[ https://issues.apache.org/jira/browse/FELIX-837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Karl Pauls resolved FELIX-837.
------------------------------
Resolution: Fixed
Setting a security manager when the framework already was started is causing a
recursive lookup of handlers as
a) not all security sensitive calls were done from inside a doPriv and
b) invoking built-in handlers is causing a recursive attempt to create the URL
to the policy file.
Fixed in trunk by adding the doPrivs and making sure to only use setAccessible
where needed and then (if possible) before the URLHandlers are registered.
Additionally, we create URLs for the known built-in handler up front to be able
to set the handler of a new URL without causing a security check.
This will make it into the upcoming 1.4.1 release. Thanks again for reporting
and please close this issue if it works for you.
> Setting the SecurityManager in a bundle generate an infinite loop
> -----------------------------------------------------------------
>
> Key: FELIX-837
> URL: https://issues.apache.org/jira/browse/FELIX-837
> Project: Felix
> Issue Type: Bug
> Components: Framework
> Affects Versions: felix-1.4.0
> Reporter: Loris Bouzonnet
> Assignee: Karl Pauls
> Priority: Minor
> Fix For: felix-1.4.1
>
> Attachments: sm-test.zip
>
>
> Since Felix 1.4.0, each method invocation is now checked in the class
> SecureAction. When we DON'T set the security manager as argument of the
> command line and a started bundle tries to set this one, we always get an
> infinite loop:
> at java.net.URL.<init>(URL.java:413)
> at sun.security.provider.PolicyFile$3.run(PolicyFile.java:676)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.provider.PolicyFile.initStaticPolicy(PolicyFile.java:617)
> at sun.security.provider.PolicyFile.<init>(PolicyFile.java:314)
> at java.security.Policy.getPolicyNoCheck(Policy.java:145)
> at java.security.ProtectionDomain.implies(ProtectionDomain.java:195)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:249)
> at java.security.AccessController.checkPermission(AccessController.java:427)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
> at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1123)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.felix.framework.util.SecureAction.invoke(SecureAction.java:754)
> at org.apache.felix.framework.URLHandlersStreamHandlerProxy.getStreamHandlerService(URLHandlersStreamHandlerProxy.java:400)
> at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:267)
> at java.net.URL.<init>(URL.java:596)
> at java.net.URL.<init>(URL.java:464)
> at java.net.URL.<init>(URL.java:413)
> at sun.security.provider.PolicyFile$3.run(PolicyFile.java:676)
> ... until a stack overflow.
> To reproduce it, just start the attached bundle that does:
> System.setSecurityManager(new RMISecurityManager());
> URL wantBug = new URL("http://felix.apache.org");
> System.out.println("I want a bug: " + wantBug.toExternalForm());
> If the security manager is set in the command line, there is no bug.
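
Added example, not part of the original message and not Felix code: a simplified Java model of cause (b) and of the "create URLs for the known built-in handlers up front" part of the fix. Checker, HandlerRegistry and all other names are hypothetical stand-ins; the real SecurityManager and the doPrivileged part of the fix are not modelled.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.function.Supplier;

/** Simplified model of the FELIX-837 recursion; every name here is hypothetical. */
public class HandlerRecursionDemo {

    /** Stands in for the security manager: resolves its policy URL on first check. */
    static class Checker {
        final Supplier<String> policyLocator;
        String policyUrl;
        Checker(Supplier<String> policyLocator) { this.policyLocator = policyLocator; }
        void check() {
            // Like PolicyFile building the policy file URL inside checkPermission.
            if (policyUrl == null) policyUrl = policyLocator.get();
        }
    }

    /** Stands in for the framework's URL stream handler proxy. */
    static class HandlerRegistry {
        Checker checker; // null until a bundle installs a "security manager"
        final Set<String> preResolved = new HashSet<>();

        String handlerFor(String protocol) {
            // Fix: built-in handlers created up front need no checked call.
            if (preResolved.contains(protocol)) return "builtin:" + protocol;
            // Otherwise the lookup makes a security-sensitive (checked) call.
            if (checker != null) checker.check();
            return "looked-up:" + protocol;
        }
    }

    static String run(boolean preResolveBuiltIns) {
        HandlerRegistry registry = new HandlerRegistry();
        if (preResolveBuiltIns) registry.preResolved.add("file");
        // Installed after the registry is live, as when a started bundle sets it.
        registry.checker = new Checker(() -> registry.handlerFor("file") + "/java.policy");
        try {
            return registry.handlerFor("custom") + " policy=" + registry.checker.policyUrl;
        } catch (StackOverflowError e) {
            return "StackOverflowError";
        }
    }

    public static void main(String[] args) {
        System.out.println("lookup on demand: " + run(false));
        System.out.println("pre-resolved:     " + run(true));
    }
}
```

With on-demand lookup the first check re-enters the handler lookup before the policy URL is stored, so the model overflows the stack just as the trace above does; with the "file" handler pre-resolved the check completes.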