[
https://issues.apache.org/jira/browse/FELIX-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16612491#comment-16612491
]
Timothy Ward commented on FELIX-5910:
-------------------------------------
{quote}Thanks, yes this looks like a SCR bug
{quote}
I agree with this. SCR should definitely be removing itself from the stack by
setting the relevant access control context before calling any lifecycle
methods on the component. Otherwise SCR requires AllPermission (which is
probably what it has if nobody has created a proper permissions file for it)
which is a bad thing.
> [ConfigAdmin] Set correct AccessControlContext when firing events
> -----------------------------------------------------------------
>
> Key: FELIX-5910
> URL: https://issues.apache.org/jira/browse/FELIX-5910
> Project: Felix
> Issue Type: Bug
> Components: Configuration Admin
> Affects Versions: configadmin-1.9.4
> Environment: - Felix fwk 6.0.0
> - Felix security 2.6.0
> - Felix config admin 1.9.4 and 1.9.5-SNAPSHOT
> Reporter: Christoph Nölle
> Assignee: Carsten Ziegeler
> Priority: Major
> Fix For: configadmin-1.9.6
>
>
> ConfigAdmin requests a restricted set of permissions by means of a
> permissions.perm file, which must not restrict the permissions of other
> bundles to which it sends events. There is in fact a mechanism in place to
> prevent this, using the protection domain of the bundle, in the class
> ManagedServiceTracker (resolving the related issue
> https://issues.apache.org/jira/browse/FELIX-4362). However, the UpdateThread
> class does not use this mechanism; instead it explicitly sets an
> AccessControlContext based on its own protection domain, hence enforcing its
> own restricted set of permissions to the event listeners. Below are two
> examples of the resulting AccessControlExceptions I get... there is just one
> additional bundle in the stack trace, felix-scr, which has all permissions
> and can be ignored from the permissions point of view.
> By the way, removing the permissions.perm file from ConfigAdmin resolves the
> problem, confirming that the bug is indeed in ConfigAdmin.
> rg.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] :
> [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering
> configuration event to [org.osgi.service.cm.ConfigurationListener, id=18,
> bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied
> ("java.lang.RuntimePermission" "getClassLoader")
> at
> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at
> java.base/java.security.AccessController.checkPermission(AccessController.java:895)
> at
> java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
> at
> java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2042)
> at java.base/java.lang.Class.getClassLoader(Class.java:807)
> at
> org.apache.felix.scr.impl.inject.methods.BaseMethod.findMethod(BaseMethod.java:158)
> at
> org.apache.felix.scr.impl.inject.methods.BaseMethod.access$400(BaseMethod.java:41)
> at
> org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.resolve(BaseMethod.java:602)
> at
> org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.methodExists(BaseMethod.java:626)
> at
> org.apache.felix.scr.impl.inject.methods.BaseMethod.methodExists(BaseMethod.java:528)
> at
> org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:315)
> at
> org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:307)
> at
> org.apache.felix.scr.impl.manager.SingleComponentManager.invokeModifiedMethod(SingleComponentManager.java:810)
> at
> org.apache.felix.scr.impl.manager.SingleComponentManager.modify(SingleComponentManager.java:765)
> at
> org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:683)
> at
> org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:647)
> at
> org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:435)
> at
> org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
> at
> org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
> at
> org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
> at
> org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
> at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
> at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
> at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
> at java.base/java.lang.Thread.run(Thread.java:844)
> org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] :
> [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering
> configuration event to [org.osgi.service.cm.ConfigurationListener, id=18,
> bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied
> ("org.osgi.framework.ServicePermission" "java.lang.Runnable" "register")
> at
> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at
> java.base/java.security.AccessController.checkPermission(AccessController.java:895)
> at
> java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
> at
> org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:322)
> at
> org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:891)
> at
> org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:877)
> at
> org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
> at
> org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:944)
> at
> org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:727)
> at
> org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:661)
> at
> org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:427)
> at
> org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:440)
> at
> org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
> at
> org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
> at
> org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
> at
> org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
> at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
> at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
> at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
> at java.base/java.lang.Thread.run(Thread.java:844)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
