Bug 46096 - DefaultAnnotationProcessor.processAnnotations should use doPrivileged to call getDeclaredFields
Summary: DefaultAnnotationProcessor.processAnnotations should use doPrivileged to call...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Jasper (show other bugs)
Version: 6.0.18
Hardware: PC Windows Vista
: P2 normal (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-27 05:44 UTC by Richard Evans
Modified: 2008-11-04 19:26 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Evans 2008-10-27 05:44:55 UTC
If tomcat is running with a SecurityManager, and a JSP uses PageContext.forward, DefaultAnnotationProcessor code can be called with untristed code on the call stack.

The processAnnotations method contains the line:

   Field[] fields = instance.getClass().getDeclaredFields();

getDeclaredFields() is subject to security checks so this throws a java.security.AccessControlException.

DefaultAnnotationProcessor is part of the code in the catlina lib directory, which is granted AllPermissions in the standard policy file.  However, because there is untrusted JSP code on the stack, these permissions are not used.

The call to getDeclaredFields() should be wrapped in an AccessController.doPrivileged call to avoid the exception.
Comment 1 Mark Thomas 2008-10-27 11:27:06 UTC
This has been fixed in trunk and a patch (http://people.apache.org/~markt/patches/2008-10-27-bug46096.patch) proposed for 6.0.x
Comment 2 Richard Evans 2008-10-31 05:21:13 UTC
As a temporary workround, I added a java.lang.RuntimePermission for JSPs to catalina.policy.

I then had a different exception:

java.security.AccessControlException: access denied (java.util.PropertyPermission org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER read)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
	at java.security.AccessController.checkPermission(AccessController.java:546)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
	at java.lang.System.getProperty(System.java:688)
	at org.apache.jasper.runtime.BodyContentImpl.<clinit>(BodyContentImpl.java:44)
	at org.apache.jasper.runtime.PageContextImpl.pushBody(PageContextImpl.java:717)
	at org.apache.jasper.runtime.PageContextImpl.pushBody(PageContextImpl.java:707)

I think the property access in BodyContentImpl also needs to run in a privileged block.  Or the class should be initialized at startup.

This probably should be a different bug?
Comment 3 Mark Thomas 2008-11-01 17:44:21 UTC
Comment#2 looks like a configuration issue. The security policy already grants that permission to all code.
Comment 4 Mark Thomas 2008-11-04 19:26:46 UTC
This has been fixed in 6.0.x and will be in 6.0.19 onwards.