[jira] Commented: (MYFACES-1879) Problems with myfaces when java2 security is enabled

Fri, 22 May 2009 06:53:12 -0700 

    [ 
https://issues.apache.org/jira/browse/MYFACES-1879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12712086#action_12712086
 ] 

Michael Concini commented on MYFACES-1879:
------------------------------------------

I can add it to the 2.0 stream.  I'll take care of it next week once I'm back 
from the US Memorial Day holiday.  

> Problems with myfaces when java2 security is enabled
> ----------------------------------------------------
>
>                 Key: MYFACES-1879
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1879
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 1.2.3
>            Reporter: Michael Concini
>            Assignee: Leonardo Uribe
>             Fix For: 1.2.7-SNAPSHOT
>
>         Attachments: MYFACES-1879-core-v2.patch, MYFACES-1879-core.patch, 
> MYFACES-1879-shared-v2.patch, MYFACES-1879-shared.patch
>
>
> When running MyFaces 1.2 on an application server with java2 security turned 
> on, a user can receive an AccessControlException from several locations 
> within the code, in some cases preventing the application from working in the 
> environment. 
> There are several places in the myfaces code that should be updated to 
> include a doPriv when java2 security is on.  Specifically in locations where 
> the code is executing a call to 
> Thread.currentThread().getContextClassLoader(), as well as in the 
> JspStateManagerImpl's deserializeView() method.  
> for example (in the classloader case):
> if (System.getSecurityManager() != null) {
>       try {
>               Object cl = AccessController.doPrivileged(new 
> PrivilegedExceptionAction() {
>                               public Object run() throws 
> PrivilegedActionException {
>                                       return 
> Thread.currentThread().getContextClassLoader();
>                               }
>               });
>               return (ClassLoader) cl;
>       } catch (PrivilegedActionException pae) {
>               throw new FacesException(pae);
>       }
> }else{
>       return Thread.currentThread().getContextClassLoader();
> }
> If its agreed that the change should be implemented, I'd be happy to perform 
> the changes myself and supply a patch.  I also thought that it might make 
> sense to, at least for the ClassLoader lookup, create a method in ClassUtils 
> called getContextClassloader that could be called elsewhere for efficiency's 
> sake. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Reply via email to