Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 329212

Summary: OSGI app binaries do not inherit Java 2 security
Product: [Eclipse Project] Equinox Reporter: Simon Kaegi <simon_kaegi>
Component: Server-SideAssignee: equinox.server-side-inbox <equinox.server-side-inbox>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: P3 CC: duongn, gunnar, jcr2548, simon_kaegi, tjwatson
Version: 3.6.1Flags: tjwatson: review+
Target Milestone: 3.6.2+   
Hardware: PC   
OS: Windows XP   
Whiteboard:
Bug Depends on: 327482    
Bug Blocks: 329204    
Attachments:
Description Flags
Proposed Patch none

Description Simon Kaegi CLA 2010-11-01 13:59:46 EDT 
Cloned to back-port the fix to 3.6 maintenance branch.

+++ This bug was initially created as a clone of Bug #327482 +++

AccessControlException seen when an OSGI application is run in WebSphere when Java 2 security is enabled.

Steps to Recreate:
Install an OSGI web application in WebSphere and enable Java 2 security.
When I attempt to load the application, I get exceptions in the log:

Permission:
      setContextClassLoader : Access denied (java.lang.RuntimePermission setContextClassLoader)

Code:
     org.apache.jsp.index_jsp  in  {file:/G:/wasX/profiles/Dmgr02/temp/HumeCellManager41/dmgr/isclite/iehs.war/proxytemp/hc_30600740/}

Stack Trace:
java.security.AccessControlException: Access denied (java.lang.RuntimePermission setContextClassLoader)
	at java.security.AccessController.checkPermission(AccessController.java:108)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:533)
	at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:212)
	at java.lang.Thread.setContextClassLoader(Thread.java:754)
	at com.ibm.ws.util.ThreadPool$Worker.setContextClassLoader(ThreadPool.java:1773)
	at org.eclipse.equinox.servletbridge.BridgeServlet.service(BridgeServlet.java:120)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
	at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1138)
	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:708)
	at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:435)

The problem is that the was.policy file which grants AllPermission to the ear does not get applied to the OSGI war binaries which have been extracted to the temp directory.
A known workaround is to edit the server.policy file to grant AllPermission for this temp path as the codeBase. This workaround should not be needed if the permissions are inherited correctly from the ear's .policy file.

We think the issue is the org.eclipse.equinox.servletbridge.BridgeServlet class uses the class loader org.eclipse.equinox.servletbridge.CloseableURLClassLoader to load the framework (the jars that got extracted to the temp directory).  The CloseableClassLoader extends URLClassLoader.  By default the URLClassLoader uses the built in policy.  I think WAS sets up a built-in security policy that only understands how to grant permissions to the server's codebase and to class loaders it controls.  It knows nothing about CloseableClassLoader.  I think CloseableClassLoader should override the method java.net.URLClassLoader.getPermissions(CodeSource) in order to grant all permissions to the framework jar (codebase) that it extracted.
Comment 1 Simon Kaegi CLA 2010-11-01 14:04:10 EDT 
Created attachment 182165 [details]
Proposed Patch
Comment 2 Simon Kaegi CLA 2010-11-01 14:05:19 EDT 
Tom please review but we need to re-validate in bug 329204 first.
Comment 3 Thomas Watson CLA 2010-11-01 16:40:54 EDT 
(In reply to comment #2)
> Tom please review but we need to re-validate in bug 329204 first.

Looks good, but need to increase bundle version to 1.0.201
Comment 4 Simon Kaegi CLA 2010-11-04 10:44:12 EDT 
Thanks Tom. Bumped version, re-validated and committed.
Comment 5 Simon Kaegi CLA 2010-11-04 10:46:01 EDT 
.
Comment 6 Thomas Watson CLA 2012-07-17 08:58:05 EDT 
It looks like this fix did not actually make it into the final 3.6.2 build.  At least according to git and CVS the tags to not match up for 3.6.2.  See CVS:

http://dev.eclipse.org/viewsvn/viewvc.cgi/org.eclipse.equinox/server-side/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java?view=log&root=RT_Project&pathrev=R3_6_maintenance

And Git:

http://git.eclipse.org/c/equinox/rt.equinox.bundles.git/log/?h=R3_6_maintenance

The logs show that the previous commit was marked as R3_6_2.
Comment 7 Thomas Watson CLA 2012-07-18 11:03:03 EDT 
I have updated the micro-version of org.eclipse.equinox.jsp.jasper and tagged it [1] and updated the releng maps [2] in case a build is done against the R3_6_maintenance stream then this fix will be included.

[1] - http://git.eclipse.org/c/equinox/rt.equinox.bundles.git/commit/?h=R3_6_maintenance&id=b151f5171c3af422ec1ad6f3cde26b48faef6fb4

[2] - http://git.eclipse.org/c/platform/eclipse.platform.releng.maps.git/commit/?h=R3_6_maintenance&id=dbb15a72e5cf2a31bd9298adbab3686e0424b488
Comment 8 Duong Nguyen CLA 2012-07-30 17:22:47 EDT 
Legal +1