Uploaded image for project: 'Groovy'
  1. Groovy
  2. GROOVY-6512

AccessControlException at at org.codehaus.groovy.runtime.ProxyGeneratorAdapter$InnerLoader.<init>

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.2
    • Component/s: groovy-runtime
    • Labels:
      None

      Description

      Instantiating at org.codehaus.groovy.runtime.ProxyGeneratorAdapter creates a ClassLoader. When a SecurityManager is enabled, this requires the java.lang.RuntimePermission "createClassLoader" permission to be granted.

      java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
              at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
              at java.security.AccessController.checkPermission(AccessController.java:560)
              at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
              at com.quest.nitro.bootstrap.ForgeSecurityManager.checkPermission(ForgeSecurityManager.java:154)
              at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
              at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:273)
              at java.lang.ClassLoader.<init>(ClassLoader.java:315)
              at org.codehaus.groovy.runtime.ProxyGeneratorAdapter$InnerLoader.<init>(ProxyGeneratorAdapter.java:801)
              at org.codehaus.groovy.runtime.ProxyGeneratorAdapter.<init>(ProxyGeneratorAdapter.java:151)
              at groovy.util.ProxyGenerator.instantiateAggregate(ProxyGenerator.java:161)
              at groovy.util.ProxyGenerator.instantiateAggregateFromBaseClass(ProxyGenerator.java:117)
              at groovy.util.ProxyGenerator.instantiateAggregateFromBaseClass(ProxyGenerator.java:103)
              at org.codehaus.groovy.runtime.DefaultGroovyMethods.asType(DefaultGroovyMethods.java:8087)
              at org.codehaus.groovy.runtime.dgm$48.invoke(Unknown Source)
              at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:271)
              at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
              at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
      

      While we would grant this permission to the Groovy implementation, granting this permission to all (i.e., untrusted) protection domains that might appear on the stack weakens our security policy.

      The solution is to instantiate InnerLoader within a privileged block (i.e., AccessController.doPrivileged(new PrivilegedAction<InnerLoader>().... This would limit the protection domains that are checked to the groovy code itself, so that a specific grant for the groovy codebase could be made.

        Attachments

          Activity

            People

            • Assignee:
              blackdrag Jochen Theodorou
              Reporter:
              aneilson Andy Neilson
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: