
Key: GLASSFISH-20839
Type: Bug
Status: Open
Priority: Blocker
Assignee: russgold
Reporter: Joe Di Pol
Votes: 0
Watchers: 1

Corba: GF QL failing with JDK7U25: java.security.AccessControlException

Created: 01/Oct/13 06:29 PM   Updated: 01/Oct/13 06:31 PM
Component/s: orb
Affects Version/s: 4.0
Fix Version/s: None

Time Tracking:
Not Specified

Tags:
Participants: Joe Di Pol and russgold


Description

GF full profile QL fails with this exception when
running with JDK7U25. When running with JDK7U09, the failure
does not occur.

Logs here:
http://gf-hudson.us.oracle.com/hudson/view/GlassFish/view/Trunk%20Continuous/job/gf-trunk-build-continuous/14626/
Results here:
http://gf-hudson.us.oracle.com/hudson/view/GlassFish/view/Trunk%20Continuous/job/gf-trunk-build-continuous/14626/testReport/

It looks like the error is coming from Corba.

Caused by: java.rmi.RemoteException: ; nested exception is:
java.security.AccessControlException: access denied ("java.io.SerializablePermission" "enableSubclassImplementation")
at com.sun.enterprise.naming.impl.LocalSerialContextProviderImpl.lookup(LocalSerialContextProviderImpl.java:142)
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:478)
... 93 more
Caused by: java.security.AccessControlException: access denied ("java.io.SerializablePermission" "enableSubclassImplementation")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at org.omg.CORBA_2_3.portable.OutputStream.checkPermission(OutputStream.java:65)
at org.omg.CORBA_2_3.portable.OutputStream.<init>(OutputStream.java:81)
at com.sun.corba.ee.impl.encoding.CDROutputObject.<init>(CDROutputObject.java:136)
at com.sun.corba.ee.impl.encoding.EncapsOutputStream.<init>(EncapsOutputStream.java:97)
at com.sun.corba.ee.impl.encoding.EncapsOutputStream.<init>(EncapsOutputStream.java:89)
at com.sun.corba.ee.impl.orb.ORBImpl.create_output_stream(ORBImpl.java:706)
at com.sun.corba.ee.impl.corba.AnyImpl.create_input_stream(AnyImpl.java:544)
at org.omg.CosTransactions.OTSPolicyValueHelper.extract(OTSPolicyValueHelper.java:25)
at com.sun.jts.pi.InterceptorImpl.send_request(InterceptorImpl.java:253)
at com.sun.corba.ee.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:290)
at com.sun.corba.ee.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:378)
at com.sun.corba.ee.impl.protocol.ClientRequestDispatcherImpl.beginRequest(ClientRequestDispatcherImpl.java:324)
at com.sun.corba.ee.impl.protocol.ClientDelegateImpl.request(ClientDelegateImpl.java:227)
at com.sun.corba.ee.impl.protocol.ClientDelegateImpl.is_a(ClientDelegateImpl.java:392)
at org.omg.CORBA.portable.ObjectImpl._is_a(ObjectImpl.java:130)
at org.omg.CosNaming.NamingContextHelper.narrow(NamingContextHelper.java:69)
at com.sun.jndi.cosnaming.CNCtx.callResolve(CNCtx.java:490)
at com.sun.jndi.cosnaming.CNCtx.lookup(CNCtx.java:541)
at com.sun.jndi.cosnaming.CNCtx.lookup(CNCtx.java:519)
at javax.naming.InitialContext.lookup(InitialContext.java:411)
at com.sun.enterprise.naming.util.IIOPObjectFactory.getObjectInstance(IIOPObjectFactory.java:71)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:321)
at com.sun.enterprise.naming.impl.LocalSerialContextProviderImpl.lookup(LocalSerialContextProviderImpl.java:133)
... 94 more



Joe Di Pol added a comment - 01/Oct/13 06:31 PM

Comments from JDK team:

We fixed a vulnerability in JDK code around the org.omg.CORBA_2_3.portable.OutputStream class (7u25 fix). Any code extending that class will now need an extra permission check if a security manager is installed.

There is a property flag to allow subclass instantiations without the security check (jdk.corba.allowOutputStreamSubclass=true)
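
The constructor-time subclass check described in the comment above, sketched as an added example (not JDK or GlassFish source, and not part of the original issue). GuardedStream, EncapsLikeStream, SubclassCheckDemo and the property example.allowGuardedStreamSubclass are hypothetical names; the sketch assumes a JDK that still supports installing a security manager and otherwise reports that the check is skipped.

```java
import java.io.SerializablePermission;
import java.security.AccessControlException;

// Hypothetical stand-in for a sensitive base class; not the JDK's code.
abstract class GuardedStream {
    // Hypothetical opt-out flag, modelled on the property quoted in the comment.
    private static final boolean ALLOW_SUBCLASS = readFlag();

    private static boolean readFlag() {
        try {
            return Boolean.getBoolean("example.allowGuardedStreamSubclass");
        } catch (SecurityException e) {
            return false; // property unreadable under the policy: fail closed
        }
    }

    // Evaluated as a constructor argument, so it runs before Object's
    // constructor completes: a rejected instance is never initialized and
    // cannot be resurrected through a finalizer.
    private static Void checkPermission() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null && !ALLOW_SUBCLASS) {
            sm.checkPermission(
                new SerializablePermission("enableSubclassImplementation"));
        }
        return null;
    }

    private GuardedStream(Void checked) { }

    protected GuardedStream() { this(checkPermission()); }
}

// Plays the role of a library subclass that extends the guarded base class.
final class EncapsLikeStream extends GuardedStream { }

public class SubclassCheckDemo {
    public static void main(String[] args) {
        try {
            // Default policy: application code holds no SerializablePermission.
            System.setSecurityManager(new SecurityManager());
        } catch (UnsupportedOperationException e) {
            System.out.println("no security manager on this JDK; check skipped");
        }
        try {
            new EncapsLikeStream();
            System.out.println("subclass instantiated");
        } catch (AccessControlException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Granting the permission in the policy file only to the code base that contains the subclass keeps the check active for all other code, whereas the property flag turns it off for every subclass in the JVM.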