Weld / WELD-1625

SecurityException in ReflectionCacheFactory halts deployment

    Details

    • Security Sensitive Issue:
      This issue is security relevant
    • Steps to Reproduce:
      I can reproduce this issue with the simplest web app. It occurs whenever the listener is configured in web.xml:

      <listener>
        <listener-class>org.jboss.weld.environment.servlet.Listener</listener-class>
      </listener>


      Description

      This happens when I try to deploy my web app to Tomcat running in a private cloud. I'm using Weld to inject my JSF Backing Beans. The service provider applies some security constraints that prevent org.jboss.weld.environment.servlet.Listener from initializing:

      Mar 20, 2014 10:54:24 AM org.apache.catalina.core.StandardContext listenerStart
      SEVERE: Exception sending context initialized event to listener instance of class org.jboss.weld.environment.servlet.Listener
      java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.reflect.annotation)
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
      at java.security.AccessController.checkPermission(AccessController.java:546)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
      at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
      at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:298)
      at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
      at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1529)
      at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1462)
      at org.jboss.weld.resources.AbstractClassLoaderResourceLoader.classForName(AbstractClassLoaderResourceLoader.java:40)
      at org.jboss.weld.util.reflection.Reflections.isClassLoadable(Reflections.java:357)
      at org.jboss.weld.resources.ReflectionCacheFactory.newInstance(ReflectionCacheFactory.java:30)
      at org.jboss.weld.bootstrap.WeldStartup.setupInitialServices(WeldStartup.java:237)
      at org.jboss.weld.bootstrap.WeldStartup.startContainer(WeldStartup.java:177)
      at org.jboss.weld.bootstrap.WeldBootstrap.startContainer(WeldBootstrap.java:67)
      at org.jboss.weld.bootstrap.WeldBootstrap.startContainer(WeldBootstrap.java:63)
      at org.jboss.weld.environment.servlet.Listener.contextInitialized(Listener.java:140)
      at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4887)
      at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5381)
      at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
      at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
      at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
      at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
      at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:977)
      at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1655)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
      at java.util.concurrent.FutureTask.run(FutureTask.java:138)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:619)
      Mar 20, 2014 10:54:27 AM org.apache.catalina.core.StandardContext listenerStop
      SEVERE: Exception sending context destroyed event to listener instance of class org.jboss.weld.environment.servlet.Listener
      java.lang.NullPointerException
      at org.jboss.weld.servlet.WeldInitialListener.contextDestroyed(WeldInitialListener.java:120)
      at org.jboss.weld.servlet.api.helpers.ForwardingServletListener.contextDestroyed(ForwardingServletListener.java:30)
      at org.jboss.weld.environment.servlet.Listener.contextDestroyed(Listener.java:85)
      at org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4927)
      at org.apache.catalina.core.StandardContext.stopInternal(StandardContext.java:5573)
      at org.apache.catalina.util.LifecycleBase.stop(LifecycleBase.java:232)
      at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:160)
      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
      at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
      at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
      at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
      at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:977)
      at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1655)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
      at java.util.concurrent.FutureTask.run(FutureTask.java:138)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:619)

      As a workaround I removed the dependency on Weld and switched back to the deprecated JSF ManagedBean annotation, and everything works fine.
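
The first trace shows an optional-class probe (`Reflections.isClassLoadable`) failing with `AccessControlException`, a `SecurityException` subclass, instead of reporting "not available". The sketch below is an added example, not Weld's code or its fix: `SafeClassProbe`, `DenyingLoader` and the probed class name are assumptions, and the loader simulates the sandbox denial so the code runs without a `SecurityManager`.

```java
public class SafeClassProbe {

    /** Stand-in for a sandboxed loader: rejects one package, as checkPackageAccess does in the trace. */
    static final class DenyingLoader extends ClassLoader {
        private final String deniedPackage;

        DenyingLoader(ClassLoader parent, String deniedPackage) {
            super(parent);
            this.deniedPackage = deniedPackage;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (name.startsWith(deniedPackage + ".")) {
                throw new SecurityException("access denied (accessClassInPackage." + deniedPackage + ")");
            }
            return super.loadClass(name, resolve);
        }
    }

    /** Probe that only anticipates a missing class, so a sandbox denial escapes to the caller. */
    static boolean naiveIsLoadable(String name, ClassLoader loader) {
        try {
            loader.loadClass(name);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    /** Hardened probe: a denied optional class counts as unavailable, so startup can fall back. */
    static boolean safeIsLoadable(String name, ClassLoader loader) {
        try {
            loader.loadClass(name);
            return true;
        } catch (ClassNotFoundException | LinkageError | SecurityException e) {
            return false; // AccessControlException is a SecurityException
        }
    }

    public static void main(String[] args) {
        ClassLoader sandbox = new DenyingLoader(SafeClassProbe.class.getClassLoader(), "sun.reflect.annotation");
        String optional = "sun.reflect.annotation.AnnotationType"; // assumed sample target, not taken from the page
        System.out.println("safe probe -> " + (safeIsLoadable(optional, sandbox) ? "optimized path" : "portable fallback"));
        try {
            naiveIsLoadable(optional, sandbox);
        } catch (SecurityException e) {
            System.out.println("naive probe aborted startup: " + e.getMessage());
        }
    }
}
```

The operator-side alternative is a policy-file grant of the permission named in the trace, `permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect.annotation";`, which widens the sandbox for the code base it is granted to.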


            People

            Assignee:
            mbriskar Matej Briskar (Inactive)
            Reporter:
            shinzey shinzey shinzey (Inactive)