Key: GLASSFISH-17288
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Critical
Assignee: Ed Burns
Reporter: mzh777
Votes: 0
Watchers: 1

glassfish

QL bean-validator/simple-bv-servlet test failed in security_manager ON mode

Created: 12/Sep/11 08:15 PM   Updated: 29/May/13 04:19 PM   Resolved: 29/May/13 04:19 PM
Component/s: bean-validator
Affects Version/s: 3.1.2_b01
Fix Version/s: None

Time Tracking:
Not Specified

File Attachments: 1. Java Archive File bean-validator.jar (1.11 MB) 11/Jan/12 09:53 PM - Ed Burns
2. Text File message.txt (13 kB) 12/Jan/12 03:20 PM - Ed Burns
3. Zip Archive patch_these_classes_into_bean-validator_jar.zip (8 kB) 11/Jan/12 09:02 PM - Ed Burns
4. Text File server.log (32 kB) 12/Sep/11 08:15 PM - mzh777

Environment:

AIX makati 1 6 00090DB6D700,
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr9-20110203_74623 (JIT enabled, AOT enabled)


Tags: 3_1_2-exclude 3_1_2-release-note-added 3_1_2-release-notes
Participants: Ed Burns, mzh777 and scatari


Description

On the AIX platform, the bean-validator/simple-bv-servlet test passed in security_manager OFF mode. When the security_manager is turned on, the test failed with the following exception in server.log:
[#|2011-09-12T12:47:22.022-0700|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=8;_ThreadName=Thread-11;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
at java.security.AccessController.checkPermission(AccessController.java:108)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:118)
at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.compare(AnnotationHelper.java:186)
at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.invoke(AnnotationHelper.java:111)
at $Proxy15.equals(Unknown Source)

The full stack trace is attached.

Steps to reproduce:
1. Set env variable security_manager ON.
2. cd quicklook; ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish add-quicklook-policy-grants
3. ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish start_server_with_security_manager_enabled
4. cd bean-validator/simple-bv-servlet; ant -Dglassfish.home=/makati1/java_re/ming/glassfish3/glassfish all



Ed Burns added a comment - 18/Oct/11 04:02 PM

I am in the process of learning how to access an AIX test machine. I'll learn this from someone I know who has recently done it, Roger Kitain.


Ed Burns added a comment - 21/Dec/11 06:10 PM

Here's my environment:

-bash-3.00$ hostname
makati
-bash-3.00$ uname -a
AIX makati 1 6 00090DB6D700
-bash-3.00$ java -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pap3260sr9fp1-20110208_03(SR9 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr9-20110203_74623 (JIT enabled, AOT enabled)
J9VM - 20110203_074623
JIT - r9_20101028_17488ifx3
GC - 20101027_AA)
JCL - 20110203_01
-bash-3.00$ ant -v
Apache Ant(TM) version 1.8.2 compiled on December 20 2010
Trying the default build file: build.xml
Buildfile: build.xml does not exist!
Build failed
-bash-3.00$ mvn -v
Apache Maven 2.2.1 (r801777; 2009-08-06 12:16:01-0700)
Java version: 1.6.0
Java home: /usr/java6/jre
Default locale: en_US, platform encoding: ISO8859-1
OS name: "aix" version: "6.1" arch: "ppc" Family: "unix"


Ed Burns added a comment - 21/Dec/11 09:39 PM

Ok, I'm building on that host now. Thank you Jane Young for sharing that I had to activate the "default" and "aix-jdk" profiles when invoking mvn with the "install" goal.


Ed Burns added a comment - 21/Dec/11 10:09 PM

Still building. In the meantime, I have contacted the maintainer of the code at JBoss and asked this question:

EB> I know that you peppered some AccessController.doPrivileged() calls in
EB> where necessary, is it possible that we could need another one here,
EB> around the call to equals()?

When the build completes, I will reproduce the problem. Then, I'll re-compile the class with the suggestion I made to the maintainer in place, patch that single .class file into the existing glassfish installation, and re-run the test. If it passes, then we know we have a fix.

In the meantime, I am downgrading this to Minor.

Ed


mzh777 added a comment - 11/Jan/12 12:22 AM

Checked the QL hudson job for build 17 of Jan 10, 2012. The bean_validation test is still failing in security manager on mode. Raise the priority back to P2.


Ed Burns added a comment - 11/Jan/12 03:26 PM

Back from vacation and working on this again. I have resent my proposed solution to the original maintainer.

Ed


Ed Burns added a comment - 11/Jan/12 09:02 PM

Take the .class files from this zip and patch them into bean-validator.jar.


Ed Burns added a comment - 11/Jan/12 09:13 PM

Here is the output from performing the patch.

bash-2.05b$ sum bean-validator.jar
19273 2275 bean-validator.jar
bash-2.05b$ zip -u bean-validator.jar org/hibernate/validator/metadata/ConstraintDescriptorImpl.class org/hibernate/validator/util/privilegedactions/Equals.class
updating: org/hibernate/validator/metadata/ConstraintDescriptorImpl.class (deflated 64%)
adding: org/hibernate/validator/util/privilegedactions/Equals.class (deflated 51%)
bash-2.05b$ sum bean-validator.jar
15601 2277 bean-validator.jar


Ed Burns added a comment - 11/Jan/12 09:46 PM

I applied the fix and tried to run the test as described, but received this error:

runtest-impl-class:
[echo] =============Starting TestNG test at ../../classes/test ============
[mkdir] Created dir: /makati1/edburns/workareas/glassfish-GLASSFISH_3_1_2/tests/quicklook/test-output
[testng] [Parser] Running:
[testng] bv
[testng]
[testng] java.net.ConnectException: A remote host refused an attempted connect operation.
[testng] at java.net.PlainSocketImpl.socketConnect(Native Method)
[testng] at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:383)
[testng] at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:245)
[testng] at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:232)
[testng] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:377)
[testng] at java.net.Socket.connect(Socket.java:539)
[testng] at java.net.Socket.connect(Socket.java:488)
[testng] at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
[testng] at sun.net.www.http.HttpClient.openServer(HttpClient.java:407)
[testng] at sun.net.www.http.HttpClient.openServer(HttpClient.java:542)
[testng] at sun.net.www.http.HttpClient.<init>(HttpClient.java:246)
[testng] at sun.net.www.http.HttpClient.New(HttpClient.java:319)
[testng] at sun.net.www.http.HttpClient.New(HttpClient.java:336)
[testng] at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:980)
[testng] at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:921)
[testng] at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:846)
[testng] at test.bv.servlet.simple.SimpleBVServletTestNG.executeServlet(SimpleBVServletTestNG.java:85)
[testng] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[testng] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
[testng] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
[testng] at java.lang.reflect.Method.invoke(Method.java:611)
[testng] at org.testng.internal.MethodHelper.invokeMethod(MethodHelper.java:604)
[testng] at org.testng.internal.Invoker.invokeMethod(Invoker.java:470)
[testng] at org.testng.internal.Invoker.invokeTestMethod(Invoker.java:564)
[testng] at org.testng.internal.Invoker.invokeTestMethods(Invoker.java:830)
[testng] at org.testng.internal.TestMethodWorker.invokeTestMethods(TestMethodWorker.java:125)
[testng] at org.testng.internal.TestMethodWorker.run(TestMethodWorker.java:109)
[testng] at org.testng.TestRunner.runWorkers(TestRunner.java:678)
[testng] at org.testng.TestRunner.privateRun(TestRunner.java:624)
[testng] at org.testng.TestRunner.run(TestRunner.java:495)
[testng] at org.testng.SuiteRunner.runTest(SuiteRunner.java:300)
[testng] at org.testng.SuiteRunner.runSequentially(SuiteRunner.java:295)
[testng] at org.testng.SuiteRunner.privateRun(SuiteRunner.java:275)
[testng] at org.testng.SuiteRunner.run(SuiteRunner.java:190)
[testng] at org.testng.TestNG.createAndRunSuiteRunners(TestNG.java:792)
[testng] at org.testng.TestNG.runSuitesLocally(TestNG.java:765)
[testng] at org.testng.TestNG.run(TestNG.java:699)
[testng] at org.testng.TestNG.privateMain(TestNG.java:824)
[testng] at org.testng.TestNG.main(TestNG.java:802)
[testng] FAILED: executeServlet
[testng] java.lang.Exception: java.net.ConnectException: A remote host refused an attempted connect operation.
[testng] at test.bv.servlet.simple.SimpleBVServletTestNG.executeServlet(SimpleBVServletTestNG.java:134)
[testng] Caused by: java.net.ConnectException: A remote host refused an attempted connect operation.
[testng] at java.net.PlainSocketImpl.socketConnect(Native Method)
[testng] at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:383)
[testng] at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:245)
[testng] at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:232)
[testng] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:377)
[testng] at java.net.Socket.connect(Socket.java:539)
[testng] at java.net.Socket.connect(Socket.java:488)
[testng] at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
[testng] at sun.net.www.http.HttpClient.openServer(HttpClient.java:407)
[testng] at sun.net.www.http.HttpClient.openServer(HttpClient.java:542)
[testng] at sun.net.www.http.HttpClient.<init>(HttpClient.java:246)
[testng] at sun.net.www.http.HttpClient.New(HttpClient.java:319)
[testng] at sun.net.www.http.HttpClient.New(HttpClient.java:336)
[testng] at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:980)
[testng] at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:921)
[testng] at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:846)
[testng] at test.bv.servlet.simple.SimpleBVServletTestNG.executeServlet(SimpleBVServletTestNG.java:85)
[testng] ... 22 more
[testng] ... Removed 22 stack frames
[testng]
[testng] ===============================================
[testng] bv_servlet_simple
[testng] Tests run: 1, Failures: 1, Skips: 0
[testng] ===============================================
[testng]
[testng]
[testng] ===============================================
[testng] bv
[testng] Total tests run: 1, Failures: 1, Skips: 0
[testng] ===============================================
[testng]

setOSConditions:

asenv-unix:

asenv-windows:

checkTestNGXML:

runtest-impl-xml:

undeploy:

setOSConditions:

undeploy-v3-impl:
[echo] simple-bv-servlet

undeploy-v3-impl-unix:
[exec] No such local command, undeploy. To run remote commands, start the application server (e.g. 'asadmin start-domain').
[exec] Command undeploy failed.
[exec] Remote server does not listen for requests on [localhost:4848]. Is the server up?
[exec] Result: 1

undeploy-v3-impl-windows:

all:

BUILD SUCCESSFUL
Total time: 19 seconds
-bash-3.00$

Let me verify the server is not running by some other user.


Ed Burns added a comment - 11/Jan/12 09:47 PM

Indeed, the server didn't start when running the command to start it. It failed with this output:

start-server-felix-unix:
[exec] Command start-domain failed.
[exec] The main GlassFish configuration file is missing. This is where it is supposed to be: /makati1/edburns/workareas/glassfish-GLASSFISH_3_1_2/distributions/glassfish/target-20111221/glassfish3/glassfish/domains/qltest-domain/config/domain.xml
[exec] Result: 1


Ed Burns added a comment - 11/Jan/12 09:51 PM

I copied the domain.xml from domain1. Now when I try to start the server I see this:

start-server-felix-unix:
[exec] Command start-domain failed.
[exec] The Master Password is required to start the domain. No console, no prompting possible. You should either create the domain with --savemasterpassword=true or provide a password file with the --passwordfile option.
[exec] Result: 1

How do I get past this?


Ed Burns added a comment - 11/Jan/12 09:53 PM

bean-validator.jar with the suggested fix.


scatari added a comment - 11/Jan/12 10:17 PM

You need the passwordfile with the stored passwords. Maybe you are missing an environment entry.


Ed Burns added a comment - 12/Jan/12 02:13 PM - edited

>>>>> On Wed, 11 Jan 2012 15:51:09 -0800, Ming Zhang said:

MZ> The QL is now running on a separate domain "qltest-domain" since the
MZ> default domain1 requires interactive input of password.

MZ> The steps to create qltest-domain and enable security-manager can be
MZ> found at all_wd_security target in quicklook/build.xml:

MZ> 1. Set env security_manager=ON
MZ> 2. ant -Dglassfish.home=${GF_HOME} create-ql-domain
MZ> 3. ant -Dglassfish.home=${GF_HOME} add-quicklook-policy-grants
MZ> 4. ant -Dglassfish.home=${GF_HOME} start_server_with_security_manager_enabled


Ed Burns added a comment - 12/Jan/12 03:20 PM

I am happy to report that my changes resolve the problem.

Note that the exception shown in the initial bug filing:

[#|2011-09-12T12:47:22.022-0700|WARNING|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=8;_ThreadName=Thread-11;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
at java.security.AccessController.checkPermission(AccessController.java:108)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:118)
at com.ibm.oti.reflect.AnnotationHelper$AnnotationInvocationHandler.compare(AnnotationHelper.java:186)

is NOT occurring with the patch in place.

My next attachment will be the patch to the hibernate-validator sources that I used to generate the two .class files that I patched into the existing bean-validator.jar.
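
The pattern discussed in this thread, an AccessController.doPrivileged() call around the annotation equals(), sketched as an added example. It is not the patch attached to this issue or to HV-552, and the names PrivilegedAnnotationEquals, EqualsAction and annotationEquals are hypothetical.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; class and method names here are hypothetical.
public class PrivilegedAnnotationEquals {

    // The comparison packaged as a PrivilegedAction so that only this one
    // call runs inside the privileged block.
    static final class EqualsAction implements PrivilegedAction<Boolean> {
        private final Annotation left;
        private final Object right;

        EqualsAction(Annotation left, Object right) {
            this.left = left;
            this.right = right;
        }

        public Boolean run() {
            return Boolean.valueOf(left.equals(right));
        }
    }

    // With no SecurityManager installed there is nothing to check, so call
    // equals() directly; otherwise stop the permission walk at this frame.
    static boolean annotationEquals(Annotation left, Object right) {
        if (System.getSecurityManager() == null) {
            return left.equals(right);
        }
        return AccessController.doPrivileged(new EqualsAction(left, right)).booleanValue();
    }

    // Constructed sample input: one runtime annotation on three classes.
    @Retention(RetentionPolicy.RUNTIME)
    @interface Marker { String value(); }
    @Marker("a") static class First { }
    @Marker("a") static class Second { }
    @Marker("b") static class Third { }

    public static void main(String[] args) {
        Marker first = First.class.getAnnotation(Marker.class);
        Marker second = Second.class.getAnnotation(Marker.class);
        Marker third = Third.class.getAnnotation(Marker.class);
        System.out.println("same values:      " + annotationEquals(first, second));
        System.out.println("different values: " + annotationEquals(first, third));
    }
}
```

The privileged block only helps when the code source containing the helper itself holds ReflectPermission "suppressAccessChecks"; the permission check then stops at the doPrivileged frame instead of reaching the deployed application's protection domain.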


Ed Burns added a comment - 12/Jan/12 03:37 PM

I have filed this issue in the JIRA for Hibernate Validator: <https://hibernate.onjira.com/browse/HV-552> and attached the patch therein.


Ed Burns added a comment - 13/Jan/12 06:06 PM

This appears to be a known issue in the IBM JVM <http://www-01.ibm.com/support/docview.wss?uid=swg1PM10814>:

"The AccessControlException is thrown due to an equals check
being performed on the security Subject outside of a
privileged action."

[...]

"The fix for this APAR resolves the problem by ensuring the
equals method on the Subject is called with the correct Java 2
security privilege."


Ed Burns added a comment - 13/Jan/12 08:09 PM - edited

Relnotes content. Included here for convenience.

SECTION: Description

Consider the action of invoking "equals()" on an instance of
java.lang.annotation.Annotation. Code that performs this action will
cause an AccessControlException when running in the IBM JDK [1] but will
succeed without an exception in a similar version of the Oracle JDK.

SECTION: Recommended Workaround

Include the following grant in the server.policy file

grant codeBase "file:${com.sun.aas.instanceRoot}/applications/<YOUR_APP_NAME>/-" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

For example the following grant was tested on the IBM JDK [1] on a
machine whose uname -a output included "AIX 1 6 00090DB6D700".

grant codeBase "file:${com.sun.aas.instanceRoot}/applications/simple-bv-servlet/-" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

SECTION: Notes

[1] java version "1.6.0"
Java(TM) SE Runtime Environment (build pap3260sr9fp1-20110208_03(SR9 FP1))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr9-20110203_74623 (JIT enabled, AOT enabled)
J9VM - 20110203_074623
JIT - r9_20101028_17488ifx3
GC - 20101027_AA)
JCL - 20110203_01


Ed Burns added a comment - 29/May/13 04:19 PM

Closed in Relnotes.