BEEHIVE-815

Nested controls: cannot initialize a public control field when using a Java security manager

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: v1m1
    • Fix Version/s: None
    • Component/s: Controls
    • Labels:
      None

      Description

      This bug involves using a public @Control field, which should be possible even if "suppressAccessChecks" is not set in the security policy.

      Repro (the easiest way to reproduce this):

      • cd to $CATALINA_HOME/bin.
      • create a file called mysecurity.policy (and REPLACE my c:/prog/... tomcat/jdk directories with ones of your own):

        grant codeBase "file:///c:/prog/jakarta-tomcat-5.0.25/-" { permission java.security.AllPermission; };
        grant codeBase "file:///c:/prog/jdk1.5.0/-" { permission java.security.AllPermission; };
        grant { permission java.util.PropertyPermission "*", "read"; permission java.lang.RuntimePermission "accessDeclaredMembers"; };

      • set the JAVA_OPTS environment variable:
        (windows) set JAVA_OPTS=-Djava.security.manager -Djava.security.policy=mysecurity.policy
        (linux) export JAVA_OPTS="-Djava.security.manager -Djava.security.policy=mysecurity.policy"
      • start tomcat:
        (windows) .\startup.bat
        (linux) ./startup.sh
      • Overlay the attached page flow and controls onto a webapp, and deploy it to the running tomcat.
      • Hit the page flow (/usecontrol/Controller.jpf):

      EXPECTED: see the message "hello there" in the displayed page.
      ACTUAL: a series of exceptions, with this root cause:

      Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
      at java.security.AccessController.checkPermission(AccessController.java:427)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
      at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
      at usecontrol.ControllerClientInitializer.<clinit>(ControllerClientInitializer.java:21)
      ... 85 more

      1. jira815.zip
        3 kB
        Rich Feit
      2. j815-exceptions.txt
        49 kB
        Rich Feit

        Activity

        Rich Feit created issue -
        Rich Feit added a comment -

        Repro page flow and controls.

        Rich Feit made changes -
        Field Original Value New Value
        Attachment jira815.zip [ 12310743 ]
        Rich Feit added a comment -

        The fix for this one isn't as clear as it was for http://issues.apache.org/jira/browse/BEEHIVE-813 (the NetUI issue). In this case, src/runtime/org/apache/beehive/controls/runtime/generator/ClientInitializer.vm and src/runtime/org/apache/beehive/controls/runtime/generator/ImplInitializer.vm can be modified like this:

        #foreach ($field in $init.reflectFields)
        $field.reflectField = $

        {client.className}

        .class.getDeclaredField("$field.name");

        • $ {field.reflectField}.setAccessible(true);
          + if (! Modifier.isPublic(${field.reflectField}

          .getModifiers()))
          +

          Unknown macro: {+ ${field.reflectField}.setAccessible(true);+ }

          #end
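
        Review bot: the added Modifier.isPublic(${field.reflectField}.getModifiers()) guard tests only the field's own modifiers; a public field declared in a non-public class still fails the reflective access check unless setAccessible(true) is called, so the condition should also test ${field.reflectField}.getDeclaringClass().getModifiers(). The non-public branch still calls setAccessible(true) from the static initializer, so under a policy that lacks ReflectPermission suppressAccessChecks those fields keep failing in the same way; the change needs a note on that, or a different initialization path for them.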

        However, the generated nested control Field object always has package protected access, even if the actual control field is public in the control implementation, e.g.,

        static final Field __containedField;

        Kyle Marvin added a comment -

        Sounds like a bug in the codegen of the client initializer, as the failure has setAccessible() on the stack. It should be code-genning a direct field assignment if it is public.
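
The two approaches raised in the comments above (guarding setAccessible() and assigning a public field directly), as an added Java example that is not Beehive's generated code. The Client and Nested classes and their field names are hypothetical, the guard also checks the declaring class, which goes beyond the template change quoted above, and no security manager is installed here.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

// Added illustration: Client, Nested and the field names are hypothetical,
// not classes generated by Beehive.
public class PublicFieldInit {
    public static class Nested {
        public String hello() { return "hello there"; }
    }

    public static class Client {
        public Nested publicControl;    // public field in a public class
        private Nested privateControl;  // reflection needs setAccessible(true)
    }

    // True only when a reflective write needs access checks suppressed:
    // the field or its declaring class is not public.
    static boolean needsSetAccessible(Field f) {
        return !Modifier.isPublic(f.getModifiers())
            || !Modifier.isPublic(f.getDeclaringClass().getModifiers());
    }

    // Reflective initializer with the guard. setAccessible(true) is the call
    // that demands ReflectPermission("suppressAccessChecks") under a security
    // manager, so it is skipped whenever the field is already accessible.
    static void init(Object client, String fieldName, Object value)
            throws ReflectiveOperationException {
        Field f = client.getClass().getDeclaredField(fieldName);
        if (needsSetAccessible(f)) {
            f.setAccessible(true);
        }
        f.set(client, value);
    }

    public static void main(String[] args) throws Exception {
        Client c = new Client();
        init(c, "publicControl", new Nested());   // guard skips setAccessible
        init(c, "privateControl", new Nested());  // guard calls setAccessible
        // Direct assignment, which a generator can emit for a public field,
        // uses no reflection and so triggers no permission check at all.
        c.publicControl = new Nested();
        System.out.println(c.publicControl.hello());
        System.out.println(needsSetAccessible(Client.class.getDeclaredField("publicControl")));
        System.out.println(needsSetAccessible(Client.class.getDeclaredField("privateControl")));
    }
}
```

Under the policy from the repro, getDeclaredField() is covered by the granted accessDeclaredMembers permission, so only the setAccessible(true) call on the non-public field would still be denied.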

        Chad Schoettger made changes -
        Assignee Chad Schoettger [ chad_s ]
        Chad Schoettger added a comment -

        I was unable to reproduce this bug with the current beehive codebase.

        Chad Schoettger made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Cannot Reproduce [ 5 ]
        Assignee Chad Schoettger [ chad_s ] Rich Feit [ rich ]
        Rich Feit added a comment -

        Hey Chad, I still get the same behavior. I'm attaching the exceptions that get spit into the log. Let me know if you need help repro'ing this.

        Rich Feit made changes -
        Status Resolved [ 5 ] Reopened [ 4 ]
        Assignee Rich Feit [ rich ] Chad Schoettger [ chad_s ]
        Resolution Cannot Reproduce [ 5 ]
        Rich Feit added a comment -

        Exceptions in the log when hitting /usecontrol/Controller.jpf

        Rich Feit made changes -
        Attachment j815-exceptions.txt [ 12314796 ]
        Chad Schoettger made changes -
        Assignee Chad Schoettger [ chad_s ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Rich Feit
          • Votes:
            0
            Watchers:
            0