Uploaded image for project: 'Application Server 3  4  5 and 6'
  1. Application Server 3 4 5 and 6
  2. JBAS-1363

JACC DelegatingPolicy will not work with a SecurityManager installed

XMLWordPrintable

      If one runs with the JACC policy provided enabled, and also specify that a security manager is intalled, the service fails to start with an exception like:

      16:01:48,985 WARN [ServiceController] Problem starting service jboss.security:service=JACCSecurityService
      java.lang.ClassCircularityError: javax/security/jacc/EJBMethodPermission
      at org.jboss.security.jacc.DelegatingPolicy.implies(DelegatingPolicy.java:72)
      at java.security.ProtectionDomain.implies(ProtectionDomain.java:195)
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:249)
      at java.security.AccessController.checkPermission(AccessController.java:427)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
      at sun.misc.URLClassPath.check(URLClassPath.java:398)
      at sun.misc.URLClassPath$JarLoader.checkResource(URLClassPath.java:601)
      at sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:673)
      at sun.misc.URLClassPath$JarLoader.findResource(URLClassPath.java:660)
      at sun.misc.URLClassPath.findResource(URLClassPath.java:139)
      at java.net.URLClassLoader$2.run(URLClassLoader.java:362)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.net.URLClassLoader.findResource(URLClassLoader.java:359)
      at java.lang.ClassLoader.getResource(ClassLoader.java:977)
      at org.jboss.mx.loading.RepositoryClassLoader.getResourceLocally(RepositoryClassLoader.java:200)
      at org.jboss.mx.loading.LoadMgr3$ResourceAction.run(LoadMgr3.java:95)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.mx.loading.LoadMgr3.beginLoadTask(LoadMgr3.java:247)
      at org.jboss.mx.loading.RepositoryClassLoader.loadClassImpl(RepositoryClassLoader.java:464)
      at org.jboss.mx.loading.RepositoryClassLoader.loadClass(RepositoryClassLoader.java:374)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
      at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
      at org.jboss.security.jacc.DelegatingPolicy.implies(DelegatingPolicy.java:72)
      at java.security.ProtectionDomain.implies(ProtectionDomain.java:195)
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:249)
      at java.security.AccessController.checkPermission(AccessController.java:427)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
      at java.lang.Thread.setContextClassLoader(Thread.java:1306)
      at org.jboss.mx.server.TCLAction$5.run(TCLAction.java:102)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.jboss.mx.server.TCLAction$2.setContextClassLoader(TCLAction.java:97)
      at org.jboss.mx.server.TCLAction$UTIL.setContextClassLoader(TCLAction.java:37)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:288)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:908)
      at $Proxy0.start(Unknown Source)
      at org.jboss.system.ServiceController.start(ServiceController.java:416)

      The problem is the interaction between the class loading layer attempting to locate the class in question as a resource and the lazy loading of the JACC permission classes from within the Policy.implies override which results in recursion into a ClassCircularityError:

      Thread "main"@336 in group "jboss" status: RUNNING
      <init>():32, java.lang.ClassCircularityError
      implies():72, org.jboss.security.jacc.DelegatingPolicy
      implies():189, java.security.ProtectionDomain
      checkPermission():254, java.security.AccessControlContext
      checkPermission():401, java.security.AccessController
      checkPermission():524, java.lang.SecurityManager
      check():397, sun.misc.URLClassPath
      getResource():884, sun.misc.URLClassPath$FileLoader
      getResource():157, sun.misc.URLClassPath
      getResource():209, sun.misc.URLClassPath
      getBootstrapResource():950, java.lang.ClassLoader
      getResource():811, java.lang.ClassLoader
      getResource():809, java.lang.ClassLoader
      getResource():809, java.lang.ClassLoader
      getResource():809, java.lang.ClassLoader
      getResourceLocally():205, org.jboss.mx.loading.RepositoryClassLoader
      run():95, org.jboss.mx.loading.LoadMgr3$ResourceAction
      doPrivileged():-1, java.security.AccessController
      beginLoadTask():247, org.jboss.mx.loading.LoadMgr3

      The classes needed by the implies method need to be loaded before the DelegatingPolicy is installed as the java.security.Policy implementation to avoid this.

              starksm64 Scott Stark (Inactive)
              starksm64 Scott Stark (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved: