-
1. Re: Testing jboss-reflect with a SecurityManager enabled
kabirkhan Mar 25, 2010 1:44 PM (in response to kabirkhan)
Kabir Khan wrote:
My plan there is to modify JavassistFieldInfo and JavassistMethodInfo to throw an exception if an attempt is made to access them if they are not public and there is a security manager present.
Actually, I will make this behave as their reflect counterparts:
    public static void checkAccess(MemberInfo info)
    {
       if (!info.isPublic() && System.getSecurityManager() != null)
          AccessController.checkPermission(new ReflectPermission("suppressAccessChecks"));
    }
This method will be called by JavassistFieldInfo.set()/get(), JavassistMethodInfo.invoke() and JavassistConstructorInfo.newInstance()
-
2. Re: Testing jboss-reflect with a SecurityManager enabled
adrian.brock Mar 25, 2010 1:49 PM (in response to kabirkhan)
Kabir Khan wrote:
The next problem is the Javassist version of the Field-/MethodAccessRestrictionTestCase. These fail since the javassist generated accessors (from JBREFLECT-6) are able to access private members, due to inheriting from sun.reflect.MagicAccessorImpl, so we don't get the expected exceptions when calling private members with a security manager enabled. My plan there is to modify JavassistFieldInfo and JavassistMethodInfo to throw an exception if an attempt is made to access them if they are not public and there is a security manager present.
No, if there is a SecurityManager you should do a similar check to what is done by the Reflection based api,
i.e. whether the caller has the "suppressAccessChecks" permission.
See ReflectionMethodInfoImpl.
P.S. I don't think you've solved the whole problem, see
https://jira.jboss.org/jira/browse/JBREFLECT-2
e.g. the MagicAccessorImpl trick doesn't work on jrockit for classes outside the bootstrap classloader.
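The check Adrian describes, worked through as an added example (this is not code from the thread or from jboss-reflect; the class, method and policy names are made up for the demo). It applies the same rule the java.lang.reflect API applies: with no SecurityManager the guard is a no-op, and with one installed a non-public member is reachable only if every caller on the stack holds ReflectPermission("suppressAccessChecks"). The constructed policy grants everything except that permission, which is how untrusted code sees a locked-down deployment. It assumes a JDK where a SecurityManager can still be installed at runtime (JDK 16 or earlier, or JDK 17+ started with -Djava.security.manager=allow):

```java
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class MemberAccessGuard {

    // Same rule the java.lang.reflect API applies: a non-public member may only be
    // reached when every caller on the stack holds ReflectPermission("suppressAccessChecks").
    static void checkAccess(Member member) {
        if (!Modifier.isPublic(member.getModifiers()) && System.getSecurityManager() != null) {
            AccessController.checkPermission(new ReflectPermission("suppressAccessChecks"));
        }
    }

    // Stand-in for a generated accessor. The guard runs before the invocation, so an
    // accessor that bypasses the JVM's own language access checks (as a MagicAccessorImpl
    // subclass does) still fails the same way the reflection API would.
    static Object invoke(Method method, Object target, Object... args) throws Exception {
        checkAccess(method);
        if (!Modifier.isPublic(method.getModifiers())) {
            method.setAccessible(true);
        }
        return method.invoke(target, args);
    }

    // Constructed sample target with one public and one private method.
    static class Widget {
        public String name() { return "widget"; }
        private String secret() { return "s3cr3t"; }
    }

    // Constructed policy (hypothetical name): grant everything except suppressAccessChecks.
    static class NoSuppressPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return !(permission instanceof ReflectPermission
                     && "suppressAccessChecks".equals(permission.getName()));
        }
    }

    public static void main(String[] args) throws Exception {
        Widget w = new Widget();
        Method pub = Widget.class.getDeclaredMethod("name");
        Method priv = Widget.class.getDeclaredMethod("secret");

        // Without a SecurityManager the guard does nothing, exactly like the reflection API.
        System.out.println("no SecurityManager, private member: " + invoke(priv, w));

        Policy.setPolicy(new NoSuppressPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("SecurityManager, public member:  " + invoke(pub, w));
        try {
            invoke(priv, w);
            System.out.println("SecurityManager, private member: unexpectedly allowed");
        } catch (AccessControlException e) {
            // Expected: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
            System.out.println("SecurityManager, private member: denied, " + e.getPermission());
        }
    }
}
```

The order matters: the guard is evaluated before anything that could hand out a private member, so a caller without the permission gets an AccessControlException rather than the value, which is the behaviour the Field-/MethodAccessRestrictionTestCase expects.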
-
3. Re: Testing jboss-reflect with a SecurityManager enabled
kabirkhan Mar 25, 2010 2:37 PM (in response to adrian.brock)
This has been committed against https://jira.jboss.org/jira/browse/JBREFLECT-109.
I did not need the extra permissions in ContainerTestPlugin, all that was needed was a IntrospectionEnumTestCase.properties:
test.Permission.0=java.lang.RuntimePermission, accessClassInPackage.sun.reflect.annotation
Without that I got this
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.reflect.annotation)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:327)
at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:398)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:247)
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:604)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1575)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1496)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1732)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at java.util.HashMap.readObject(HashMap.java:1030)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:974)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1849)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at java.util.HashMap.readObject(HashMap.java:1030)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:974)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1849)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at org.jboss.test.AbstractTestCase.deserialize(AbstractTestCase.java:352)
at org.jboss.test.classinfo.test.AbstractClassInfoTest.access$0(AbstractClassInfoTest.java:1)
at org.jboss.test.classinfo.test.AbstractClassInfoTest$1.run(AbstractClassInfoTest.java:100)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.test.classinfo.test.AbstractClassInfoTest.testBasics(AbstractClassInfoTest.java:96)
at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnum(ClassInfoEnumTest.java:71)
at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnumFieldAnnotation(ClassInfoEnumTest.java:64)
-
4. Re: Testing jboss-reflect with a SecurityManager enabled
adrian.brock Mar 25, 2010 3:13 PM (in response to kabirkhan)
Kabir Khan wrote:
This has been committed against https://jira.jboss.org/jira/browse/JBREFLECT-109.
I did not need the extra permissions in ContainerTestPlugin, all that was needed was a IntrospectionEnumTestCase.properties:
test.Permission.0=java.lang.RuntimePermission, accessClassInPackage.sun.reflect.annotation
Without that I got this
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.reflect.annotation)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:327)
at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:398)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:247)
at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:604)
<snip/>
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at java.util.HashMap.readObject(HashMap.java:1030)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:974)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1849)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1947)
at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1871)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1753)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1329)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:351)
at org.jboss.test.AbstractTestCase.deserialize(AbstractTestCase.java:352)
at org.jboss.test.classinfo.test.AbstractClassInfoTest.access$0(AbstractClassInfoTest.java:1)
at org.jboss.test.classinfo.test.AbstractClassInfoTest$1.run(AbstractClassInfoTest.java:100)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.test.classinfo.test.AbstractClassInfoTest.testBasics(AbstractClassInfoTest.java:96)
at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnum(ClassInfoEnumTest.java:71)
at org.jboss.test.classinfo.test.ClassInfoEnumTest.testEnumFieldAnnotation(ClassInfoEnumTest.java:64)
That actually looks like a bug to me.
We are assuming that the annotations cached in InheritableAnnotationsHolder can be Serialized, but
there's no guarantee in the spec that Annotations are Serializable.
It just so happens that the ones Sun implements are, but it obviously fails to Serialize them if you have a
SecurityManager enabled due to the package restriction.
In a different JDK they might not even be Serializable.
More correctly we should reget the annotations during the readObject() processing rather than serializing them,
or probably, just let the state revert back to UNKNOWN_ANNOTATIONS_*.
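The second option Adrian suggests, as an added example (not code from the thread or from jboss-reflect): the cached annotations are held in a transient field and the holder reverts to an "unknown" state in readObject(), so annotation proxies are never written to the stream and are re-read from the Class after deserialization. The class name, the UNKNOWN_ANNOTATIONS sentinel and the sample @Marker annotation are constructed for the demo; the thread only refers to UNKNOWN_ANNOTATIONS_* constants without showing them:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.annotation.Annotation;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.util.Arrays;

public class LazyAnnotationsHolder implements Serializable {
    private static final long serialVersionUID = 1L;

    // Sentinel for "not looked up yet" (constructed name, standing in for the
    // UNKNOWN_ANNOTATIONS_* state the thread mentions).
    private static final Annotation[] UNKNOWN_ANNOTATIONS = new Annotation[0];

    // java.lang.Class is Serializable on every JDK; the annotation proxies are not
    // guaranteed to be, so they are kept transient and never reach the stream.
    private final Class<?> annotatedClass;
    private transient Annotation[] annotations = UNKNOWN_ANNOTATIONS;

    LazyAnnotationsHolder(Class<?> annotatedClass) {
        this.annotatedClass = annotatedClass;
    }

    // Resolve from the Class on first use, and again after deserialization.
    synchronized Annotation[] getAnnotations() {
        if (annotations == UNKNOWN_ANNOTATIONS) {
            annotations = annotatedClass.getAnnotations();
        }
        return annotations;
    }

    synchronized boolean isResolved() {
        return annotations != UNKNOWN_ANNOTATIONS;
    }

    // Transient fields come back as null; put the holder back into the UNKNOWN state instead.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        annotations = UNKNOWN_ANNOTATIONS;
    }

    // Serialize and deserialize through an in-memory buffer.
    static <T extends Serializable> T roundTrip(T value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            @SuppressWarnings("unchecked")
            T copy = (T) in.readObject();
            return copy;
        }
    }

    // Constructed sample annotation and annotated class.
    @Retention(RetentionPolicy.RUNTIME)
    @interface Marker {
        String value();
    }

    @Marker("sample")
    static class Annotated {
    }

    public static void main(String[] args) throws Exception {
        LazyAnnotationsHolder holder = new LazyAnnotationsHolder(Annotated.class);
        System.out.println("before serialization: " + Arrays.toString(holder.getAnnotations()));

        LazyAnnotationsHolder copy = roundTrip(holder);
        System.out.println("resolved right after deserialization: " + copy.isResolved());
        System.out.println("after re-resolving:   " + Arrays.toString(copy.getAnnotations()));
    }
}
```

Because only the Class reference is written, the stream no longer contains sun.reflect.annotation proxies, so the accessClassInPackage.sun.reflect.annotation check in the stack trace above is never triggered, and the holder works the same on a JDK whose annotation implementations are not Serializable at all.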
-
5. Re: Testing jboss-reflect with a SecurityManager enabled
kabirkhan Mar 26, 2010 9:34 AM (in response to adrian.brock)
This is a deeper problem than I first assumed. Most things that call AbstractClassInfoTest.testBasics() have not yet loaded things like the fields, methods etc. so this problem does not occur. If I modify them to have loaded these annotated members I get a lot of errors.
I'll fix this
-
6. Re: Testing jboss-reflect with a SecurityManager enabled
kabirkhan Mar 27, 2010 7:08 AM (in response to kabirkhan)
Kabir Khan wrote:
This is a deeper problem than I first assumed. Most things that call AbstractClassInfoTest.testBasics() have not yet loaded things like the fields, methods etc. so this problem does not occur. If I modify them to have loaded these annotated members I get a lot of errors.
I'll fix this