XWork / XW-660

SecurityException accessing file within a jar

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.1.2
    • None
    • None

    Description

      With security enabled, a SecurityException occurs when com.opensymphony.xwork2.util.FileManager.loadFile(URL) attempts to access a file within a Jar. A sample stack trace is:

      [ERROR] MY_CONTEXT_PATH] - Exception starting filter struts <Unable to load configuration. - Class: java.security.AccessControlContext
      File: AccessControlContext.java
      Method: checkPermission
      Line: 323 - java/security/AccessControlContext.java:323:-1>Unable to load configuration. - Class: java.security.AccessControlContext
      File: AccessControlContext.java
      Method: checkPermission
      Line: 323 - java/security/AccessControlContext.java:323:-1
        at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:58)
        at org.apache.struts2.dispatcher.Dispatcher.init_PreloadConfiguration(Dispatcher.java:395)
        at org.apache.struts2.dispatcher.Dispatcher.init(Dispatcher.java:452)
        at org.apache.struts2.dispatcher.FilterDispatcher.init(FilterDispatcher.java:201)
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:221)
        at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:302)
        at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:78)
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3635)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4232)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:122)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:144)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:738)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
        at org.apache.catalina.startup.HostConfig.manageApp(HostConfig.java:1251)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:458)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
        ...
      Caused by: Caught exception while loading file struts-default.xml - Class: java.security.AccessControlContext
      File: AccessControlContext.java
      Method: checkPermission
      Line: 323 - java/security/AccessControlContext.java:323:-1
        at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadConfigurationFiles(XmlConfigurationProvider.java:879)
        at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadDocuments(XmlConfigurationProvider.java:161)
        at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.init(XmlConfigurationProvider.java:130)
        at com.opensymphony.xwork2.config.impl.DefaultConfiguration.reloadContainer(DefaultConfiguration.java:155)
        at com.opensymphony.xwork2.config.ConfigurationManager.getConfiguration(ConfigurationManager.java:55)
        ... 27 more
      Caused by: java.security.AccessControlException: access denied (java.io.FilePermission file:/MY_WEBAPP_PATH/WEB-INF/lib/struts2-core-2.0.11.2.jar!/struts-default.xml read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
        at java.io.File.exists(File.java:731)
        at com.opensymphony.xwork2.util.FileManager.loadFile(FileManager.java:106)
        at com.opensymphony.xwork2.config.providers.XmlConfigurationProvider.loadConfigurationFiles(XmlConfigurationProvider.java:864)
        ... 31 more

      I believe the issue here is that the code is trying to create a file within a Jar improperly. In this example, the URL passed into loadFile is "jar:file:/MY_WEBAPP_PATH/WEB-INF/lib/struts2-core-2.0.11.2.jar!/struts-default.xml". com.opensymphony.xwork2.util.FileManager.loadFile(URL) attempts to create a file by calling "new File(fileUrl.getFile())" to check if the file exists and is readable. This just strips off the "jar:" prefix, leaving an invalid pathname to pass to File, as there is a "file:" prefix as well as a "!/..." suffix. The SecurityException occurs here, because the "file:" prefix does not match the grant to the webapp.

      In conclusion, I don't believe it is possible to create a valid java.io.File specifying a filename within a Jar. As a solution, the code needs to use the JarFile.getZipEntry(String) interface, which involves parsing the URL.
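
      The check described in the report, as an added example that is not part of the original report or the XWork code base: it contrasts `new File(url.getFile())` on a `jar:` URL with a lookup that lets `JarURLConnection` split the URL, so the file-permission check is made against the real jar path. The class name `JarUrlCheck`, the helper `isReadable` and the temporary jar are constructed for illustration, and the jar is assumed to sit on the local file system.

```java
import java.io.File;
import java.io.IOException;
import java.net.JarURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Files;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

public class JarUrlCheck {
    /** True if the URL names a readable file, or an existing entry inside a readable jar. */
    static boolean isReadable(URL url) throws IOException, URISyntaxException {
        if ("jar".equals(url.getProtocol())) {
            // JarURLConnection splits "jar:<jar-url>!/<entry>" without connecting.
            JarURLConnection conn = (JarURLConnection) url.openConnection();
            String entry = conn.getEntryName();                 // null if the URL names the jar itself
            File jar = new File(conn.getJarFileURL().toURI());  // assumes the inner URL is file:
            if (entry == null || !jar.canRead()) {              // read check is on the real jar path
                return false;
            }
            try (JarFile jf = new JarFile(jar)) {
                return jf.getJarEntry(entry) != null;
            }
        }
        File f = new File(url.toURI());                         // assumes a plain file: URL
        return f.isFile() && f.canRead();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temporary jar holding one entry named like the one in the report.
        File jar = File.createTempFile("sample", ".jar");
        jar.deleteOnExit();
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar.toPath()))) {
            out.putNextEntry(new JarEntry("struts-default.xml"));
            out.write("<struts/>".getBytes("UTF-8"));
            out.closeEntry();
        }
        String base = "jar:" + jar.toURI() + "!/";
        URL present = URI.create(base + "struts-default.xml").toURL();
        URL missing = URI.create(base + "no-such.xml").toURL();

        // Pattern from the report: getFile() keeps "file:" and "!/...", so this is not a real path.
        File bogus = new File(present.getFile());
        System.out.println(bogus.getPath() + " exists=" + bogus.exists());
        System.out.println("present entry readable: " + isReadable(present));
        System.out.println("missing entry readable: " + isReadable(missing));
    }
}
```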

          People

            rainerh Rainer Hermanns
            ecapachedev Eddy Chan