Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 1.2.3
- None
- None
Description
When running MyFaces 1.2 on an application server with Java 2 security turned on, a user can receive an AccessControlException from several locations within the code, in some cases preventing the application from working in the environment.
There are several places in the MyFaces code that should be updated to include a doPriv when Java 2 security is on. Specifically, in locations where the code is executing a call to Thread.currentThread().getContextClassLoader(), as well as in the JspStateManagerImpl's deserializeView() method.
For example (in the classloader case):
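    if (System.getSecurityManager() != null) {
        try {
            // Run the lookup with this class's own permissions rather than the callers'.
            Object cl = AccessController.doPrivileged(new PrivilegedExceptionAction() {
                public Object run() throws PrivilegedActionException {
                    return Thread.currentThread().getContextClassLoader();
                }
            });
            return (ClassLoader) cl;
        } catch (PrivilegedActionException pae) {
            // The handler body is not shown in the report; rethrowing keeps the failure visible.
            throw new RuntimeException(pae);
        }
    } else {
        return Thread.currentThread().getContextClassLoader();
    }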
If it's agreed that the change should be implemented, I'd be happy to perform the changes myself and supply a patch. I also thought that it might make sense to, at least for the ClassLoader lookup, create a method in ClassUtils called getContextClassloader that could be called elsewhere for efficiency's sake.
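
One shape the shared lookup helper proposed above could take, as an added example that is not part of the original report or of the MyFaces patch. The class name ContextClassLoaderUtil is hypothetical, and the sketch uses PrivilegedAction instead of PrivilegedExceptionAction because getContextClassLoader() throws no checked exception.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper illustrating the proposal; not MyFaces' ClassUtils.
final class ContextClassLoaderUtil {

    // Stateless action, so a single instance can be shared by every caller.
    private static final PrivilegedAction<ClassLoader> GET_TCCL =
        new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return Thread.currentThread().getContextClassLoader();
            }
        };

    private ContextClassLoaderUtil() {
    }

    // Package-private on purpose: doPrivileged makes the permission check stop
    // at this class, so any code able to call this method receives the loader
    // even if its own protection domain lacks RuntimePermission("getClassLoader").
    // The suppression covers newer JDKs, where these APIs are deprecated.
    @SuppressWarnings({"deprecation", "removal"})
    static ClassLoader getContextClassLoader() {
        if (System.getSecurityManager() != null) {
            // Security manager installed: assert this class's own privileges.
            return AccessController.doPrivileged(GET_TCCL);
        }
        // No security manager: a plain call avoids the doPrivileged overhead.
        return Thread.currentThread().getContextClassLoader();
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = getContextClassLoader();
        // A null loader means the bootstrap loader, which Class.forName accepts.
        Class<?> c = Class.forName("java.util.ArrayList", false, cl);
        System.out.println(c.getName() + " resolved through " + cl);
    }
}
```

Keeping the privileged block to the single lookup call, and the helper out of any public API, limits what the elevated permission can be used for.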