Details
- Bug
- Status: Closed
- Minor
- Resolution: Fixed
- 2.2.1
- None
Description
Instantiating an org.codehaus.groovy.runtime.ProxyGeneratorAdapter creates a ClassLoader. When a SecurityManager is enabled, this requires the java.lang.RuntimePermission "createClassLoader" permission to be granted.
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
    at java.security.AccessController.checkPermission(AccessController.java:560)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at com.quest.nitro.bootstrap.ForgeSecurityManager.checkPermission(ForgeSecurityManager.java:154)
    at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
    at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:273)
    at java.lang.ClassLoader.<init>(ClassLoader.java:315)
    at org.codehaus.groovy.runtime.ProxyGeneratorAdapter$InnerLoader.<init>(ProxyGeneratorAdapter.java:801)
    at org.codehaus.groovy.runtime.ProxyGeneratorAdapter.<init>(ProxyGeneratorAdapter.java:151)
    at groovy.util.ProxyGenerator.instantiateAggregate(ProxyGenerator.java:161)
    at groovy.util.ProxyGenerator.instantiateAggregateFromBaseClass(ProxyGenerator.java:117)
    at groovy.util.ProxyGenerator.instantiateAggregateFromBaseClass(ProxyGenerator.java:103)
    at org.codehaus.groovy.runtime.DefaultGroovyMethods.asType(DefaultGroovyMethods.java:8087)
    at org.codehaus.groovy.runtime.dgm$48.invoke(Unknown Source)
    at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:271)
    at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53)
    at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
While we would grant this permission to the Groovy implementation, granting this permission to all (i.e., untrusted) protection domains that might appear on the stack weakens our security policy.
The solution is to instantiate InnerLoader within a privileged block (i.e., AccessController.doPrivileged(new PrivilegedAction<InnerLoader>() ...)). This would limit the protection domains that are checked to the Groovy code itself, so that a specific grant for the Groovy codebase could be made.
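The privileged-block pattern described above, as an added example that is not the reporter's code or the actual Groovy fix. The class `PrivilegedLoaderExample`, its stand-in `InnerLoader`, and the jar path in the policy comment are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; names are hypothetical and this is not Groovy's source.
//
// Policy entry that becomes sufficient once the loader is created in a
// privileged block (jar path is a placeholder):
//   grant codeBase "file:/path/to/groovy.jar" {
//       permission java.lang.RuntimePermission "createClassLoader";
//   };
public class PrivilegedLoaderExample {

    /** Stand-in for ProxyGeneratorAdapter's InnerLoader. */
    static final class InnerLoader extends ClassLoader {
        InnerLoader(ClassLoader parent) {
            super(parent); // ClassLoader.<init> calls checkCreateClassLoader()
        }
    }

    /** Before: every protection domain on the call stack needs createClassLoader. */
    static InnerLoader createUnprivileged(ClassLoader parent) {
        return new InnerLoader(parent);
    }

    /**
     * After: the permission check stops at the frame that calls doPrivileged,
     * so only this class's protection domain must hold the permission.
     * Keep the block minimal: it does nothing but construct the loader.
     */
    @SuppressWarnings({"deprecation", "removal"}) // AccessController is deprecated since Java 17
    static InnerLoader createPrivileged(final ClassLoader parent) {
        return AccessController.doPrivileged(new PrivilegedAction<InnerLoader>() {
            @Override
            public InnerLoader run() {
                return new InnerLoader(parent);
            }
        });
    }

    public static void main(String[] args) {
        ClassLoader parent = PrivilegedLoaderExample.class.getClassLoader();
        InnerLoader loader = createPrivileged(parent);
        System.out.println("created " + loader.getClass().getSimpleName());
    }
}
```

Without a SecurityManager installed both factory methods behave identically; the difference only shows when a policy denies "createClassLoader" to a caller further up the stack.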