1981)
        at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1629)
        at com.sun.enterprise.web.WebApplication.start(WebApplication.java:100)
        at org.glassfish.internal.data.EngineRef.start(EngineRef.java:130)
        at org.glassfish.internal.data.ModuleInfo.start(ModuleInfo.java:269)
        at org.glassfish.internal.data.ApplicationInfo.start(ApplicationInfo.java:290)
        at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:461)
        at com.sun.enterprise.v3.server.ApplicationLifecycle.deploy(ApplicationLifecycle.java:240)
        at org.glassfish.deployment.admin.DeployCommand.execute(DeployCommand.java:370)
        at com.sun.enterprise.v3.admin.CommandRunnerImpl$1.execute(CommandRunnerImpl.java:359)
        at com.sun.enterprise.v3.admin.CommandRunnerImpl.doCommand(CommandRunnerImpl.java:369)
        at com.sun.enterprise.v3.admin.CommandRunnerImpl.doCommand(CommandRunnerImpl.java:1080)
        at com.sun.enterprise.v3.admin.CommandRunnerImpl.access$1200(CommandRunnerImpl.java:95)
        at com.sun.enterprise.v3.admin.CommandRunnerImpl$ExecutionContext.execute(CommandRunnerImpl.java:1260)
        at org.glassfish.deployment.autodeploy.AutoOperation.run(AutoOperation.java:145)
        at org.glassfish.deployment.autodeploy.AutoDeployer.deploy(AutoDeployer.java:577)
        at org.glassfish.deployment.autodeploy.AutoDeployer.deployAll(AutoDeployer.java:463)
        at org.glassfish.deployment.autodeploy.AutoDeployer.run(AutoDeployer.java:395)
        at org.glassfish.deployment.autodeploy.AutoDeployer.run(AutoDeployer.java:380)
        at org.glassfish.deployment.autodeploy.AutoDeployService$1.run(AutoDeployService.java:213)
        at java.util.TimerThread.mainLoop(Timer.java:512)
        at java.util.TimerThread.run(Timer.java:462)
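
An added example, not part of the original thread or of GlassFish: the access check walks the stack from the failing call down to the caller of the nearest `AccessController.doPrivileged`, so a `doPrivileged` lower in the stack does not cover code that runs above it. The script below lists the classes in that checked window that are neither JDK nor server code; the sample trace is abridged from the one quoted above, and the server package prefixes are an assumption.

```python
import re

# Constructed sample: abridged from the stack trace quoted in the comment
# above, most recent frame first. Frame order is preserved.
SAMPLE_TRACE = """\
java.security.AccessControlException: access denied (java.lang.RuntimePermission createSecurityManager)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.<init>(SecurityManager.java:282)
at org.apache.catalina.core.StandardContext$MySecurityManager.<init>(StandardContext.java:7362)
at org.apache.catalina.core.StandardContext.<init>(StandardContext.java:167)
at com.sun.enterprise.web.WebContainer.loadWebModule(WebContainer.java:1794)
at com.sun.ejb.containers.EjbContainerUtilImpl.deployEJBTimerService(EjbContainerUtilImpl.java:547)
at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:1895)
at com.sun.corba.ee.impl.presentation.rmi.codegen.CodegenStubBase.invoke(CodegenStubBase.java:227)
at com.sun.ts.tests.ejb30.common.helloejbjar._HelloRemoteIF_Wrapper.add(com/sun/ts/tests/ejb30/common/helloejbjar/_HelloRemoteIF_Wrapper.java)
at com.sun.ts.tests.ejb30.assembly.appres.common.AppResTest.beanPostConstruct(AppResTest.java:114)
at com.sun.ts.tests.ejb30.assembly.appres.common.TestServletBase2.postConstruct(TestServletBase2.java:42)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl$3.run(InjectionManagerImpl.java:728)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.invokeLifecycleMethod(InjectionManagerImpl.java:722)
at com.sun.enterprise.web.WebContainer.createServletInstance(WebContainer.java:701)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:170)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:899)
at org.glassfish.deployment.autodeploy.AutoDeployer.run(AutoDeployer.java:395)
"""

FRAME_RE = re.compile(r"^\s*at\s+([\w.$<>]+)\(", re.MULTILINE)
# Older JDKs print the permission unquoted, newer ones quote class and target.
DENIED_RE = re.compile(r'access denied \("?([\w.$]+)"?\s+"?([^")]*)')

JDK_PREFIXES = ("java.", "javax.", "sun.")
# Assumption: packages treated as server code for this trace; adjust per install.
SERVER_PREFIXES = (
    "com.sun.enterprise.", "com.sun.ejb.", "com.sun.corba.",
    "org.glassfish.", "org.apache.catalina.",
)


def parse_frames(trace):
    """Return [(class_name, method_name), ...], most recent frame first."""
    frames = []
    for qualified in FRAME_RE.findall(trace):
        cls, _, method = qualified.rpartition(".")
        frames.append((cls, method))
    return frames


def checked_frames(frames):
    """Frames whose protection domains the access check evaluates.

    The walk stops at the first doPrivileged frame; the caller of
    doPrivileged (the next frame) is the last one checked. Assumes the
    doPrivileged overload without an AccessControlContext argument.
    """
    for i, (cls, method) in enumerate(frames):
        if cls == "java.security.AccessController" and method == "doPrivileged":
            return frames[: i + 2]
    return frames  # no doPrivileged: the whole stack is checked


def classify(cls):
    if cls.startswith(JDK_PREFIXES):
        return "jdk"
    if cls.startswith(SERVER_PREFIXES):
        return "server"
    return "other"


def analyze(trace):
    """Summarise which non-server classes sit inside the checked window."""
    denied = DENIED_RE.search(trace)
    frames = parse_frames(trace)
    window = checked_frames(frames)
    suspects = []
    for cls, _ in window:
        if classify(cls) == "other" and cls not in suspects:
            suspects.append(cls)
    return {
        "permission": denied.groups() if denied else None,
        "total_frames": len(frames),
        "checked_frames": len(window),
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_TRACE)
    print("denied:", report["permission"])
    print("checked %d of %d frames" % (report["checked_frames"], report["total_frames"]))
    for cls in report["suspects"]:
        print("needs the permission or a closer doPrivileged:", cls)
```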

        Shing Wai Chan added a comment - - edited

        Web container code does have doPrivileged there as shown in the stack trace.

        The actual security check failure is as follows:
        [#|2011-01-03T13:48:50.015-0800|FINE|glassfish3.1|javax.enterprise.system.core.security|_ThreadID=20;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.provider.BasePolicyWrapper$2;MethodName=run;|Domain that failed(ProtectionDomain (file:/export/gfv3/src/v3/install/glassfish3/glassfish/domains/domain1/applications/ejb3_assembly_appres_warejb/lib/shared.jar <no signer certificates>)
        EarLibClassLoader :
        urlSet = [URLEntry : file:/export/gfv3/src/v3/install/glassfish3/glassfish/domains/domain1/applications/ejb3_assembly_appres_warejb/lib/shared.jar]
        doneCalled = false
        Parent -> org.glassfish.internal.api.DelegatingClassLoader@4bd11776

        <no principals>
        java.security.Permissions@8db2498 (
        (javax.management.MBeanPermission * *)
        (javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
        (java.io.FilePermission <<ALL FILES>> read,write,delete)
        (java.io.FilePermission /var/folders/NU/NUJy9eWeH5OxZNNQ8FRakE+++TI/Tmp//- delete)
        (java.io.FilePermission /export/gfv3/src/v3/install/glassfish3/glassfish/domains/domain1/lib/databases/- delete)
        (java.io.FilePermission <<ALL FILES>> read,write)
        (unresolved com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
        (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
        (unresolved org.osgi.framework.AdminPermission * *)
        (unresolved org.osgi.framework.AdminPermission * *)
        (java.lang.RuntimePermission getClassLoader)
        (java.lang.RuntimePermission loadLibrary.*)
        (java.lang.RuntimePermission createClassLoader)
        (java.lang.RuntimePermission accessDeclaredMembers)
        (java.lang.RuntimePermission setFactory)
        (java.lang.RuntimePermission getProtectionDomain)
        (java.lang.RuntimePermission modifyThreadGroup)
        (java.lang.RuntimePermission stopThread)
        (java.lang.RuntimePermission setContextClassLoader)
        (java.lang.RuntimePermission queuePrintJob)
        (java.net.SocketPermission localhost:1024- listen,resolve)
        (java.net.SocketPermission * connect,resolve)
        (java.security.SecurityPermission setProperty.policy.url.1)
        (java.security.SecurityPermission setProperty.policy.url.3)
        (java.security.SecurityPermission setProperty.policy.url.2)
        (java.security.SecurityPermission getPolicy)
        (java.security.SecurityPermission setPolicy)
        (java.security.SecurityPermission getProperty.policy.url.2)
        (java.security.SecurityPermission getProperty.policy.url.3)
        (java.security.SecurityPermission getProperty.policy.url.1)
        (java.lang.reflect.ReflectPermission suppressAccessChecks)
        (javax.management.MBeanTrustPermission register)
        (javax.xml.ws.WebServicePermission publishEndpoint)
        (javax.security.auth.AuthPermission doAsPrivileged)
        (javax.security.auth.AuthPermission modifyPrincipals)
        (javax.security.auth.AuthPermission modifyPrivateCredentials)
        (javax.security.auth.AuthPermission modifyPublicCredentials)
        (javax.security.auth.AuthPermission createLoginContext.fileRealm)
        (javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read)
        (javax.security.auth.PrivateCredentialPermission com.sun.enterprise.security.auth.login.common.PasswordCredential * "*" read)
        (javax.management.MBeanServerPermission createMBeanServer)
        (java.util.PropertyPermission java.vm.version read)
        (java.util.PropertyPermission apple.laf.* read,write)
        (java.util.PropertyPermission java.vendor.url read)
        (java.util.PropertyPermission java.vm.name read)
        (java.util.PropertyPermission com.apple.macos.useScreenMenuBar read,write)
        (java.util.PropertyPermission java.version read)
        (java.util.PropertyPermission file.separator read)
        (java.util.PropertyPermission j2eelogin.name write)
        (java.util.PropertyPermission java.specification.vendor read)
        (java.util.PropertyPermission line.separator read)
        (java.util.PropertyPermission java.vm.specification.version read)
        (java.util.PropertyPermission java.vm.specification.vendor read)
        (java.util.PropertyPermission j2eelogin.password write)
        (java.util.PropertyPermission * read,write)
        (java.util.PropertyPermission os.name read)
        (java.util.PropertyPermission java.vm.vendor read)
        (java.util.PropertyPermission path.separator read)
        (java.util.PropertyPermission org.xml.sax.parser write)
        (java.util.PropertyPermission java.specification.name read)
        (java.util.PropertyPermission os.version read)
        (java.util.PropertyPermission os.arch read)
        (java.util.PropertyPermission mrj.version read)
        (java.util.PropertyPermission com.apple.hwaccel read,write)
        (java.util.PropertyPermission apple.awt.* read,write)
        (java.util.PropertyPermission java.class.version read)
        (java.util.PropertyPermission java.vendor read)
        (java.util.PropertyPermission java.vm.specification.name read)
        (java.util.PropertyPermission java.specification.version read)
        )

        )|#]
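Added example (not part of the original comment and not GlassFish code): a Python check that parses a permission dump like the one in the log entry above and prints, in server.policy syntax, the required permissions the failing domain was not granted. The sample dump is constructed from a few of the entries above, `loadLibrary.example` is a constructed name, and the wildcard rule is a simplified assumption modelled on `java.security.BasicPermission` name matching, so only name-only permissions are evaluated.

```python
import re

# Constructed sample: a handful of entries copied from the permission dump above.
SAMPLE_DUMP = """java.security.Permissions@8db2498 (
 (unresolved org.osgi.framework.AdminPermission * *)
 (java.lang.RuntimePermission getClassLoader)
 (java.lang.RuntimePermission loadLibrary.*)
 (java.security.SecurityPermission getPolicy)
 (javax.management.MBeanServerPermission createMBeanServer)
 (java.util.PropertyPermission os.name read)
)"""

def parse_dump(text):
    """Return (class_name, target, unresolved) for each '(Class target)' entry."""
    entries = []
    for body in re.findall(r"\(([^()]+)\)", text):
        tokens = body.split()
        unresolved = tokens[:1] == ["unresolved"]
        tokens = tokens[1:] if unresolved else tokens
        if len(tokens) < 2 or not tokens[0].endswith("Permission"):
            continue  # not a permission entry (e.g. the CodeSource line)
        entries.append((tokens[0], " ".join(tokens[1:]), unresolved))
    return entries

def name_implies(granted, wanted):
    """Simplified BasicPermission rule: exact name, '*', or a trailing '.*'."""
    if granted == "*" or granted == wanted:
        return True
    if granted.endswith(".*"):
        prefix = granted[:-1]  # keep the trailing dot
        return len(wanted) > len(prefix) and wanted.startswith(prefix)
    return False

def missing(entries, required):
    """Return the required (class, name) pairs that no resolved entry grants."""
    # Unresolved entries are treated as not granting anything (conservative).
    return [(cls, name) for cls, name in required
            if not any(c == cls and not unres and name_implies(t, name)
                       for c, t, unres in entries)]

REQUIRED = [
    ("javax.management.MBeanServerPermission", "findMBeanServer"),  # from the issue
    ("java.lang.RuntimePermission", "createSecurityManager"),       # from the issue
    ("java.lang.RuntimePermission", "loadLibrary.example"),         # constructed name
]

if __name__ == "__main__":
    for cls, name in missing(parse_dump(SAMPLE_DUMP), REQUIRED):
        print(f'permission {cls} "{name}";')
```

On the sample, the two permissions named in the issue description are reported as missing: the domain holds `createMBeanServer`, which does not cover `findMBeanServer`.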

        Shing Wai Chan added a comment -

        How bad is its impact? (Severity)
        high

        How often does it happen? Will many users see this problem? (Frequency)
        With security manager on, a servlet may have an issue loading an EJB.

        How much effort is required to fix it? (Cost)
        low

        What is the risk of fixing it and how will the risk be mitigated? (Risk)
        low

        Shing Wai Chan added a comment - - edited

        Sending src/main/java/org/apache/catalina/core/StandardContext.java
        Transmitting file data .
        Committed revision 44210.

        reviewed by Ron Monzillo, V B Kumar Jayanti

        Simplify the above change
        Sending src/main/java/org/apache/catalina/core/StandardContext.java
        Transmitting file data .
        Committed revision 44333.


          People

          • Assignee:
            Shing Wai Chan
            Reporter:
            phendley