  1. MyFaces Core
  2. MYFACES-3536

AccessControlException occurs when using a CustomExceptionHandler to navigate to a page using the NavigationHandler

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.13
    • Fix Version/s: 2.0.14, 2.1.8
    • Component/s: JSR-314
    • Labels:
      None
    • Environment:
      WebSphere Application Server Version 8.0 with Java2 Security enabled

      Description

      After fixing MYFACES-3530 I enabled Java2 Security in WebSphere Application Server Version 8.0 and found the following issue related to using a custom Exception Handler to handle a ViewExpiredException.

      When we navigate to a page from the custom Exception Handler in the application, the following exception occurs:

      java.security.AccessControlException: Access denied org.osgi.framework.AdminPermission (id=65) resolve,resource)
      at java.security.AccessController.checkPermission(AccessController.java:108)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
      at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
      at org.eclipse.osgi.framework.internal.core.BundleResourceHandler.checkAuthorization(BundleResourceHandler.java:289)
      at org.eclipse.osgi.framework.internal.core.BundleResourceHandler.parseURL(BundleResourceHandler.java:128)
      at java.net.URL.<init>(URL.java:608)
      at java.net.URL.<init>(URL.java:476)
      at java.net.URL.<init>(URL.java:425)
      at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
      at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
      at org.apache.xerces.impl.XMLEntityManager.startDTDEntity(Unknown Source)
      at org.apache.xerces.impl.XMLDTDScannerImpl.setInputSource(Unknown Source)
      at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
      at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
      at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
      at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
      at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
      at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
      at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
      at org.apache.xerces.jaxp.SAXParserImpl.parse(Unknown Source)
      at javax.xml.parsers.SAXParser.parse(Unknown Source)
      at org.apache.myfaces.view.facelets.compiler.SAXCompiler.doCompileViewMetadata(SAXCompiler.java:712)
      at org.apache.myfaces.view.facelets.compiler.Compiler.compileViewMetadata(Compiler.java:126)
      at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory._createViewMetadataFacelet(DefaultFaceletFactory.java:311)
      at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory.getViewMetadataFacelet(DefaultFaceletFactory.java:394)
      at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory.getViewMetadataFacelet(DefaultFaceletFactory.java:376)
      at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage._getViewMetadataFacelet(FaceletViewDeclarationLanguage.java:1940)
      at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage.access$000(FaceletViewDeclarationLanguage.java:129)
      at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage$FaceletViewMetadata.createMetadataView(FaceletViewDeclarationLanguage.java:2049)
      at org.apache.myfaces.application.NavigationHandlerImpl.handleNavigation(NavigationHandlerImpl.java:174)
      at com.ibm.ws.jsf.fat.test.PM62254.ViewExpiredExceptionExceptionHandler.handle(ViewExpiredExceptionExceptionHandler.java:45) -> Application code

      I've attached Exception.txt showing the full stack trace for reference. The exception looks to come from:

      org.apache.myfaces.view.facelets.compiler.SAXCompiler.doCompileViewMetadata(SAXCompiler.java:712).

      I've attached a suggested patch that wraps the offending code in an AccessController.doPrivileged block. I had to make the following changes to completely fix the problem:

      1) Make the ViewMetadataHandler and SAXParser local variables final so they can be used within the doPrivileged block.

      2) I had to create a secondary InputStream object "finalInputStream", which is just a copy of the local "is" InputStream but is marked final so it can also be used within the doPrivileged block.

      3) I also added a nested try/catch block that catches the PrivilegedActionException, catches the SAXException/IOException, and keeps the behavior we had before (throwing IOException, throwing new FaceletException for the SAXException). I had to do this since the doPrivileged block wraps the exceptions from parser.parse in a PrivilegedActionException.

      4) The new code is only used if System.getSecurityManager() != null so there should be no performance ramifications if security is not enabled.

      Please review and let me know if you are ok with my patch.

      Thanks!

        Attachments

        1. Exception.txt
          11 kB
          Paul Nicolucci
        2. SAXCompiler.patch
          3 kB
          Paul Nicolucci

            People

            • Assignee:
              lu4242 Leonardo Uribe
              Reporter:
              paul.nicolucci Paul Nicolucci
                Time Tracking

                Original Estimate: 4h
                Remaining Estimate: 4h
                Time Spent: Not Specified