[ https://issues.apache.org/jira/browse/MYFACES-1879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12711977#action_12711977 ]
Matthias Weßendorf commented on MYFACES-1879:
---------------------------------------------

Can you add this to myfaces 2.0?

> Problems with myfaces when java2 security is enabled
> ----------------------------------------------------
>
>                 Key: MYFACES-1879
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1879
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 1.2.3
>            Reporter: Michael Concini
>            Assignee: Leonardo Uribe
>             Fix For: 1.2.7-SNAPSHOT
>
>         Attachments: MYFACES-1879-core-v2.patch, MYFACES-1879-core.patch,
>                      MYFACES-1879-shared-v2.patch, MYFACES-1879-shared.patch
>
>
> When running MyFaces 1.2 on an application server with java2 security turned
> on, a user can receive an AccessControlException from several locations
> within the code, in some cases preventing the application from working in the
> environment.
> There are several places in the myfaces code that should be updated to
> include a doPriv when java2 security is on. Specifically in locations where
> the code is executing a call to
> Thread.currentThread().getContextClassLoader(), as well as in the
> JspStateManagerImpl's deserializeView() method.
> For example (in the classloader case):
>         if (System.getSecurityManager() != null) {
>             try {
>                 Object cl = AccessController.doPrivileged(new PrivilegedExceptionAction() {
>                     public Object run() throws PrivilegedActionException {
>                         return Thread.currentThread().getContextClassLoader();
>                     }
>                 });
>                 return (ClassLoader) cl;
>             } catch (PrivilegedActionException pae) {
>                 throw new FacesException(pae);
>             }
>         } else {
>             return Thread.currentThread().getContextClassLoader();
>         }
> If it's agreed that the change should be implemented, I'd be happy to perform
> the changes myself and supply a patch. I also thought that it might make
> sense to, at least for the ClassLoader lookup, create a method in ClassUtils
> called getContextClassloader that could be called elsewhere for efficiency's
> sake.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
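
The shared lookup helper proposed in the quoted issue, written out as an added example that is not part of the original message or of the attached MyFaces patches. The class name `PrivilegedSupport` and the methods `loadClass` and `runChecked` are hypothetical, and the code assumes a Java release where the SecurityManager is still supported.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper; class and method names are assumptions, not MyFaces code.
final class PrivilegedSupport {
    private PrivilegedSupport() {}

    // Package-private on purpose: a public method would hand the context class
    // loader to callers that lack RuntimePermission("getClassLoader") themselves.
    static ClassLoader getContextClassLoader() {
        if (System.getSecurityManager() == null) {
            return Thread.currentThread().getContextClassLoader();
        }
        // PrivilegedAction, not PrivilegedExceptionAction: the lookup throws no
        // checked exception, so there is no PrivilegedActionException to handle.
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return Thread.currentThread().getContextClassLoader();
            }
        });
    }

    // Only the loader lookup is privileged; the class load itself happens
    // outside any doPrivileged block added by this helper.
    static Class<?> loadClass(String name) throws ClassNotFoundException {
        return Class.forName(name, false, getContextClassLoader());
    }

    // For privileged work that can throw a checked exception: rethrow the real
    // cause instead of the PrivilegedActionException wrapper.
    static <T> T runChecked(PrivilegedExceptionAction<T> action) throws Exception {
        if (System.getSecurityManager() == null) {
            return action.run();
        }
        try {
            return AccessController.doPrivileged(action);
        } catch (PrivilegedActionException pae) {
            throw pae.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        Class<?> c = loadClass("java.util.ArrayList");
        System.out.println(c.getName() + " loaded via " + getContextClassLoader());
    }
}
```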