[
https://issues.apache.org/jira/browse/FELIX-5908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16581037#comment-16581037
]
ASF GitHub Bot commented on FELIX-5908:
---------------------------------------
GitHub user timothyjward opened a pull request:
https://github.com/apache/felix/pull/150
Configuration Admin Security can cause a NoClassDefFoundError
Fixes FELIX-5908
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/timothyjward/felix config-security
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/felix/pull/150.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #150
----
commit 561a99c53854c0449bd922a344f9eee513df5222
Author: Tim Ward <timothyjward@...>
Date: 2018-08-15T12:21:20Z
FELIX-5908 - Tests to demonstrate the NoClassDefFoundError that can occur
with security on
Also includes general security tests to ensure that Config Admin runs
correctly with Security on
Signed-off-by: Tim Ward <[email protected]>
commit 007a88b104deb92fcd890d81bbac5a0df1ec4708
Author: Tim Ward <timothyjward@...>
Date: 2018-08-15T12:52:30Z
FELIX-5908 Avoid a NoClassDefFoundError by eagerly instantiating the
ProtectionDomain
Signed-off-by: Tim Ward <[email protected]>
----
> NoClassDefFoundError for the CM Security Domain combiner
> --------------------------------------------------------
>
> Key: FELIX-5908
> URL: https://issues.apache.org/jira/browse/FELIX-5908
> Project: Felix
> Issue Type: Bug
> Components: Configuration Admin
> Affects Versions: configadmin-1.9.4
> Reporter: Timothy Ward
> Priority: Major
>
> This is a pretty weird bug, so I'll try to explain it.
> When running with security on the Configuration Admin Updater thread applies
> an Access Control Context which, amongst other things, sets up a Domain
> Combiner. This Domain Combiner lazily creates a combined Protection Domain
> based on the target bundle.
>
> All of this works fine until you end up in the following situation:
> # The MS/MSF being called attempts to perform a checked operation (for which
> they may or may not have permission)
> # The Check causes the CM Domain Combiner to be instantiated, triggering a
> class load if it is the first time
> # The Loading of the class can then trigger *more* security checks in some
> cases, for example setting the CodeSource of the class being defined can
> require a security check if there are multiple frameworks in the VM, or if
> the code was installed from a custom URL handler that has a custom
> toExternalForm() implementation
> # This security check retrievers the CM Domain Combiner, which attempts to
> load the class again
> # The Java ClassLoader detects the cycle and throws a NoClassDefFoundError
>
> I am setting up a "simple" test demonstrating this (it necessarily has
> several moving parts) and a proposed patch.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
