Viktor Matic wrote:

On Wed, 2004-05-19 at 17:23, Jeanfrancois Arcand wrote:



Well, take a look at org.apache.catalina.security.SecurityUtil. I am setting the Subject/AccessControlContext there. I think that might cause your problem, but I need more info ;-). AnybodyPrincipal is trying to do what?

-- Jeanfrancois


Thanks for the fast reply.
I'll check org.apache.catalina.security.SecurityUtil. The problem manifests in line 65 of class SimpeGroup, and this line
checks whether the group member is an instance of AnybodyPrincipal:


isMember = (member instanceof com.ingemark.security.AnybodyPrincipal)

The AnybodyPrincipal is a simple class which returns true if it is
compared to any real principal. But I think that the real problem is not in
the implementation of this class but more likely in the class loader, which
tests permissions to read this particular class. For example, if I
comment out line 65 (which is not crucial for this test) and try it
again, a ClassCircularityError arises in a different place, as can be seen
in the following error stack dump:

java.lang.ClassCircularityError: com/ingemark/experiments/PermissionName$NameLengthComparator
com.ingemark.experiments.NamespacePermissionCollection.<init>(NamespacePermissionCollection.java:22)
com.ingemark.experiments.NamespacePermission.newPermissionCollection(NamespacePermission.java:66)
java.security.Permissions.getPermissionCollection(Permissions.java:245)
java.security.Permissions.add(Permissions.java:110)
com.ingemark.security.PolicyEntry.getPermissions(PolicyEntry.java:50)
com.ingemark.security.AuthorizationInfo.getPermissions(AuthorizationInfo.java:73)
com.ingemark.security.SecurityPolicy.getPermissions(SecurityPolicy.java:95)
java.security.Policy.implies(Policy.java:397)
java.security.ProtectionDomain.implies(ProtectionDomain.java:189)
java.security.AccessControlContext.checkPermission(AccessControlContext.java:254)
java.security.AccessController.checkPermission(AccessController.java:401)
java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
java.lang.SecurityManager.checkRead(SecurityManager.java:863)
java.io.File.exists(File.java:678)
org.apache.naming.resources.FileDirContext.file(FileDirContext.java:826)
org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:208)
org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:287)
org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:1707)
org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1575)
org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:860)
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1307)
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1189)
java.lang.ClassLoader.loadClassInternal(ClassLoader.java:302)
com.ingemark.experiments.NamespacePermissionCollection.<init>(NamespacePermissionCollection.java:22)
com.ingemark.experiments.NamespacePermission.newPermissionCollection(NamespacePermission.java:66)
java.security.Permissions.getPermissionCollection(Permissions.java:245)
java.security.Permissions.add(Permissions.java:110)
com.ingemark.security.PolicyEntry.getPermissions(PolicyEntry.java:50)
com.ingemark.security.AuthorizationInfo.getPermissions(AuthorizationInfo.java:73)
com.ingemark.security.SecurityPolicy.getPermissions(SecurityPolicy.java:95)
java.security.Policy.implies(Policy.java:397)
java.security.ProtectionDomain.implies(ProtectionDomain.java:189)
java.security.AccessControlContext.checkPermission(AccessControlContext.java:254)
java.security.AccessController.checkPermission(AccessController.java:401)
com.ingemark.experiments.ServletSec$SecuredActions.run(ServletSec.java:207)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:437)
com.ingemark.experiments.ServletSec.service(ServletSec.java:181)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:324)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:241)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:263)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)


This time execution breaks in a different place but under the same conditions: the Catalina class loader tries to load the class (com/ingemark/experiments/PermissionName$NameLengthComparator) and loops there checking read permission.

Here is the piece of servlet code which triggers this behavior:
..
/*This line is in servlet service method*/
Subject.doAsPrivileged(subject, new SecuredActions(), null );


Yes, that's probably the problem since SecurityUtil has already set that value. The AccessControlContext already has the Subject attached to it. You may want to try:

Subject.getSubject(AccessController.getContext());

and then use that subject to call:

Subject.doAsPrivileged(subject, new SecuredActions(), null );

Let me know what you get.

Thanks

-- Jeanfrancois



..

/* this is an inner class of the servlet class */
        static class SecuredActions implements PrivilegedAction
        {

                public Object run()
                {
                        log.info( "Subject within Secured action:"
                                        + Subject.getSubject( AccessController.getContext() ) );
                        log.info( "Check subject with action=" + action + " and target=" + target );
                        Permission p = new NamespacePermission( target, action );
                        /* the next line triggers the error, ServletSec.java:207 */
                        AccessController.checkPermission( p );
                        log.info( "User has permission to execute action" );
                        return null;
                }

        }
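
The stack trace in this message shows Policy.implies being entered a second time from the File.exists read check that the policy's own class loading triggered. The following is an added example, not code from the thread or from Tomcat, of a thread-local re-entrancy guard in a custom Policy that answers such nested checks from a fixed policy instead of recursing. GuardedPolicy, staticPolicy and the sample path are hypothetical names, the nested check is simulated so no SecurityManager is installed, and java.security.Policy compiles with deprecation warnings on recent JDKs.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

// Added example: GuardedPolicy, staticPolicy and the sample path are hypothetical.
public class GuardedPolicy extends Policy {
    // True while this thread is already inside evaluate().
    private final ThreadLocal<Boolean> evaluating = ThreadLocal.withInitial(() -> false);
    private final Policy staticPolicy; // fixed rules that need no webapp classes
    GuardedPolicy(Policy staticPolicy) { this.staticPolicy = staticPolicy; }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (evaluating.get()) {
            // Re-entered by a check our own evaluation caused (class loading ->
            // File.exists -> checkRead). Answer from the static policy; returning
            // true unconditionally here would fail open.
            return staticPolicy.implies(domain, permission);
        }
        evaluating.set(true);
        try {
            return evaluate(domain, permission);
        } finally {
            evaluating.set(false);
        }
    }

    // Stand-in for the dynamic lookup (SecurityPolicy.getPermissions in the trace).
    private boolean evaluate(ProtectionDomain domain, Permission permission) {
        // Simulates the read check the class loader makes when the policy
        // touches a class that is not loaded yet (constructed path).
        Permission read = new FilePermission("/webapp/WEB-INF/classes/Example.class", "read");
        if (!implies(domain, read)) return false;
        return "granted-target".equals(permission.getName());
    }

    public static void main(String[] args) {
        Policy staticPolicy = new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) {
                return p instanceof FilePermission && "read".equals(p.getActions());
            }
        };
        GuardedPolicy policy = new GuardedPolicy(staticPolicy);
        ProtectionDomain domain = GuardedPolicy.class.getProtectionDomain();
        System.out.println(policy.implies(domain, new RuntimePermission("granted-target")));
        System.out.println(policy.implies(domain, new RuntimePermission("other-target")));
    }
}
```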

