[ https://issues.apache.org/jira/browse/FELIX-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16612099#comment-16612099 ]
Carsten Ziegeler commented on FELIX-5910:
-----------------------------------------

[~cnoelle] The change is in FireConfigurationEvent

> [ConfigAdmin] Set correct AccessControlContext when firing events
> -----------------------------------------------------------------
>
> Key: FELIX-5910
> URL: https://issues.apache.org/jira/browse/FELIX-5910
> Project: Felix
> Issue Type: Bug
> Components: Configuration Admin
> Affects Versions: configadmin-1.9.4
> Environment: - Felix fwk 6.0.0
> - Felix security 2.6.0
> - Felix config admin 1.9.4 and 1.9.5-SNAPSHOT
> Reporter: Christoph Nölle
> Assignee: Carsten Ziegeler
> Priority: Major
> Fix For: configadmin-1.9.6
>
>
> ConfigAdmin requests a restricted set of permissions by means of a
> permissions.perm file, which must not restrict the permissions of other
> bundles to which it sends events. There is in fact a mechanism in place to
> prevent this, using the protection domain of the bundle, in the class
> ManagedServiceTracker (resolving the related issue
> https://issues.apache.org/jira/browse/FELIX-4362). However, the UpdateThread
> class does not use this mechanism; instead it explicitly sets an
> AccessControlContext based on its own protection domain, hence enforcing its
> own restricted set of permissions to the event listeners. Below are two
> examples of the resulting AccessControlExceptions I get... there is just one
> additional bundle in the stack trace, felix-scr, which has all permissions
> and can be ignored from the permissions point of view.
> By the way, removing the permissions.perm file from ConfigAdmin resolves the
> problem, confirming that the bug is indeed in ConfigAdmin.
> rg.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] :
> [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering
> configuration event to [org.osgi.service.cm.ConfigurationListener, id=18,
> bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
>     at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>     at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
>     at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
>     at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2042)
>     at java.base/java.lang.Class.getClassLoader(Class.java:807)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod.findMethod(BaseMethod.java:158)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$400(BaseMethod.java:41)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.resolve(BaseMethod.java:602)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.methodExists(BaseMethod.java:626)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod.methodExists(BaseMethod.java:528)
>     at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:315)
>     at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:307)
>     at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeModifiedMethod(SingleComponentManager.java:810)
>     at org.apache.felix.scr.impl.manager.SingleComponentManager.modify(SingleComponentManager.java:765)
>     at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:683)
>     at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:647)
>     at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:435)
>     at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
>     at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
>     at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
>     at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
>     at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
>     at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
>     at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
>     at java.base/java.lang.Thread.run(Thread.java:844)
> org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] :
> [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering
> configuration event to [org.osgi.service.cm.ConfigurationListener, id=18,
> bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied ("org.osgi.framework.ServicePermission" "java.lang.Runnable" "register")
>     at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>     at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
>     at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
>     at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:322)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:891)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:877)
>     at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:944)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:727)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:661)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:427)
>     at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:440)
>     at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
>     at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
>     at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
>     at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
>     at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
>     at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
>     at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
>     at java.base/java.lang.Thread.run(Thread.java:844)

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
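
Added example, not part of the original message or of the Felix code base: a stand-alone Java sketch of the rule behind the report, namely that an AccessControlContext grants a permission only if every protection domain in it does, so a context that carries the sender's restricted domain denies "getClassLoader" even to a listener that has AllPermission. The class name, the two domains and the PropertyPermission grant are constructed for illustration, and the sketch assumes a JDK on which the legacy AccessControlContext checks are still functional, as on the runtime in the traces above.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class AccIntersectionDemo {

    // Constructed stand-in for a bundle's protection domain. The two-argument
    // constructor binds a static permission set, so no Policy is consulted.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new ProtectionDomain(null, perms);
    }

    // checkPermission throws as soon as one domain in the context does not
    // imply the permission: the effective rights are the intersection.
    static boolean allowed(AccessControlContext acc, Permission p) {
        try {
            acc.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Hypothetical grants: a sender limited to reading properties,
        // and a listener that has all permissions.
        ProtectionDomain sender = domain(new PropertyPermission("*", "read"));
        ProtectionDomain listener = domain(new AllPermission());
        Permission needed = new RuntimePermission("getClassLoader");

        // Context that carries the sender's own domain along with the listener's.
        AccessControlContext withSender =
                new AccessControlContext(new ProtectionDomain[] { sender, listener });
        // Context that holds only the listener's domain.
        AccessControlContext listenerOnly =
                new AccessControlContext(new ProtectionDomain[] { listener });

        System.out.println("sender domain in context: "
                + (allowed(withSender, needed) ? "granted" : "denied"));
        System.out.println("listener domain only:     "
                + (allowed(listenerOnly, needed) ? "granted" : "denied"));
    }
}
```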