Description
This bug involves hitting a public page flow action with a Java security policy enabled. You should be able to hit the action if it's public, even if the policy restricts access to private and protected members.
Repro (the easiest way to reproduce this):
- cd to $CATALINA_HOME/bin.
- create a file called mysecurity.policy (and REPLACE my c:/prog/... tomcat/jdk directories with ones of your own):
—
grant codeBase "file:///c:/prog/jakarta-tomcat-5.0.25/-" { permission java.security.AllPermission; };
grant codeBase "file:///c:/prog/jdk1.5.0/-"{ permission java.security.AllPermission; };
{ permission java.util.PropertyPermission "*", "read"; permission java.lang.RuntimePermission "accessDeclaredMembers"; }
grant;
—
- set the JAVA_OPTS environment variable:
(windows) set JAVA_OPTS=-Djava.security.manager -Djava.security.policy=mysecurity.policy
(linux) export JAVA_OPTS="-Djava.security.manager -Djava.security.policy=mysecurity.policy"
- start tomcat:
(windows) .\startup.bat
(linux) ./startup.sh
Deploy a webapp and hit any page flow action method (a method, not a @Jpf.SimpleAction). You get the following exception:
java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
java.security.AccessController.checkPermission(AccessController.java:427)
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
org.apache.beehive.netui.pageflow.FlowController.getActionMethod(FlowController.java:698)
org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:745)
org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:426)
org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:285)
org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:306)
org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:48)
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:421)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:104)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:1998)
org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors$WrapActionInterceptorChain.continueChain(ActionInterceptors.java:63)
org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:86)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2067)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:226)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:593)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:866)
org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:600)
org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:163)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:397)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:241)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)
java.security.AccessController.doPrivileged(Native Method)
java.security.AccessController.doPrivileged(Native Method)
org.apache.beehive.netui.pageflow.internal.DefaultForwardRedirectHandler.forward(DefaultForwardRedirectHandler.java:127)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.doForward(PageFlowRequestProcessor.java:1774)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processPageFlowRequest(PageFlowRequestProcessor.java:764)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:518)
org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:866)
org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:600)
org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:163)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:397)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:241)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)