Uploaded image for project: 'ActiveMQ Artemis'
  1. ActiveMQ Artemis
  2. ARTEMIS-294

Make ServiceUtils loads its services within doPrivileged block

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.1.0
    • 1.2.0
    • Broker
    • None

    Description

      We have tests that fails when the JVM is running a Security Manager.

      1) IJ000604: Throwable while attempting to get a new connection: null: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/opt/buildAgent/work/6da23a4ee9951677/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/wildfly/extension/messaging-activemq/main/wildfly-messaging-activemq-10.0.0.CR5-SNAPSHOT.jar" "read")" in code source "(vfs:/content/DefaultJMSConnectionFactoryTest.jar <no signer certificates>)" of "null")
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:377)
    at java.util.zip.ZipFile.<init>(ZipFile.java:210)
    at java.util.zip.ZipFile.<init>(ZipFile.java:149)
    at java.util.jar.JarFile.<init>(JarFile.java:166)
    at java.util.jar.JarFile.<init>(JarFile.java:103)
    at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
    at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
    at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
    at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
    at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
    at java.net.URL.openStream(URL.java:1038)
    at java.util.ServiceLoader.parse(ServiceLoader.java:304)
    at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
    at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
    at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
    at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
    at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
    at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
    at org.apache.activemq.artemis.service.extensions.ServiceUtils.setActiveMQXAResourceWrapperFactory(ServiceUtils.java:72)
    at org.apache.activemq.artemis.service.extensions.ServiceUtils.getActiveMQXAResourceWrapperFactory(ServiceUtils.java:40)
    at org.apache.activemq.artemis.service.extensions.ServiceUtils.wrapXAResource(ServiceUtils.java:46)
    at org.apache.activemq.artemis.ra.ActiveMQRAManagedConnection.getXAResource(ActiveMQRAManagedConnection.java:480)
    at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.createConnectionListener(TxConnectionManagerImpl.java:715)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1345)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:501)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:717)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:614)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:603)
    at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:761)
    at org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.allocateConnection(ActiveMQRASessionFactoryImpl.java:853)
    at org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.createSession(ActiveMQRASessionFactoryImpl.java:520)
   ...

      After debugging, the issue is in the RA's ServiceUtils that loads its services outside a AccessController.doPriviledged block. Depending on who's requesting the RA's managed connection, it may not have the required permissions to load the services.

      In addition, the ServiceUtils loads its services using the TCCL and caches its activeMQXAResourceWrapperFactory instance.
      Depending on who's requesting a managed connection, the TCCL might differ. It'd be better to use the ServiceUtils's own class loader instead.

      Attachments

        Activity

          People

            jbertram Justin Bertram
            jmesnil Jeff Mesnil
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: