jaxb / JAXB-885

Security constraints not verified

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.2.3u1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:

      Google App Engine 1.6.2

      Description

      When running JAX 2.2.3-1 on the Google App Engine platform, the security constraints are violated. Checking the source code, the exception is thrown by:

      com.sun.xml.bind.v2.runtime.reflect.opt.Injector at line 179
      ...

      public Void run() {
          // TODO: check security implication
          // do these setAccessible allow anyone to call these methods freely?s
          defineClass.setAccessible(true);
          resolveClass.setAccessible(true);
          findLoadedClass.setAccessible(true);
          return null;
      }

      ...

      The developer team had left a TODO mark to fix exactly that.

        Activity

        Christian Lacerda added a comment -

        Hey yaroska, it works!

        Are there any side effects caused by this workaround?

        Thanks!!

        Iaroslav Savytskyi added a comment -

        Hi, Christian,

        It's not proved, but possibly you could mention some performance problems. Nobody ever tested the performance improvement of the optimisation you disabled with that systemProperty.

        Please let us know if you face some bad behaviour.

        Christian Lacerda added a comment -

        Hi Iaroslav,

        Although it is a difficult thing to measure, I'll be watching performance on my JAXB services. If some bad behavior appears, I'll notify you guys.

        Again, Thanks!!

        Martin Grebac added a comment -

        I'm updating the priority based on the main issue having been solved / worked around.

        Martin Grebac added a comment - - edited

        One additional idea is to detect the noOptimize automatically in the code by trying to change the classifier and catching the security exception - if we catch it, we'll defer to noOptimize; if successfully injected, we can continue with the optimized path. In this case no switch would be required (we'd have to warn/log somewhere that we're switching to the non-optimized path, though).

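The automatic detection suggested in the last comment could be implemented along these lines. This is an added example, not JAXB's own code; the class name `OptimizationProbe`, the `OPTIMIZE` flag and the log messages are assumptions.

```java
import java.lang.reflect.Method;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical helper (not JAXB code): decides once whether the optimized path is permitted. */
public final class OptimizationProbe {
    private static final Logger LOG = Logger.getLogger(OptimizationProbe.class.getName());

    /** True only if all three ClassLoader methods from the report could be made accessible. */
    public static final boolean OPTIMIZE = probe();

    private OptimizationProbe() {}

    static boolean probe() {
        try {
            // The same three protected ClassLoader methods that the quoted Injector code opens.
            Method defineClass = ClassLoader.class.getDeclaredMethod(
                    "defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE);
            Method resolveClass = ClassLoader.class.getDeclaredMethod("resolveClass", Class.class);
            Method findLoadedClass = ClassLoader.class.getDeclaredMethod("findLoadedClass", String.class);

            // The accessible flag belongs to each Method object, not to the method itself,
            // so these references must stay private to the code that needs them.
            defineClass.setAccessible(true);
            resolveClass.setAccessible(true);
            findLoadedClass.setAccessible(true);
            return true;
        } catch (NoSuchMethodException e) {
            LOG.log(Level.WARNING, "ClassLoader method missing; using non-optimized path", e);
            return false;
        } catch (RuntimeException e) {
            // SecurityException when a sandbox's SecurityManager denies the reflection
            // permission; on JDK 9+ strong encapsulation raises InaccessibleObjectException,
            // which is also a RuntimeException. Either way, fall back and say so in the log.
            LOG.log(Level.WARNING, "setAccessible denied; using non-optimized path", e);
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println(OPTIMIZE ? "optimized path available" : "non-optimized path selected");
    }
}
```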

          People

          • Assignee:
            miroslav.kos
            Reporter:
            Christian Lacerda
          • Votes:
            0
            Watchers:
            1
