glassfish / GLASSFISH-17288

QL bean-validator/simple-bv-servlet test failed in security_manager ON mode

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.1.2_b01
    • Fix Version/s: None
    • Component/s: bean-validator
    • Labels:
      None
    • Environment:

      AIX makati 1 6 00090DB6D700,
      IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr9-20110203_74623 (JIT enabled, AOT enabled)

      Description

      On the AIX platform, the bean-validator/simple-bv-servlet test passed in security_manager OFF mode. When the security_manager is turned on, the test failed with the following exception in server.log:
      [#|2011-09-12T12:47:22.022-0700|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=8;_ThreadName=Thread-11;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
      java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
      at java.security.AccessController.checkPermission(AccessController.java:108)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
      at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:118)
      at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.compare(AnnotationHelper.java:186)
      at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.invoke(AnnotationHelper.java:111)
      at $Proxy15.equals(Unknown Source)

      The full stack trace is attached.

      Steps to reproduce:
      1. Set env variable security_manager ON.
      2. cd quicklook; ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish add-quicklook-policy-grants
      3. ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish start_server_with_security_manager_enabled
      4. cd bean-validator/simple-bv-servlet; ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish all

      1. message.txt
        13 kB
        Ed Burns
      2. server.log
        32 kB
        mzh777

        Activity

        Ed Burns added a comment -

        I am in the process of learning how to access an AIX test machine. I'll learn this from someone I know who has recently done it, Roger Kitain.

        Ed Burns added a comment -

        Here's my environment:

        -bash-3.00$ hostname
        makati
        -bash-3.00$ uname -a
        AIX makati 1 6 00090DB6D700
        -bash-3.00$ java -version
        java version "1.6.0"
        Java(TM) SE Runtime Environment (build pap3260sr9fp1-20110208_03(SR9 FP1))
        IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr9-20110203_74623 (JIT enabled, AOT enabled)
        J9VM - 20110203_074623
        JIT - r9_20101028_17488ifx3
        GC - 20101027_AA)
        JCL - 20110203_01
        -bash-3.00$ ant -v
        Apache Ant(TM) version 1.8.2 compiled on December 20 2010
        Trying the default build file: build.xml
        Buildfile: build.xml does not exist!
        Build failed
        -bash-3.00$ mvn -v
        Apache Maven 2.2.1 (r801777; 2009-08-06 12:16:01-0700)
        Java version: 1.6.0
        Java home: /usr/java6/jre
        Default locale: en_US, platform encoding: ISO8859-1
        OS name: "aix" version: "6.1" arch: "ppc" Family: "unix"

        Ed Burns added a comment -

        Ok, I'm building on that host now. Thank you Jane Young for sharing that I had to activate the "default" and "aix-jdk" profiles when invoking mvn with the "install" goal.

        Ed Burns added a comment -

        Still building. In the meantime, I have contacted the maintainer of the code at JBoss and asked this question:

        EB> I know that you peppered some AccessController.doPrivileged() calls in
        EB> where necessary, is it possible that we could need another one here,
        EB> around the call to equals()?

        When the build completes, I will reproduce the problem. Then, I'll re-compile the class with the suggestion I made to the maintainer in place, patch that single .class file into the existing glassfish installation, and re-run the test. If it passes, then we know we have a fix.

        In the meantime, I am downgrading this to Minor.

        Ed
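
The approach proposed in the comment above, wrapping the annotation `equals()` call in `AccessController.doPrivileged()`, sketched as an added example; it is not part of the original thread and is not the Hibernate Validator patch. The class, method and annotation names are hypothetical, and the sketch assumes the library's own code source is granted `ReflectPermission "suppressAccessChecks"` in the policy.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration (hypothetical names): compare two annotations inside a
// narrowly scoped privileged block, for code running under the legacy
// Java Security Manager.
public class PrivilegedAnnotationEquals {

    /** Constructed sample annotation, standing in for a constraint annotation. */
    @Retention(RetentionPolicy.RUNTIME)
    @interface MaxLength {
        int value();
    }

    /** Constructed sample bean carrying the annotations that get compared. */
    static class Person {
        @MaxLength(10) String firstName;
        @MaxLength(10) String lastName;
        @MaxLength(64) String email;
    }

    /**
     * Privileged action that does exactly one thing: call equals() on two
     * annotations. Keeping the action this narrow means a caller cannot use
     * the privileged block to perform any other reflective operation.
     */
    static final class AnnotationEquals implements PrivilegedAction<Boolean> {
        private final Annotation left;
        private final Annotation right;

        AnnotationEquals(Annotation left, Annotation right) {
            this.left = left;
            this.right = right;
        }

        public Boolean run() {
            // On the IBM J9 build in this report, the annotation proxy's
            // equals() calls setAccessible(), which triggers the check for
            // ReflectPermission "suppressAccessChecks".
            return left.equals(right);
        }
    }

    /**
     * Compares two annotations. When a SecurityManager is installed, the
     * comparison runs inside doPrivileged() so the permission check stops at
     * this class's protection domain instead of continuing into the
     * application code further up the call stack.
     */
    static boolean sameAnnotation(Annotation a, Annotation b) {
        if (a == null || b == null) {
            return a == b;
        }
        AnnotationEquals action = new AnnotationEquals(a, b);
        if (System.getSecurityManager() != null) {
            return AccessController.doPrivileged(action);
        }
        // No SecurityManager: no permission check happens, call directly.
        return action.run();
    }

    /** Reads the sample annotation from a field of the constructed bean. */
    static Annotation constraintOn(String field) throws NoSuchFieldException {
        return Person.class.getDeclaredField(field).getAnnotation(MaxLength.class);
    }

    public static void main(String[] args) throws Exception {
        // Same annotation type and same member value on both fields.
        System.out.println(sameAnnotation(constraintOn("firstName"), constraintOn("lastName")));
        // Same annotation type, different member value.
        System.out.println(sameAnnotation(constraintOn("firstName"), constraintOn("email")));
    }
}
```

With the call inside the library's privileged block, the permission is needed only by the library's code source rather than by each deployed application.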

        mzh777 added a comment -

        Checked the QL hudson job for build 17 of Jan 10, 2012. The bean_validation test is still failing in security manager on mode. Raise the priority back to P2.

        Ed Burns added a comment -

        Back from vacation and working on this again. I have resent my proposed solution to the original maintainer.

        Ed

        Ed Burns added a comment -

        Take the .class files from this zip and patch them into bean-validator.jar.

        Ed Burns added a comment -

        Here is the output from performing the patch.

        bash-2.05b$ sum bean-validator.jar
        19273 2275 bean-validator.jar
        bash-2.05b$ zip -u bean-validator.jar org/hibernate/validator/metadata/ConstraintDescriptorImpl.class org/hibernate/validator/util/privilegedactions/Equals.class
        updating: org/hibernate/validator/metadata/ConstraintDescriptorImpl.class (deflated 64%)
        adding: org/hibernate/validator/util/privilegedactions/Equals.class (deflated 51%)
        bash-2.05b$ sum bean-validator.jar
        15601 2277 bean-validator.jar

        Ed Burns added a comment -

        I applied the fix and tried to run the test as described, but received this error:

        runtest-impl-class:
        [echo] =============Starting TestNG test at ../../classes/test ============
        [mkdir] Created dir: /makati1/edburns/workareas/glassfish-GLASSFISH_3_1_2/tests/quicklook/test-output
        [testng] [Parser] Running:
        [testng] bv
        [testng]
        [testng] java.net.ConnectException: A remote host refused an attempted connect operation.
        [testng] at java.net.PlainSocketImpl.socketConnect(Native Method)
        [testng] at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:383)
        [testng] at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:245)
        [testng] at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:232)
        [testng] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:377)
        [testng] at java.net.Socket.connect(Socket.java:539)
        [testng] at java.net.Socket.connect(Socket.java:488)
        [testng] at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
        [testng] at sun.net.www.http.HttpClient.openServer(HttpClient.java:407)
        [testng] at sun.net.www.http.HttpClient.openServer(HttpClient.java:542)
        [testng] at sun.net.www.http.HttpClient.<init>(HttpClient.java:246)
        [testng] at sun.net.www.http.HttpClient.New(HttpClient.java:319)
        [testng] at sun.net.www.http.HttpClient.New(HttpClient.java:336)
        [testng] at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:980)
        [testng] at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:921)
        [testng] at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:846)
        [testng] at test.bv.servlet.simple.SimpleBVServletTestNG.executeServlet(SimpleBVServletTestNG.java:85)
        [testng] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        [testng] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
        [testng] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
        [testng] at java.lang.reflect.Method.invoke(Method.java:611)
        [testng] at org.testng.internal.MethodHelper.invokeMethod(MethodHelper.java:604)
        [testng] at org.testng.internal.Invoker.invokeMethod(Invoker.java:470)
        [testng] at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:564)
        [testng] at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:830)
        [testng] at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
        [testng] at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:109)
        [testng] at org.testng.TestRunner.runWorkers(TestRunner.java:678)
        [testng] at org.testng.TestRunner.privateRun(TestRunner.java:624)
        [testng] at org.testng.TestRunner.run(TestRunner.java:495)
        [testng] at org.testng.SuiteRunner.runTest(SuiteRunner.java:300)
        [testng] at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:295)
        [testng] at org.testng.SuiteRunner.privateRun(SuiteRunner.java:275)
        [testng] at org.testng.SuiteRunner.run(SuiteRunner.java:190)
        [testng] at org.testng.TestNG.createAndRunSuiteRunners(TestNG.java:792)
        [testng] at org.testng.TestNG.runSuitesLocally(TestNG.java:765)
        [testng] at org.testng.TestNG.run(TestNG.java:699)
        [testng] at org.testng.TestNG.privateMain(TestNG.java:824)
        [testng] at org.testng.TestNG.main(TestNG.java:802)
        [testng] FAILED: executeServlet
        [testng] java.lang.Exception: java.net.ConnectException: A remote host refused an attempted connect operation.
        [testng] at test.bv.servlet.simple.SimpleBVServletTestNG.executeServlet(SimpleBVServletTestNG.java:134)
        [testng] Caused by: java.net.ConnectException: A remote host refused an attempted connect operation.
        [testng] at java.net.PlainSocketImpl.socketConnect(Native Method)
        [testng] at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:383)
        [testng] at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:245)
        [testng] at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:232)
        [testng] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:377)
        [testng] at java.net.Socket.connect(Socket.java:539)
        [testng] at java.net.Socket.connect(Socket.java:488)
        [testng] at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
        [testng] at sun.net.www.http.HttpClient.openServer(HttpClient.java:407)
        [testng] at sun.net.www.http.HttpClient.openServer(HttpClient.java:542)
        [testng] at sun.net.www.http.HttpClient.<init>(HttpClient.java:246)
        [testng] at sun.net.www.http.HttpClient.New(HttpClient.java:319)
        [testng] at sun.net.www.http.HttpClient.New(HttpClient.java:336)
        [testng] at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:980)
        [testng] at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:921)
        [testng] at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:846)
        [testng] at test.bv.servlet.simple.SimpleBVServletTestNG.executeServlet(SimpleBVServletTestNG.java:85)
        [testng] ... 22 more
        [testng] ... Removed 22 stack frames
        [testng]
        [testng] ===============================================
        [testng] bv_servlet_simple
        [testng] Tests run: 1, Failures: 1, Skips: 0
        [testng] ===============================================
        [testng]
        [testng]
        [testng] ===============================================
        [testng] bv
        [testng] Total tests run: 1, Failures: 1, Skips: 0
        [testng] ===============================================
        [testng]

        setOSConditions:

        asenv-unix:

        asenv-windows:

        checkTestNGXML:

        runtest-impl-xml:

        undeploy:

        setOSConditions:

        undeploy-v3-impl:
        [echo] simple-bv-servlet

        undeploy-v3-impl-unix:
        [exec] No such local command, undeploy. To run remote commands, start the application server (e.g. 'asadmin start-domain').
        [exec] Command undeploy failed.
        [exec] Remote server does not listen for requests on [localhost:4848]. Is the server up?
        [exec] Result: 1

        undeploy-v3-impl-windows:

        all:

        BUILD SUCCESSFUL
        Total time: 19 seconds
        -bash-3.00$

        Let me verify the server is not running by some other user.

        Ed Burns added a comment -

        Indeed, the server didn't start when running the command to start it. It failed with this output:

        start-server-felix-unix:
        [exec] Command start-domain failed.
        [exec] The main GlassFish configuration file is missing. This is where it is supposed to be: /makati1/edburns/workareas/glassfish-GLASSFISH_3_1_2/distributions/glassfish/target-20111221/glassfish3/glassfish/domains/qltest-domain/config/domain.xml
        [exec] Result: 1

        Ed Burns added a comment -

        I copied the domain.xml from domain1. Now when I try to start the server I see this:

        start-server-felix-unix:
        [exec] Command start-domain failed.
        [exec] The Master Password is required to start the domain. No console, no prompting possible. You should either create the domain with --savemasterpassword=true or provide a password file with the --passwordfile option.
        [exec] Result: 1

        How do I get past this?

        Ed Burns added a comment -

        bean-validator.jar with the suggested fix.

        scatari added a comment -

        You need the passwordfile with the stored passwords. Maybe you are missing an environment entry.

        Ed Burns added a comment - - edited

        >>>>> On Wed, 11 Jan 2012 15:51:09 -0800, Ming Zhang said:

        MZ> The QL is now running on a separate domain "qltest-domain" since the
        MZ> default domain1 requires interactive input of password.

        MZ> The steps to create qltest-domain and enable security-manager can be
        MZ> found at all_wd_security target in quicklook/build.xml:

        MZ> 1. Set env security_manager=ON
        MZ> 2. ant -Dglassfish.home=${GF_HOME} create-ql-domain
        MZ> 3. ant -Dglassfish.home=${GF_HOME} add-quicklook-policy-grants
        MZ> 4. ant -Dglassfish.home=${GF_HOME} start_server_with_security_manager_enabled

        Ed Burns added a comment -

        I am happy to report that my changes resolve the problem.

        Note that the exception shown in the initial bug filing:

        [#|2011-09-12T12:47:22.022-0700|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=8;_ThreadName=Thread-11;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
        java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
        at java.security.AccessController.checkPermission(AccessController.java:108)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
        at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:118)
        at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.compare(AnnotationHelper.java:186)

        is NOT occurring with the patch in place.

        My next attachment will be the patch to the hibernate-validator sources that I used to generate the two .class files that I patched into the existing bean-validator.jar.

        Ed Burns added a comment -

        I have filed this issue in the JIRA for Hibernate Validator: <https://hibernate.onjira.com/browse/HV-552> and attached the patch therein.

        Ed Burns added a comment -

        This appears to be a known issue in the IBM JVM <http://www-01.ibm.com/support/docview.wss?uid=swg1PM10814>:

        "The AccessControlException is thrown due to an equals check
        being performed on the security Subject outside of a
        privileged action."

        [...]

        "The fix for this APAR resolves the problem by ensuring the
        equals method on the Subject is called with the correct Java 2
        security privilege."

        Ed Burns added a comment - - edited

        Relnotes content. Included here for convenience.

        SECTION: Description

        Consider the action of invoking "equals()" on an instance of
        java.lang.annotation.Annotation. Code that performs this action will
        cause an AccessControlException when running in the IBM JDK [1] but will
        succeed without an exception in a similar version of the Oracle JDK.

        SECTION: Recommended Workaround

        Include the following grant in the server.policy file

        grant codeBase "file:${com.sun.aas.instanceRoot}/applications/<YOUR_APP_NAME>/-" {
            permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        };

        For example the following grant was tested on the IBM JDK [1] on a
        machine whose uname -a output included "AIX 1 6 00090DB6D700".

        grant codeBase "file:${com.sun.aas.instanceRoot}/applications/simple-bv-servlet/-" {
            permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        };

        SECTION: Notes

        [1] java version "1.6.0"
        Java(TM) SE Runtime Environment (build pap3260sr9fp1-20110208_03(SR9 FP1))
        IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr9-20110203_74623 (JIT enabled, AOT enabled)
        J9VM - 20110203_074623
        JIT - r9_20101028_17488ifx3
        GC - 20101027_AA)
        JCL - 20110203_01

        Ed Burns added a comment -

        Closed in Relnotes.


          People

          • Assignee: Ed Burns
          • Reporter: mzh777
          • Votes: 0
          • Watchers: 1
