GLASSFISH-17288

QL bean-validator/simple-bv-servlet test failed in security_manager ON mode

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.1.2_b01
    • Fix Version/s: None
    • Component/s: bean-validator
    • Labels:
      None
    • Environment:

      AIX makati 1 6 00090DB6D700,
      IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr9-20110203_74623 (JIT enabled, AOT enabled)

      Description

      On the AIX platform, the bean-validator/simple-bv-servlet passed in security_manager OFF mode. When the security_manager is turned on, the test failed with the following exception in server.log:
      [#|2011-09-12T12:47:22.022-0700|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=8;_ThreadName=Thread-11;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
      java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
      at java.security.AccessController.checkPermission(AccessController.java:108)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
      at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:118)
      at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.compare(AnnotationHelper.java:186)
      at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.invoke(AnnotationHelper.java:111)
      at $Proxy15.equals(Unknown Source)

      The full stack trace is attached.

      Steps to reproduce:
      1. Set env variable security_manager ON.
      2. cd quicklook; ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish add-quicklook-policy-grants
      3. ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish start_server_with_security_manager_enabled
      4. cd bean-validator/simple-bv-servlet; ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish all

      1. message.txt
        13 kB
        Ed Burns
      2. server.log
        32 kB
        mzh777

        Activity

        Ed Burns added a comment -

        I am happy to report that my changes resolve the problem.

        Note that the exception shown in the initial bug filing:

        [#|2011-09-12T12:47:22.022-0700|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=8;_ThreadName=Thread-11;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
        java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
        at java.security.AccessController.checkPermission(AccessController.java:108)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
        at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:118)
        at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.compare(AnnotationHelper.java:186)

        is NOT occurring with the patch in place.

        My next attachment will be the patch to the hibernate-validator sources that I used to generate the two .class files that I patched into the existing bean-validator.jar.

        Ed Burns added a comment -

        I have filed this issue in the JIRA for Hibernate Validator: <https://hibernate.onjira.com/browse/HV-552> and attached the patch therein.

        Ed Burns added a comment -

        This appears to be a known issue in the IBM JVM <http://www-01.ibm.com/support/docview.wss?uid=swg1PM10814>:

        "The AccessControlException is thrown due to an equals check
        being performed on the security Subject outside of a
        privileged action."

        [...]

        "The fix for this APAR resolves the problem by ensuring the
        equals method on the Subject is called with the correct Java 2
        security privilege."

        Ed Burns added a comment - - edited

        Relnotes content. Included here for convenience.

        SECTION: Description

        Consider the action of invoking "equals()" on an instance of
        java.lang.annotation.Annotation. Code that performs this action will
        cause an AccessControlException when running in the IBM JDK [1] but will
        succeed without an exception in a similar version of the Oracle JDK.

        SECTION: Recommended Workaround

        Include the following grant in the server.policy file:

        grant codeBase "file:${com.sun.aas.instanceRoot}/applications/<YOUR_APP_NAME>/-" {
            permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        };

        For example the following grant was tested on the IBM JDK [1] on a
        machine whose uname -a output included "AIX 1 6 00090DB6D700".

        grant codeBase "file:${com.sun.aas.instanceRoot}/applications/simple-bv-servlet/-" {
            permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        };

        SECTION: Notes

        [1] java version "1.6.0"
        Java(TM) SE Runtime Environment (build pap3260sr9fp1-20110208_03(SR9 FP1))
        IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr9-20110203_74623 (JIT enabled, AOT enabled)
        J9VM - 20110203_074623
        JIT - r9_20101028_17488ifx3
        GC - 20101027_AA)
        JCL - 20110203_01
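
Added example, not part of the issue or of GlassFish's own code: because the workaround above grants `suppressAccessChecks`, this sketch checks that every such grant in a server.policy stays scoped to a single application directory, as in the release note. The sample policy is constructed, and the function name and verdict labels are hypothetical.

```python
import re

# Constructed sample server.policy (not from the issue): the release note's
# app-scoped grant, a grant with no codeBase, and one covering every application.
SAMPLE_POLICY = r'''
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/simple-bv-servlet/-" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/-" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
'''

# Quoted strings are consumed whole so the braces in "${...}" do not end a block.
GRANT_RE = re.compile(r'\bgrant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;', re.I)
CODEBASE_RE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
# "*" is included because a BasicPermission wildcard name implies suppressAccessChecks.
PERM_RE = re.compile(
    r'permission\s+java\.lang\.reflect\.ReflectPermission\s+"(?:suppressAccessChecks|\*)"')
# Exactly one named directory under the instance's applications/ directory.
APP_SCOPED_RE = re.compile(
    r'^file:\$\{com\.sun\.aas\.instanceRoot\}/applications/[\w.][\w.-]*/-$')

def audit(policy_text):
    """Return (codeBase, verdict) for each grant entry giving suppressAccessChecks."""
    # Assumption: comments are whole-line "//" comments; block comments are not handled.
    text = re.sub(r'(?m)^\s*//.*$', '', policy_text)
    findings = []
    for header, body in GRANT_RE.findall(text):
        if not PERM_RE.search(body):
            continue
        match = CODEBASE_RE.search(header)
        codebase = match.group(1) if match else None
        if codebase is None:
            verdict = "no-codebase"   # not limited to any code location
        elif APP_SCOPED_RE.match(codebase):
            verdict = "app-scoped"    # the shape used in the release note
        else:
            verdict = "review"        # any other codeBase: check its reach by hand
        findings.append((codebase, verdict))
    return findings

if __name__ == "__main__":
    for codebase, verdict in audit(SAMPLE_POLICY):
        print(f"{verdict:12} {codebase}")
```

Anything other than `app-scoped` is a grant that reaches further than the workaround requires and is worth a manual look.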

        Ed Burns added a comment -

        Closed in Relnotes.


          People

          • Assignee:
            Ed Burns
            Reporter:
            mzh777