Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
1.1.1
-
None
-
Windows 7 under Sun JRE 6 Update 13, 64-bit
Running Commons HttpClient 3,1 w/ Commons Logging 1.1.1
Description
When attempting to instantiate a HttpClient, a call to LogFactory.getLog() is made. Going deeper, Commons Logging later attempts to make an unprivileged call to java.lang.ClassLoader.getParent(). Under systems with an installed SecurityManager (like mine), this may be forbidden.
In particular, this call will require the RuntimePermission getClassLoader. In my particular case, I am attempting to sandbox specific segments of code, and thus cannot grant this permission to the user of HttpClient (and, thus, Commons Logging). However, I feel that Commons Logging should be able to trust itself to make a self-checked call to ClassLoader.getParent().
The stack trace for my situation (trimmed off to assist you) is as follows:
Caused by: org.apache.commons.logging.LogConfigurationException: java.lang.SecurityException: Cannot request this permission from a tainted execution path (Caused by java.lang.SecurityException: Cannot request this permission from a tainted execution path)
at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:637)
at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336)
at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:310)
at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:685)
at org.apache.commons.httpclient.HttpClient.<clinit>(HttpClient.java:66)
... 11 more
Caused by: java.lang.SecurityException: Cannot request this permission from a tainted execution path
at com.mmoui.manager.MinionSecurityManager.verifyUntainted(MinionSecurityManager.java:507)
at com.mmoui.manager.MinionSecurityManager.checkPermission(MinionSecurityManager.java:263)
at com.mmoui.manager.MinionSecurityManager.checkPermission(MinionSecurityManager.java:474)
at java.lang.ClassLoader.getParent(ClassLoader.java:1233)
at org.apache.commons.logging.impl.LogFactoryImpl.getLowestClassLoader(LogFactoryImpl.java:1327)
at org.apache.commons.logging.impl.LogFactoryImpl.getBaseClassLoader(LogFactoryImpl.java:1247)
at org.apache.commons.logging.impl.LogFactoryImpl.createLogFromClass(LogFactoryImpl.java:1048)
at org.apache.commons.logging.impl.LogFactoryImpl.discoverLogImplementation(LogFactoryImpl.java:914)
at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:604)
... 15 more
I feel that LogFactoryImpl.getLowestClassLoader's call to java.lang.ClassLoader.getParent() should be wrapped by AccessController.doPrivileged(). I can't think of any reason not to do this currently. This would allow my application to trust Commons Logging and not have to grant the RuntimePermission getClassLoader to the users of HttpClient.
Attachments
Issue Links
- is duplicated by
-
LOGGING-134 No AccessControll on getClassLoader operations
-
- Closed
-