4 Replies Latest reply on Jan 21, 2010 7:44 PM by Pete Muir

    Enabling Security Manager in Glassfish v3 Final

    Cory Prowse Newbie

      I have downloaded the recently released Glassfish v3 Final and attempted to run a simple application with the security manager enabled (by default it is disabled; enabling it is just adding the JVM option -Djava.security.manager to the Glassfish domain).


      However, now whenever the following code is called from a JSF2/Facelets page:
        currentFacesContext.getExternalContext().isUserInRole(admin);


      I get:
        java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)


      The closest information I could find relating to this is an issue lodged back in August:
        https://jira.jboss.org/jira/browse/WELD-32


      Would it be issue WELD-32 causing this problem as well?

        • 1. Re: Enabling Security Manager in Glassfish v3 Final
          Nicklas Karlsson Master

          Could be, please post the full stack trace.


          I noticed the issue is open and the patch unapplied, so I guess the issue has not gone away by itself. I'll talk to Pete when he gets back in case he has some Grand Scheme regarding security control for reflection operations (as he hints in the JIRA comments).

          • 2. Re: Enabling Security Manager in Glassfish v3 Final
            Cory Prowse Newbie

            No problem, the code in question is:


                @Resource
                private javax.ejb.EJBContext currentEjbContext;
            
                public boolean isInRoleAdmin() {
                    return currentEjbContext.isCallerInRole("admin");
                }
            



            The full stacktrace is:


            java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
                 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
                 at java.security.AccessController.checkPermission(AccessController.java:546)
                 at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
                 at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
                 at org.jboss.weld.util.Reflections.lookupMethod(Reflections.java:646)
                 at org.jboss.weld.util.Reflections.lookupMethod(Reflections.java:623)
                 at org.jboss.weld.util.Reflections.lookupMethod(Reflections.java:605)
                 at org.jboss.weld.bean.proxy.ClientProxyMethodHandler.invoke(ClientProxyMethodHandler.java:113)
                 at au.projectx.UserBean_$$_javassist_19.isInRoleAdmin(UserBean_$$_javassist_19.java)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:597)
                 at javax.el.BeanELResolver.getValue(BeanELResolver.java:302)
                 at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:175)
                 at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72)
                 at com.sun.el.parser.AstValue.getValue(AstValue.java:116)
                 at com.sun.el.parser.AstValue.getValue(AstValue.java:163)
                 at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:219)
                 at org.jboss.weld.el.WeldValueExpression.getValue(WeldValueExpression.java:71)
                 at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:102)
                 at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:190)
                 at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:416)
                 at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1607)
                 at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1616)
                 at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1616)
                 at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:380)
                 at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:126)
                 at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:273)
                 at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:127)
                 at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
                 at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
                 at javax.faces.webapp.FacesServlet.service(FacesServlet.java:313)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                 at java.lang.reflect.Method.invoke(Method.java:597)
                 at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
                 at java.security.AccessController.doPrivileged(Native Method)
                 at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
                 at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
                 at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
                 at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1516)
                 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
                 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
                 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
                 at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
                 at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
                 at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:332)
                 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:233)
                 at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:165)
                 at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:791)
                 at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:693)
                 at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:954)
                 at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:170)
                 at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
                 at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
                 at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
                 at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
                 at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
                 at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
                 at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
                 at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
                 at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
                 at java.lang.Thread.run(Thread.java:637)
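
Added example, not part of the thread and not Weld's code or the WELD-32 patch: in the trace above, `setAccessible` is reached from `Reflections.lookupMethod` with no intervening `doPrivileged`, so every protection domain on the stack down to the nearest privileged frame must hold `ReflectPermission suppressAccessChecks`. The hypothetical `PrivilegedReflection` helper below shows the usual library-side pattern that confines the check to the library's own code base; the class, the `Sample` bean and the policy path are assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper (not Weld's Reflections class). The reflective lookup
// runs inside doPrivileged, so the permission check stops at this class's
// protection domain instead of walking up into application classes.
// Matching policy entry, scoped to the library only (placeholder path):
//   grant codeBase "file:/PLACEHOLDER/library.jar" {
//     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
//     permission java.lang.RuntimePermission "accessDeclaredMembers";
//   };
final class PrivilegedReflection {

    // Package-private on purpose: a public privileged helper would lend the
    // library's permissions to any caller that can reach it.
    static Method lookupMethod(final Class<?> type, final String name,
            final Class<?>... parameterTypes) throws NoSuchMethodException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Method>() {
                @Override
                public Method run() throws NoSuchMethodException {
                    // Walk the hierarchy so non-public inherited methods are found.
                    for (Class<?> c = type; c != null; c = c.getSuperclass()) {
                        try {
                            Method m = c.getDeclaredMethod(name, parameterTypes);
                            m.setAccessible(true); // checked against this domain only
                            return m;
                        } catch (NoSuchMethodException notHere) {
                            // not declared on this class; try the superclass
                        }
                    }
                    throw new NoSuchMethodException(type.getName() + "." + name);
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only NoSuchMethodException, so the cast is safe.
            throw (NoSuchMethodException) e.getException();
        }
    }

    // Constructed stand-in for the bean in the thread.
    static final class Sample {
        private boolean isInRoleAdmin() { return false; }
    }

    public static void main(String[] args) throws Exception {
        Method m = lookupMethod(Sample.class, "isInRoleAdmin");
        System.out.println(m.getName() + " -> " + m.invoke(new Sample()));
    }
}
```

Granting `suppressAccessChecks` to application code bases instead would also silence the exception, but it lets that code bypass Java access checks everywhere, which is a much broader grant than the library-scoped one shown in the comment.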
            

            • 4. Re: Enabling Security Manager in Glassfish v3 Final
              Pete Muir Master

              Cory, please make sure to vote for the issue so we can judge interest...