[cp-patches] Gnu classpath permission patch ?

Casey Marshall csm at gnu.org
Fri May 25 16:32:38 UTC 2007


On May 25, 2007, at 12:37 AM, Pierre Parrend wrote:

>
>  Hello,
>
> thanks for the tip, to tell the Classes to use the right policy  
> reader is usefull. However, I now get a ugly NullPointerException  
> in policy reading, it seems that the given reader has problem  
> reading the name of the ProtectionDomain:
>

Hmm, no, this looks more like a problem with recursive permission  
checks; that is, something needs to have a permission checked while  
it's checking a permission. It also looks like Classpath will  
eventually deny the permission your code is requesting.

This is a little odd, because it looks like Classpath internal code  
is being denied a permission. That's wrong; library code should be  
able to do what it pleases.

This feels like a regression. What version of Classpath and jamvm are  
you using?

Thanks.

> java.lang.ExceptionInInitializerError
>    at gnu.java.security.x509.X509Certificate.toString 
> (X509Certificate.java:455)
>    at java.lang.StringBuffer.append(StringBuffer.java:348)
>    at java.security.CodeSource.toString(CodeSource.java:269)
>    at java.lang.StringBuffer.append(StringBuffer.java:348)
>    at java.security.ProtectionDomain.toString(ProtectionDomain.java: 
> 212)
>    at java.lang.StringBuffer.append(StringBuffer.java:348)
>    at java.security.AccessControlContext.checkPermission 
> (AccessControlContext.java:157)
>    at java.security.AccessController.checkPermission 
> (AccessController.java:76)
>    at java.lang.SecurityManager.checkPermission 
> (SecurityManager.java:356)
>    at java.lang.SecurityManager.checkPropertyAccess 
> (SecurityManager.java:820)
>    at java.lang.System.getProperty(System.java:397)
>    at org.apache.felix.main.Main.<clinit>(Main.java:66)
> Caused by: java.lang.NullPointerException
>    at java.io.PrintWriter.println(PrintWriter.java:395)
>    at java.io.PrintWriter.println(PrintWriter.java:523)
>    at gnu.java.security.x509.X509Certificate.toString 
> (X509Certificate.java:456)
>    at java.lang.StringBuffer.append(StringBuffer.java:348)
>    at java.security.CodeSource.toString(CodeSource.java:269)
>    at java.lang.StringBuffer.append(StringBuffer.java:348)
>    at java.security.ProtectionDomain.toString(ProtectionDomain.java: 
> 212)
>    at java.lang.StringBuffer.append(StringBuffer.java:348)
>    at java.security.AccessControlContext.checkPermission 
> (AccessControlContext.java:157)
>    at java.security.AccessController.checkPermission 
> (AccessController.java:76)
>    at java.lang.SecurityManager.checkPermission 
> (SecurityManager.java:356)
>    at java.lang.SecurityManager.checkPropertyAccess 
> (SecurityManager.java:820)
>    at java.lang.System.getProperty(System.java:418)
>    at java.io.PrintWriter.<clinit>(PrintWriter.java:381)
>    at gnu.java.security.x509.X509Certificate.toString 
> (X509Certificate.java:455)
>
>
>
>
> Quoting Casey Marshall <csm at gnu.org>:
>
>> On May 24, 2007, at 1:58 PM, Pierre Parrend wrote:
>>
>>>
>>> Hello,
>>>
>>> for instance, I have the following command:
>>>
>>> jamvm -Djava.security.manager -Djava.security.policy=conf/ 
>>> java.policy -cp
>>> bin/felix.jar: org.apache.felix.main.Main
>>> (jamvm uses the Gnu classpath, with default configuration)
>>>
>>> with following conf/java.policy file:
>>>
>>> grant codeBase "/code/osgi-projects/sfelix/sfelix0.2.2/main/-" {
>>>        permission java.io.FilePermission  "/home/pierre/.felix/ 
>>> testSF", "read";
>>>        permission java.lang.RuntimePermission "exitVM";
>>> };
>>>
>>> which gives me following error:
>>>
>>> Error creating bundle cache:
>>> permission (java.io.FilePermission /home/pierre/.felix/testSF  
>>> read)  not granted:
>>> no protection domains
>>> Could not create framework: java.security.AccessControlException:  
>>> permission
>>> (java.lang.RuntimePermission exitVM ) not granted: no protection  
>>> domains
>>> java.security.AccessControlException: permission   
>>> (java.lang.RuntimePermission
>>> exitVM ) not granted: no protection domains
>>>   at
>>> java.security.AccessControlContext.checkPermission 
>>> (AccessControlContext.java:149)
>>>   at  java.security.AccessController.checkPermission 
>>> (AccessController.java:76)
>>>   at java.lang.SecurityManager.checkPermission 
>>> (SecurityManager.java:356)
>>>   at java.lang.SecurityManager.checkExit(SecurityManager.java:475)
>>>   at java.lang.Runtime.exit(Runtime.java:171)
>>>   at java.lang.System.exit(System.java:506)
>>>   at
>>> org.apache.felix.framework.util.SecureAction$Actions.run 
>>> (SecureAction.java:843)
>>>   at java.security.AccessController.doPrivileged 
>>> (AccessController.java:195)
>>>   at  org.apache.felix.framework.util.SecureAction.exit 
>>> (SecureAction.java:624)
>>>   at org.apache.felix.framework.Felix.start(Felix.java:276)
>>>   at org.apache.felix.main.Main.main(Main.java:208)
>>>
>>> (executed platform is the Felix OSGi implementation, which work   
>>> well without the
>>> security set)
>>>
>>
>> One problem here is that Classpath still unfortunately uses a bogus
>> DefaultPolicy class for its policy, not the one that reads policy
>> files. You can force using the policy file reader by adding the  
>> option:
>>
>>   -Dpolicy.provider=gnu.java.security.PolicyFile
>>
>> ...I don't know why the default policy would reject the permission
>> checks, though, since (AFAIK) the default policy grants  
>> AllPermission.
>
>
>




More information about the Classpath-patches mailing list