glassfish
  1. glassfish
  2. GLASSFISH-20839

Corba: GF QL failing with JDK7U25: java.security.AccessControlException

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Blocker Blocker
    • Resolution: Unresolved
    • Affects Version/s: 4.0
    • Fix Version/s: None
    • Component/s: orb
    • Labels:
      None

      Description

      GF full profile QL fails with this exception when
      running with JDK7U25. When running with JDK7U09, the failure
      does not occur.

      Logs here:
      http://gf-hudson.us.oracle.com/hudson/view/GlassFish/view/Trunk%20Continuous/job/gf-trunk-build-continuous/14626/
      Results here:
      http://gf-hudson.us.oracle.com/hudson/view/GlassFish/view/Trunk%20Continuous/job/gf-trunk-build-continuous/14626/testReport/

      It looks like the error is coming from Corba.

      Caused by: java.rmi.RemoteException: ; nested exception is:
      java.security.AccessControlException: access denied ("java.io.SerializablePermission" "enableSubclassImplementation")
      at com.sun.enterprise.naming.impl.LocalSerialContextProviderImpl.lookup(LocalSerialContextProviderImpl.java:142)
      at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:478)
      ... 93 more
      Caused by: java.security.AccessControlException: access denied ("java.io.SerializablePermission" "enableSubclassImplementation")
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
      at java.security.AccessController.checkPermission(AccessController.java:559)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
      at org.omg.CORBA_2_3.portable.OutputStream.checkPermission(OutputStream.java:65)
      at org.omg.CORBA_2_3.portable.OutputStream.<init>(OutputStream.java:81)
      at com.sun.corba.ee.impl.encoding.CDROutputObject.<init>(CDROutputObject.java:136)
      at com.sun.corba.ee.impl.encoding.EncapsOutputStream.<init>(EncapsOutputStream.java:97)
      at com.sun.corba.ee.impl.encoding.EncapsOutputStream.<init>(EncapsOutputStream.java:89)
      at com.sun.corba.ee.impl.orb.ORBImpl.create_output_stream(ORBImpl.java:706)
      at com.sun.corba.ee.impl.corba.AnyImpl.create_input_stream(AnyImpl.java:544)
      at org.omg.CosTransactions.OTSPolicyValueHelper.extract(OTSPolicyValueHelper.java:25)
      at com.sun.jts.pi.InterceptorImpl.send_request(InterceptorImpl.java:253)
      at com.sun.corba.ee.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:290)
      at com.sun.corba.ee.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:378)
      at com.sun.corba.ee.impl.protocol.ClientRequestDispatcherImpl.beginRequest(ClientRequestDispatcherImpl.java:324)
      at com.sun.corba.ee.impl.protocol.ClientDelegateImpl.request(ClientDelegateImpl.java:227)
      at com.sun.corba.ee.impl.protocol.ClientDelegateImpl.is_a(ClientDelegateImpl.java:392)
      at org.omg.CORBA.portable.ObjectImpl._is_a(ObjectImpl.java:130)
      at org.omg.CosNaming.NamingContextHelper.narrow(NamingContextHelper.java:69)
      at com.sun.jndi.cosnaming.CNCtx.callResolve(CNCtx.java:490)
      at com.sun.jndi.cosnaming.CNCtx.lookup(CNCtx.java:541)
      at com.sun.jndi.cosnaming.CNCtx.lookup(CNCtx.java:519)
      at javax.naming.InitialContext.lookup(InitialContext.java:411)
      at com.sun.enterprise.naming.util.IIOPObjectFactory.getObjectInstance(IIOPObjectFactory.java:71)
      at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:321)
      at com.sun.enterprise.naming.impl.LocalSerialContextProviderImpl.lookup(LocalSerialContextProviderImpl.java:133)
      ... 94 more
      ]]

        Activity

        Hide
        Joe Di Pol added a comment -

        Comments from JDK team:

        we fixed a vulnerability in JDK code around the org.omg.CORBA_2_3.portable.OutputStream class (7u25 fix). Any code extending that class will now need extra permission check if a security manager is installed.

        There is a property flag to allow subclass instantiations without the security check (jdk.corba.allowOutputStreamSubclass=true)

        Show
        Joe Di Pol added a comment - Comments from JDK team: we fixed a vulnerability in JDK code around the org.omg.CORBA_2_3.portable.OutputStream class (7u25 fix). Any code extending that class will now need extra permission check if a security manager is installed. There is a property flag to allow subclass instantiations without the security check (jdk.corba.allowOutputStreamSubclass=true)

          People

          • Assignee:
            russgold
            Reporter:
            Joe Di Pol
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated: