OpenJPA / OPENJPA-339

Java 2 security Access denied in File.toURL() call

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.7
    • Fix Version/s: 1.0.1, 1.1.0
    • Component/s: lib
    • Labels:
      None

      Description

      Encountered the following access denial exception when Java 2 security is enabled in an application server environment.

      File.toURL() is not documented as requiring a security check; however, it indirectly invokes File.isDirectory(), which requires a security permission.

      Exception = java.security.AccessControlException
      Source = com.ibm.ws.security.core.SecurityManager
      probeid = 180
      Stack Dump = java.security.AccessControlException: Access denied (java.io.FilePermission C:\WAS3\profiles\AppSrv01\installedApps\javajoeNode01Cell\EJB3JPACallbackBeanApp.ear\EJB3JPACallbackWebApp.war\WEB-INF\classes\suite\r70\base\jpaspec\callback\entities\AbstractCallbackEntity.class read)
      at java.security.AccessController.checkPermission(AccessController.java:104)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
      at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
      at java.lang.SecurityManager.checkRead(SecurityManager.java:886)
      at java.io.File.isDirectory(File.java:747)
      at java.io.File.toURL(File.java:620)
      at org.apache.openjpa.lib.meta.FileMetaDataIterator.next(FileMetaDataIterator.java:114)
      at org.apache.openjpa.lib.meta.ClassArgParser.mapTypeNames(ClassArgParser.java:283)
      at org.apache.openjpa.meta.AbstractCFMetaDataFactory.scan(AbstractCFMetaDataFactory.java:778)
      at org.apache.openjpa.meta.AbstractCFMetaDataFactory.parsePersistentTypeNames(AbstractCFMetaDataFactory.java:637)
      at org.apache.openjpa.meta.AbstractCFMetaDataFactory.getPersistentTypeNames(AbstractCFMetaDataFactory.java:605)
      at org.apache.openjpa.meta.MetaDataRepository.getPersistentTypeNames(MetaDataRepository.java:1214)
      at org.apache.openjpa.meta.MetaDataRepository.loadPersistentTypes(MetaDataRepository.java:1231)
      at org.apache.openjpa.kernel.AbstractBrokerFactory.loadPersistentTypes(AbstractBrokerFactory.java:245)
      at org.apache.openjpa.kernel.AbstractBrokerFactory.newBroker(AbstractBrokerFactory.java:197)
      at org.apache.openjpa.kernel.DelegatingBrokerFactory.newBroker(DelegatingBrokerFactory.java:142)
      at org.apache.openjpa.persistence.EntityManagerFactoryImpl.createEntityManager(EntityManagerFactoryImpl.java:190)
      at com.ibm.ws.persistence.EntityManagerFactoryImpl.createEntityManager(EntityManagerFactoryImpl.java:37)
      at com.ibm.ws.persistence.EntityManagerFactoryImpl.createEntityManager(EntityManagerFactoryImpl.java:28)

      1. OPENJPA-339.1.patch
        5 kB
        Albert Lee
      2. OPENJPA-339.patch
        10 kB
        Albert Lee

        Activity

        Albert Lee added a comment -

        Found another failing security scenario that needs to be fixed:

        Exception = java.security.AccessControlException
        Source = com.ibm.ws.security.core.SecurityManager
        probeid = 180
        Stack Dump = java.security.AccessControlException: Access denied (java.lang.RuntimePermission getClassLoader)
        at java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
        at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
        at java.lang.Thread.getContextClassLoader(Thread.java:488)
        at serp.bytecode.Project.loadClass(Project.java:116)
        at serp.bytecode.Project.loadClass(Project.java:86)
        at org.apache.openjpa.util.ProxyManagerImpl.generateProxyBeanBytecode(ProxyManagerImpl.java:629)
        at org.apache.openjpa.util.ProxyManagerImpl.getFactoryProxyBean(ProxyManagerImpl.java:452)
        at org.apache.openjpa.util.ProxyManagerImpl.newCustomProxy(ProxyManagerImpl.java:311)
        at org.apache.openjpa.kernel.SingleFieldManager.proxy(SingleFieldManager.java:126)
        at org.apache.openjpa.kernel.StateManagerImpl.storeObjectField(StateManagerImpl.java:2413)
        at org.apache.openjpa.kernel.StateManagerImpl.storeField(StateManagerImpl.java:2510)
        at org.apache.openjpa.kernel.StateManagerImpl.storeField(StateManagerImpl.java:769)
        at org.apache.openjpa.kernel.StateManagerImpl.store(StateManagerImpl.java:765)
        at org.apache.openjpa.jdbc.meta.strats.HandlerFieldStrategy.load(HandlerFieldStrategy.java:174)
        at org.apache.openjpa.jdbc.meta.FieldMapping.load(FieldMapping.java:789)
        at org.apache.openjpa.jdbc.kernel.JDBCStoreManager.load(JDBCStoreManager.java:833)
        at org.apache.openjpa.jdbc.kernel.JDBCStoreManager.load(JDBCStoreManager.java:785)
        at org.apache.openjpa.jdbc.kernel.JDBCStoreManager.initializeState(JDBCStoreManager.java:336)
        at org.apache.openjpa.jdbc.kernel.JDBCStoreManager.initialize(JDBCStoreManager.java:255)
        at org.apache.openjpa.kernel.DelegatingStoreManager.initialize(DelegatingStoreManager.java:111)
        at org.apache.openjpa.kernel.ROPStoreManager.initialize(ROPStoreManager.java:57)
        at org.apache.openjpa.kernel.BrokerImpl.initialize(BrokerImpl.java:878)
        at org.apache.openjpa.kernel.BrokerImpl.find(BrokerImpl.java:836)
        at org.apache.openjpa.kernel.BrokerImpl.find(BrokerImpl.java:753)
        at org.apache.openjpa.kernel.DelegatingBroker.find(DelegatingBroker.java:172)
        at org.apache.openjpa.persistence.EntityManagerImpl.find(EntityManagerImpl.java:349)
        at suite.r70.acommon.servicesupport.AbstractServiceClass.findIEntity(AbstractServiceClass.java:111)

        Albert Lee added a comment -

        Add corrective doPriv() in appropriate call-outs.

        Kevin Sutter added a comment -

        Resolved via svn revision #570288.

        Albert Lee added a comment -

        More testing discovered that other paths in ProxyManagerImpl cause other access violations.

        Albert Lee added a comment -

        The other paths which caused security violations are:

        Stack Dump = java.security.AccessControlException: Access denied (java.lang.RuntimePermission getClassLoader)
        at java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
        at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
        at java.lang.Thread.getContextClassLoader(Thread.java:488)
        at serp.bytecode.BCClass.getClassLoader(BCClass.java:1670)
        at serp.bytecode.BCMember.getClassLoader(BCMember.java:326)
        at serp.bytecode.Attribute.getClassLoader(Attribute.java:85)
        at serp.bytecode.Instruction.getClassLoader(Instruction.java:141)
        at serp.bytecode.TypedInstruction.getType(TypedInstruction.java:76)
        at serp.bytecode.Code.calculateMaxLocals(Code.java:191)
        at org.apache.openjpa.util.ProxyManagerImpl.addProxyBeanMethods(ProxyManagerImpl.java:1173)
        at org.apache.openjpa.util.ProxyManagerImpl.generateProxyBeanBytecode(ProxyManagerImpl.java:640)
        at org.apache.openjpa.util.ProxyManagerImpl.getFactoryProxyBean(ProxyManagerImpl.java:452)
        at org.apache.openjpa.util.ProxyManagerImpl.newCustomProxy(ProxyManagerImpl.java:311)
        at org.apache.openjpa.kernel.SingleFieldManager.proxy(SingleFieldManager.java:129)
        at org.apache.openjpa.kernel.StateManagerImpl.proxyFields(StateManagerImpl.java:2721)
        at org.apache.openjpa.kernel.PNonTransState.initialize(PNonTransState.java:44)
        at org.apache.openjpa.kernel.StateManagerImpl.setPCState(StateManagerImpl.java:216)
        at org.apache.openjpa.kernel.StateManagerImpl.commit(StateManagerImpl.java:1005)
        at org.apache.openjpa.kernel.BrokerImpl.endTransaction(BrokerImpl.java:2177)
        at org.apache.openjpa.kernel.BrokerImpl.afterCompletion(BrokerImpl.java:1782)
        at com.ibm.ws.uow.ComponentContextSynchronizationWrapper.afterCompletion(ComponentContextSynchronizationWrapper.java:84)
        at com.ibm.ws.Transaction.JTA.RegisteredSyncs.distributeAfter(RegisteredSyncs.java:424)
        at com.ibm.ws.Transaction.JTA.TransactionImpl.distributeAfter(TransactionImpl.java:3883)
        at com.ibm.ws.Transaction.JTA.TransactionImpl.postCompletion(TransactionImpl.java:3862)
        at com.ibm.ws.Transaction.JTA.TransactionImpl.commitXAResources(TransactionImpl.java:2518)
        at com.ibm.ws.Transaction.JTA.TransactionImpl.stage1CommitProcessing(TransactionImpl.java:1635)
        at com.ibm.ws.Transaction.JTA.TransactionImpl.processCommit(TransactionImpl.java:1595)
        at com.ibm.ws.Transaction.JTA.TransactionImpl.commit(TransactionImpl.java:1530)
        at com.ibm.ws.Transaction.JTA.TranManagerImpl.commit(TranManagerImpl.java:237)
        at com.ibm.ws.Transaction.JTA.TranManagerSet.commit(TranManagerSet.java:162)
        at com.ibm.ws.Transaction.JTA.UserTransactionImpl.commit(UserTransactionImpl.java:292)
        at com.ibm.ejs.container.UserTransactionWrapper.commit(UserTransactionWrapper.java:264)
        at suite.r70.acommon.transactionservice.JTATransactionService.commitTransaction(JTATransactionService.java:39)

        and

        Caused by: java.security.AccessControlException: Access denied (java.lang.RuntimePermission modifyThreadGroup)
        at java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
        at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
        at com.ibm.ws.security.core.SecurityManager.checkAccess(SecurityManager.java:309)
        at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:222)
        at java.lang.Thread.initialize(Thread.java:342)
        at java.lang.Thread.<init>(Thread.java:276)
        at java.lang.Thread.<init>(Thread.java:168)
        at org.apache.openjpa.datacache.DataCacheScheduler.scheduleEviction(DataCacheScheduler.java:100)
        at org.apache.openjpa.datacache.AbstractDataCache.initialize(AbstractDataCache.java:89)
        at org.apache.openjpa.datacache.ConcurrentDataCache.initialize(ConcurrentDataCache.java:91)
        at org.apache.openjpa.datacache.DataCacheManagerImpl.initialize(DataCacheManagerImpl.java:51)
        at org.apache.openjpa.conf.OpenJPAConfigurationImpl.getDataCacheManagerInstance(OpenJPAConfigurationImpl.java:602)
        at org.apache.openjpa.kernel.AbstractBrokerFactory.newBroker(AbstractBrokerFactory.java:181)

        I have created a patch and am running more tests before posting it to this report.

        Albert Lee added a comment -

        Attached patch for the 2 new permission denials.

        The "new Thread" scenario is straightforward and needs no explanation.

        For the ProxyManagerImpl case, I have in-lined the new PrivilegedAction instead of putting them in J2DoPrivHelper because generateProxyBeanBytecode() is protected qualified, therefore it cannot be called from an action in J2DoPrivHelper. There are also many methods being called on the Code instance in generateProxyBeanBytecode() that may potentially need the doPriv. So instead of putting in many individual doPrivs for Code, the doPriv is moved up to generateProxyBeanBytecode(), and this needs only one instead.
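
The doPriv pattern discussed in this thread, as an added sketch that is not part of the issue, the attached patches, or OpenJPA's code. The class `DoPrivSketch`, its method names, and the sample path are hypothetical; only the JDK calls (`AccessController.doPrivileged`, `File.toURL`, `Thread.getContextClassLoader`, `new Thread`) are real.

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Added illustration: class and method names are hypothetical, not OpenJPA's.
// doPrivileged() stops the permission check at this class's protection domain,
// so the library code base itself must still be granted the permission.
@SuppressWarnings({"deprecation", "removal"})
public class DoPrivSketch {

    // Helper-style wrapper around one checked call. File.toURL() calls
    // File.isDirectory(), which triggers the FilePermission "read" check.
    static URL toURL(final File file) throws MalformedURLException {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<URL>() {
                    public URL run() throws MalformedURLException {
                        return file.toURL();
                    }
                });
        } catch (PrivilegedActionException e) {
            // run() declares only MalformedURLException, so the cast is safe.
            throw (MalformedURLException) e.getException();
        }
    }

    // Stand-in for a protected, multi-step generator. A helper class in
    // another package could not call it, so the action is written inline.
    protected byte[] generate(Class<?> type) {
        // Needs RuntimePermission "getClassLoader" when a SecurityManager is set.
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        return (type.getName() + "@" + loader).getBytes();
    }

    // One privileged block around the whole generation step covers every
    // checked call made inside it. Nothing the caller supplies should widen
    // what runs in here beyond the fixed generation logic.
    byte[] generatePrivileged(final Class<?> type) {
        return AccessController.doPrivileged(new PrivilegedAction<byte[]>() {
            public byte[] run() {
                return generate(type);
            }
        });
    }

    // Thread construction calls ThreadGroup.checkAccess(), which is where the
    // RuntimePermission "modifyThreadGroup" denial came from.
    static Thread newDaemon(final Runnable task, final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<Thread>() {
            public Thread run() {
                Thread t = new Thread(task, name);
                t.setDaemon(true);
                return t;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        System.out.println(toURL(new File("WEB-INF/classes"))); // constructed path
        System.out.println(new DoPrivSketch().generatePrivileged(String.class).length);
        newDaemon(() -> { }, "evictor").start();
    }
}
```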

        Kevin Sutter added a comment -

        Resolved in trunk (1.1.0).


          People

          • Assignee: Albert Lee
          • Reporter: Albert Lee