
Key: STS-620
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Ben Gunter
Reporter: Matthew Altman
Votes: 0
Watchers: 1
Stripes

Stripes deployed in Tomcat with SecurityManager enabled throws AccessControlException

Created: 30/Oct/08 03:04 PM   Updated: 19/Feb/09 07:58 AM
Component/s: None
Affects Version/s: Release 1.4.3
Fix Version/s: Release 1.6, Release 1.5.1


Description
There are two classes
net.sourceforge.stripes.config.BootstrapPropertyResolver
net.sourceforge.stripes.util.ResolverUtil

that do not catch exceptions which then get thrown all the way back out and prevent Stripes from running in an environment with the SecurityManager enabled.

An example stacktrace is:
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission ActionResolver.PackageFilters read)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
       at java.security.AccessController.checkPermission(AccessController.java:546)
       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
       at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
       at java.lang.System.getProperty(System.java:652)
       at net.sourceforge.stripes.config.BootstrapPropertyResolver.getProperty(BootstrapPropertyResolver.java:68)
       at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.getPackageFilters(AnnotatedClassActionResolver.java:492)
       at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.findClasses(AnnotatedClassActionResolver.java:510)
       at net.sourceforge.stripes.controller.AnnotatedClassActionResolver.init(AnnotatedClassActionResolver.java:94)
       at net.sourceforge.stripes.controller.NameBasedActionResolver.init(NameBasedActionResolver.java:115)
       at net.sourceforge.stripes.config.DefaultConfiguration.init(DefaultConfiguration.java:101)
       ... 48 more

BootstrapPropertyResolver.getProperty() contains the following calls which could throw these types of exceptions:
FilterConfig.getInitParameter()
FilterConfig.getServletContext().getInitParameter()
System.getProperty()

ResolverUtil.loadImplementationsFromContextClassloader() contains the following call which could throw this exception:
ClassLoader.getParent()

Additionally, File.exists() and File.isDirectory() could also throw security exceptions, but if these calls are placed within the matchesAny() "if" block, then the locations can just be limited based on the ActionResolver.UrlFilters init-param.

Comments
Ben Gunter - 23/Dec/08 03:44 PM
I fixed this the best I could. BootstrapPropertyResolver will catch AccessControlExceptions when getting property values and log a debug message telling what happened if it can't read the property. ResolverUtil has changed significantly since this problem was reported and does not appear to have the same problems as before. Aside from the two changes noted below, everything worked fine after this code change.

Stripes still requires java.lang.RuntimePermission "accessDeclaredMembers", which is not in the default catalina.policy. It needs that one to find the event handler methods in the ActionBean classes.

I also had to allow file read for WEB-INF/classes/logging.properties. That appears to be normal since there was already a template in the catalina.policy file for it.
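
The guarded lookup described in this issue, as an added example that is not the Stripes source: each property source is tried in order, and a source the security policy denies is logged at debug level and skipped instead of aborting startup. The class name, the Function-based stand-ins for the servlet API calls and the sample values are assumptions; it catches SecurityException, the superclass of the AccessControlException shown in the stack trace.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added illustration; not the Stripes BootstrapPropertyResolver source. */
public class GuardedPropertyLookup {
    private static final Logger LOG = Logger.getLogger(GuardedPropertyLookup.class.getName());

    // Ordered sources, mirroring the three calls named in the report. The
    // Function stand-ins replace the servlet API so the class compiles alone.
    private final Map<String, Function<String, String>> sources = new LinkedHashMap<>();

    public GuardedPropertyLookup addSource(String name, Function<String, String> source) {
        sources.put(name, source);
        return this;
    }

    /** Returns the first non-null value; a denied source is logged and skipped. */
    public String getProperty(String key) {
        for (Map.Entry<String, Function<String, String>> e : sources.entrySet()) {
            try {
                String value = e.getValue().apply(key);
                if (value != null) { return value; }
            } catch (SecurityException denied) {
                // AccessControlException is a SecurityException. Only the
                // denial is swallowed; other runtime failures still propagate.
                LOG.log(Level.FINE, "Security policy denied read of {0} from {1}: {2}",
                        new Object[] {key, e.getKey(), denied.getMessage()});
            }
        }
        return null;
    }

    public static void main(String[] args) {
        GuardedPropertyLookup lookup = new GuardedPropertyLookup()
            // Constructed stand-in for FilterConfig.getInitParameter(): nothing configured.
            .addSource("filter init-param", key -> null)
            // Constructed stand-in for a source that the policy denies.
            .addSource("denied source", key -> {
                throw new SecurityException("access denied (constructed sample)");
            })
            // The real call from the trace; throws only under a restrictive policy.
            .addSource("system property", System::getProperty);
        System.setProperty("ActionResolver.PackageFilters", "com.example.action");
        System.out.println(lookup.getProperty("ActionResolver.PackageFilters"));
    }
}
```

Catching only the denial leaves the policy in force: the property stays unreadable from that source, and a caller that receives null falls back to its own default.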