Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
-
None
-
Operating System: All
Platform: All
-
21618
Description
Currently, Struts 1.1 is using beansutil.MappedPropertyDescriptor in its
processing. The method getPublicDeclaredMethods() in that class is
requiring a very potent Java2 security permission, which appears to not be
necessary. This is a concern for us because we want to run Struts 1.1 code
in an ASP type of environment in which the application code cannot be
trusted. Therefore we want to severely limit the granted Java2 permissions to
the application code.
Specifically,
org.apache.commons.beanutils.MappedPropertyDescriptor tries to invoke
Class.getDeclaredMethods() for a particular class, which returns a set of
public/protected/private/default classes declared exclusively by that
class. Since it reflects a class and returns the public as well as
non-public methods, the SecurityManager.checkMemberAccess method gets
invoked with Member.DECLARED access level. Apparently, the Jakarta class
assumes it has enough permissions to perform the call, so it tries to wrap
the call in a doPrivileged block. From looking at the code, it appears
that the class just wants to cache a set of public Method objects that are
exclusively declared by a particular class (not inherited from parent
classes).
Perhaps the MethodPropertyDesc can instead call Class.getMethods() to get a
set of public methods accessible in a particular class. For each Method
object in the resulting set, it can check if the method is declared by the
expected class by checking Method.getDeclaringClass(). This would require
fewer permissions, as SecurityManager.checkMemberAccess would only need a
Member.PUBLIC access clearance.
If you think it would not be wise to make this kind of code change for the
main line path, perhaps you could put a try .. catch block around the
getDeclaredMethods call to catch the potential SecurityException and
perform the proposed logic in the exception case only.