Uploaded image for project: 'MyFaces Core'
  1. MyFaces Core
  2. MYFACES-1879

Problems with myfaces when java2 security is enabled

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.2.3
    • 1.2.7
    • None
    • None

    Description

      When running MyFaces 1.2 on an application server with java2 security turned on, a user can receive an AccessControlException from several locations within the code, in some cases preventing the application from working in the environment.

      There are several places in the myfaces code that should be updated to include a doPriv when java2 security is on. Specifically in locations where the code is executing a call to Thread.currentThread().getContextClassLoader(), as well as in the JspStateManagerImpl's deserializeView() method.

      for example (in the classloader case):

      if (System.getSecurityManager() != null) {
      try {
      Object cl = AccessController.doPrivileged(new PrivilegedExceptionAction() {
      public Object run() throws PrivilegedActionException

      { return Thread.currentThread().getContextClassLoader(); }

      });
      return (ClassLoader) cl;
      } catch (PrivilegedActionException pae)

      { throw new FacesException(pae); }

      }else{
      return Thread.currentThread().getContextClassLoader();
      }

      If its agreed that the change should be implemented, I'd be happy to perform the changes myself and supply a patch. I also thought that it might make sense to, at least for the ClassLoader lookup, create a method in ClassUtils called getContextClassloader that could be called elsewhere for efficiency's sake.

      Attachments

        1. MYFACES-1879-core.patch
          6 kB
          Michael Concini
        2. MYFACES-1879-core-v2.patch
          5 kB
          Leonardo Uribe
        3. MYFACES-1879-shared.patch
          5 kB
          Michael Concini
        4. MYFACES-1879-shared-v2.patch
          6 kB
          Leonardo Uribe

        Activity

          People

            lu4242 Leonardo Uribe
            mconcini Michael Concini
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: