Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 333336

Summary:

GlassFish V3 JMX API findMBeanServer() requires security.AccessControlException handler - shouldUsePrivilegedAccess() check is missing

Product:

z_Archived

Reporter:

Michael OBrien <michael.f.obrien>

Component:

Eclipselink

Assignee:

Nobody - feel free to take it <nobody>

Status:

RESOLVED FIXED

QA Contact:

Severity:

major

Priority:

CC:

eclipselink.foundation-inbox, michael.f.obrien, mitesh.meswani, peter.krogh

Version:

unspecified

Target Milestone:

---

Hardware:

OS:

Windows 7

URL:

http://java.net/jira/browse/GLASSFISH-15337

Whiteboard:

Bug Depends on:

333368, 316512, 316513, 318892, 333160

Bug Blocks:

297312, 322288, 334381

Attachments:

Description	Flags
AccessController private run method - preliminary patch (pending EAR testing)	none
AccessController private run method - 2.2 milestone patch (pending secure EAR testing)	none
2.2 milestone patch of both 333160 and 333336	none
patch 2 adds registerMBean and unregisterMBean privileged blocks when security manager is on	none
Screencap of JConsole MBean view on secured GlassFish 3.0.1 running 2.2 rev 8831 EclipseLink bundles	none
trunk 333336 patch from 2.2 branch	none
10427734 for 333160 and 333336 on 2.1.3 backport	none

Description Michael OBrien

2010-12-30 07:43:50 EST

Comment 1 Michael OBrien

2010-12-30 15:18:32 EST

>The code below that retrieves the MBeanServer on GlassFish V3.1 requires both
a handler for a security.AccessControlException that attempts an alternate JNDI lookup, or fails gracefully with no MBean registration in the case that GlassFish is running with security on.

A reproduction on the dev machine is required, but here is the code that needs refactoring...
JMXServerPlatformBase.java:168
    public MBeanServer getMBeanServer() {
        // lazy initialize the MBeanServer reference
        if(null == mBeanServer) {
            try {
                // Attempt to get the first MBeanServer we find - usually there is only one - when agentId == null we return a List of them
>               List<MBeanServer> mBeanServerList = MBeanServerFactory.findMBeanServer(null);                

>and the exception in GF-15337
>The following standard SSB wrapped in an ejb proxy is failing to load the MBeanServer in a security context
[#|2010-12-23T08:47:47.988-0500|INFO|glassfish3.1|org.eclipse.persistence.session.file:/export/home/sun/glassfish-3.1-b34-12_19_2010_CTS6X/glassfish/domains/domain1/applications/ejb-timer-service-app/WEB-INF/classes/___EJB__Timer__App|_ThreadID=15;_ThreadName=Thread-1;|EclipseLink, version: Eclipse Persistence Services - 2.2.0.v20101209-r8662|#]
[#|2010-12-23T08:47:56.524-0500|INFO|glassfish3.1|org.eclipse.persistence.session.file:/export/home/sun/glassfish-3.1-b34-12_19_2010_CTS6X/glassfish/domains/domain1/applications/ejb-timer-service-app/WEB-INF/classes/___EJB__Timer__App|_ThreadID=15;_ThreadName=Thread-1;|file:/export/home/sun/glassfish-3.1-b34-12_19_2010_CTS6X/glassfish/domains/domain1/applications/ejb-timer-service-app/WEB-INF/classes/___EJB__Timer__App login successful|#]
[#|2010-12-23T08:47:56.525-0500|FINE|glassfish3.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=Thread-1;ClassName=com.sun.enterprise.security.provider.BasePolicyWrapper;MethodName=doImplies;|JACC Policy Provider, failed Permission Check at :
java.lang.Exception
	at com.sun.enterprise.security.provider.BasePolicyWrapper.doImplies(BasePolicyWrapper.java:408)
	at com.sun.enterprise.security.provider.BasePolicyWrapper.implies(BasePolicyWrapper.java:244)
	at java.security.ProtectionDomain.implies(ProtectionDomain.java:224)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
	at java.security.AccessController.checkPermission(AccessController.java:546)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
	at javax.management.MBeanServerFactory.checkPermission(MBeanServerFactory.java:393)
	at javax.management.MBeanServerFactory.findMBeanServer(MBeanServerFactory.java:343)
	at org.eclipse.persistence.platform.server.JMXServerPlatformBase.getMBeanServer(JMXServerPlatformBase.java:165)
	at org.eclipse.persistence.platform.server.JMXServerPlatformBase.serverSpecificRegisterMBean(JMXServerPlatformBase.java:235)
	at org.eclipse.persistence.platform.server.sunas.SunAS9ServerPlatform.serverSpecificRegisterMBean(SunAS9ServerPlatform.java:180)
	at org.eclipse.persistence.platform.server.ServerPlatformBase.registerMBean(ServerPlatformBase.java:510)
	at org.eclipse.persistence.internal.sessions.DatabaseSessionImpl.postConnectDatasource(DatabaseSessionImpl.java:687)
	at org.eclipse.persistence.internal.sessions.DatabaseSessionImpl.loginAndDetectDatasource(DatabaseSessionImpl.java:620)
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryProvider.login(EntityManagerFactoryProvider.java:240)
	at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.deploy(EntityManagerSetupImpl.java:394)
...
	at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(EJBObjectInvocationHandler.java:205)
	at com.sun.ejb.containers.EJBObjectInvocationHandlerDelegate.invoke(EJBObjectInvocationHandlerDelegate.java:79)
	at $Proxy188.add(Unknown Source)

Comment 2 Michael OBrien

2010-12-31 15:10:07 EST

>Forensics:
>java.net GlassFish issue reference is 15337
http://java.net/jira/browse/GLASSFISH-15337

>Previously optional GlassFish support was added for bug# 316512 in SVN rev# 7777 in July 2010
https://fisheye2.atlassian.com/changelog/eclipselink/?cs=7777

>This change will go into trunk (2.3) and be backported to the 2.2 stream

Comment 3 Michael OBrien

2011-01-02 21:55:25 EST

>I am going to use a standard PrivilegedAccessHelper.shouldUsePrivilegedAccess() wrapper
I was reminded by Mitesh (thank you) of this standard security code block that exists throughout our code - would have run into existing examples of it that I modified for WebLogic when the fallback JNDI code was examined - If I would have gone that way.
The following propery will need to be set as well.
eclipselink.security.usedoprivileged=true

Comment 4 Michael OBrien

2011-01-10 15:59:43 EST

>Changes in 333160 (pending backport to 2.2) will need to be part of this 2.2 change
- both changes modify the JMX framework

Comment 5 Michael OBrien

2011-01-11 09:16:06 EST

Created attachment 186495 [details]
AccessController private run method - preliminary patch (pending EAR testing)

>prelimiary AccessController private run method patch for secure deployments.
Instead of using the standard PrivilegedAccessHelper.getPublicMethod()/

Comment 6 Michael OBrien

2011-01-11 14:43:13 EST

Created attachment 186554 [details]
AccessController private run method - 2.2 milestone patch (pending secure EAR testing)

Comment 7 Michael OBrien

2011-01-11 14:43:53 EST

>Enabling security
http://download.oracle.com/docs/cd/E13222_01/wls/docs92/security/server_prot.html
startWebLogic.cmd
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.manager
note: the weblogic.policy file is already set later in the cmd file
without security on the servlet or session bean we now get the following because security is now on for the weblogic domain


java.lang.ExceptionInInitializerError
org.eclipse.persistence.example.jpa.server.weblogic.enterprise.presentation.FrontController.doGet(FrontController.java:459)
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission weblogic.servlet.session.PersistentBackCompatibility read)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
	at java.security.AccessController.checkPermission(AccessController.java:546)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
	at java.lang.System.getProperty(System.java:650)


>Checking in patch 2 without security testing so we can meet the 2.2 stream milestone today.
>will continue with <security-permission> grants in ejb descriptor after checking in patch 2

Comment 8 Michael OBrien

2011-01-11 14:45:14 EST

>Enabling security
http://download.oracle.com/docs/cd/E13222_01/wls/docs92/security/server_prot.html
startWebLogic.cmd
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.manager
note: the weblogic.policy file is already set later in the cmd file
without security on the servlet or session bean we now get the following
because security is now on for the weblogic domain


java.lang.ExceptionInInitializerError
org.eclipse.persistence.example.jpa.server.weblogic.enterprise.presentation.FrontController.doGet(FrontController.java:459)
Caused by: java.security.AccessControlException: access denied
(java.util.PropertyPermission
weblogic.servlet.session.PersistentBackCompatibility read)
    at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at
java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
    at java.lang.System.getProperty(System.java:650)


>Checking in patch 2 without security testing so we can meet the 2.2 stream milestone today.
>will continue with <security-permission> grants in ejb descriptor after checking in patch 2

Comment 9 Michael OBrien

2011-01-11 14:47:30 EST

Created attachment 186555 [details]
2.2 milestone patch of both 333160 and 333336

Comment 10 Michael OBrien

2011-01-11 14:51:37 EST

>see SVN rev # 8798 for the 2.2 stream milestone 20110111
https://fisheye2.atlassian.com/changelog/eclipselink/?cs=8798

Comment 11 Michael OBrien

2011-01-11 20:14:44 EST

>Regression test results same as clean view for separate 2.2 view on Core i7 32-bit SUN 1.6.0_17 on derby 10.5.3
    [junit] Tests run: 7733, Failures: 0, Errors: 15, Time elapsed: 2,586.575 sec
>Note: no actual JMX testing is in the suite yet though

Comment 12 Michael OBrien

2011-01-11 22:38:58 EST

>To verify PrivilegedAccess codepath need to get past a missing [grant] for 
<11-Jan-2011 10:31:40 o'clock PM EST> <Error> <Deployer> <BEA-149205> <Failed to initialize the application 'localJTA' due to error 
Caused By: weblogic.common.ResourceException: access denied (java.net.SocketPermission 127.0.0.1:1527 connect,resolve)

>even with facet
weblogic-ejb-jar.xml
    <wls:security-permission>
        <wls:security-permission-spec>grant {         
        permission java.net.SocketPermission "127.0.0.1:1527", "connect,resolve";
        permission java.util.PropertyPermission "weblogic.transaction.blocking.commit", "read";
        };</wls:security-permission-spec>
    </wls:security-permission>

>and global permissions override
startWebLogic.cmd
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.manager -Declipselink.security.usedoprivileged=true

>weblogic.policy
grant codebase "file:/weblogic/application/defaults/Connector" {
    permission java.net.SocketPermission "*", "connect,resolve";

Comment 13 Michael OBrien

2011-01-12 11:21:47 EST

>Secure EAR deployment scenarios/configuration for WebLogic in progress
http://wiki.eclipse.org/EclipseLink/Examples/JPA/WebLogic_Web_Tutorial#Deploying_a_Secure_Enterprise_Application_on_WebLogic

Comment 14 Michael OBrien

2011-01-12 13:11:59 EST

>The issue holding up my secure EAR deployment was the permissions on the derby localJTA global TX datasource
I now predeploy the persistence unit fine without JTA permissions errors
Note: no shouldUsePrivilegedAccess() call actually happens in predeploy - (set breakpoint on the server) - so this is not yet an accurate test of whether privileged access is happening via...

Security policy property reference (already set for us
-Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy

Security Manager enablement
$WebLogic_home\user_projects\domains\base_domain\bin\startWebLogic.cmd 
set JAVA_OPTIONS=%JAVA_OPTIONS% -Djava.security.manager 

and enablement of the EclipseLink property eclipselink.security.usedoprivileged 
$WebLogic_home\user_projects\domains\base_domain\bin\startWebLogic.cmd 
set JAVA_OPTIONS=%JAVA_OPTIONS% -Declipselink.security.usedoprivileged=true 


>Creation of the JTA datasource in WebLogic Console
http://127.0.0.1:7001/console/console.portal?_nfpb=true&_pageLabel=GlobalJDBCDataSourceTablePage 
The database is standalone Derby 10.5.3.0 using a global JTA TX datasource (Type IV XA) set on WebLogic. 
org.apache.derby.jdbc.ClientXADataSource 
jdbc:derby://127.0.0.1:1527/weblogic;create=true;ServerName=127.0.0.1;databaseName=weblogic 
APP:APP 

This resource must be granted permissions [java.net.SocketPermission 127.0.0.1:1527 connect,resolve ] and is unrelated to EclipseLink deployment.

<12-Jan-2011 11:43:01 o'clock AM VET> <Warning> <JDBC> <BEA-001129> <Received exception while creating connection for pool "localJTA": access denied (java.net.SocketPermission 127.0.0.1:1527 connect,resolve)> 
<12-Jan-2011 11:43:02 o'clock AM VET> <Error> <Deployer> <BEA-149205> <Failed to initialize the application 'localJTA' due to error weblogic.application.ModuleException: .
weblogic.application.ModuleException: 
	at weblogic.jdbc.module.JDBCModule.prepare(JDBCModule.java:302)
	at weblogic.application.internal.flow.ModuleListenerInvoker.prepare(ModuleListenerInvoker.java:199)
	at weblogic.application.internal.flow.DeploymentCallbackFlow$1.next(DeploymentCallbackFlow.java:517)
	at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
	at weblogic.application.internal.flow.DeploymentCallbackFlow.prepare(DeploymentCallbackFlow.java:159)
	Truncated. see log file for complete stacktrace
Caused By: weblogic.common.ResourceException: access denied (java.net.SocketPermission 127.0.0.1:1527 connect,resolve)
	at weblogic.jdbc.common.internal.XAConnectionEnvFactory.makeConnection(XAConnectionEnvFactory.java:494)

>fix to weblogic.policy
http://otndnld.oracle.co.jp/document/products/wls/docs90/security/server_prot.html
// localJTA
grant codeBase "file:C:/opt/wls103----/wlserver_10.3/common/derby/lib/-" {
  permission java.net.SocketPermission "127.0.0.1:1527", "connect,resolve";
};

>I now get to the same place I was before where I need to set security on the servlet and the SSB proxy it uses
Caused By: java.security.AccessControlException: access denied (java.util.PropertyPermission weblogic.transaction.blocking.commit read)

>this is unrelated to EclipseLink as I get the same file permission for an application managed persistence unit

java.security.AccessControlException: access denied (java.io.FilePermission C:\opt\wls103---\user_projects\domains\base_domain\servers\AdminServer\cache\EJBCompilerCache\bi5iz0rnwaep\META-INF\services\javax.persistence.spi.PersistenceProvider read)

for
EntityManagerFactory anEMF  = Persistence.createEntityManagerFactory("exampleLocal");

>Securing the eclipselink library
The wiki states this is for EE but the way the jar is referenced (originally for OC4J) looks like it is for applicaiton managed deployments.

 http://wiki.eclipse.org/Integrating_EclipseLink_with_an_Application_Server_(ELUG)#Granting_Permissions_for_Java_EE_Application_Deployment we need to grant access to the EclipseLink module as well 
This step may be optional - as I predeploy the persistence unit fine without it 
[EL Finest]: 2011-01-12 12:50:47.014--ServerSession(24567153)--Thread(Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads])--Begin predeploying Persistence Unit example; session file:/C:/view_w36a/examples/org.eclipse.persistence.example.jpa.server.weblogic.enterpriseEJB/build/classes/_example; state Initial; factoryCount 0 
$WebLogic_home/modules/org.eclipse.persistence_1.0.0.0_2-x.jar 
grant codeBase "file:C:\opt\wls103----\modules/org.eclipse.persistence_1.0.0.0_2-x.jar" {
    permission java.security.AllPermission;
};

>I am likely going to move over to GlassFish 3 now and enable the security manager there.

Comment 15 Michael OBrien

2011-01-12 21:58:04 EST

- verify SecurityException thrown by findMBeanServer() is checked
  We will then continue to use PrivilegedExceptionAction() otherwise we should use PrivilegedAction()
- verify that the global "*" permissions grant includes the checkPermission("findMBeanServer"); which is part of the static factory function
  from the spec...
"Throws: SecurityException - if there is a SecurityManager and the caller's permissions do not include or imply MBeanServerPermission("findMBeanServer")."

Comment 16 Michael OBrien

2011-01-13 20:56:49 EST

>Summary: deployment in 2.2 8825 now passes - but MBeans don't register as registration also needs a permission Grant
>Was able to test GlassFish V3.0.1 with EclipseLink 2.2 rev#8798-8825 with the security manager ON
>We no longer break predeploy() during the findMBeanServers() JMX call.
We pass through to MBean registration - however the registration call does not have the proper permission set - and requires a Privileged block as well

java.security.AccessControlException: access denied (javax.management.MBeanPermission 
org.eclipse.persistence.services.mbean.MBeanDevelopmentServices#-[TopLink:...] registerMBean)|#]

The result is that although we access the MBeanServer now - MBeans are not registered for GlassFish V3 with -Djava.security.manager set but the MBean part of EAR deployment fails fast and continues fine
_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|End deploying Persistence Unit enterprise2;

However, now that we have reproduced and fixed the original issue - we can also fix the secondary registration issue under secure mode.

>Testing
>Note: when building and replacing the 6 EclipseLink bundles [ant dev-package-bundles] - observe the following (worked this out with Mitesh at HQ)
- The bnd jar should not be in the root of your SVN view - or the manifest files will not be generated correctly and GlassFish felix will not properly update the bundles
bnd-0.0.384.jar
- The file date (not the date in the manifest) - should be later than the file date of the bundle you are replacing or...
- Remove the felix cache off the osgi-cache on the domain (so the new bundles will override the previous ones)

C:\opt\glassfishv301b\glassfish\bin>asadmin start-server
C:\opt\glassfishv301b\glassfish\bin>asadmin --user admin create-jvm-options -Djava.security.manager
C:\opt\glassfishv301b\glassfish\bin>asadmin --user admin create-jvm-options -Declipselink.security.usedoprivileged=true
C:\opt\glassfishv301b\glassfish\bin>asadmin stop-server
C:\opt\glassfishv301b\glassfish\bin>asadmin start-server


[#|2011-01-13T19:30:55.430-0500|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|Security service(s) started successfully....|#]
[#|2011-01-13T19:30:55.399-0500|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|Security startup service called|#]
[#|2011-01-13T19:30:55.321-0500|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|SEC1001: Security Manager is ON.|#]

[#|2011-01-13T19:31:45.225-0500|INFO|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2|_ThreadID=24;_ThreadName=Thread-1;|file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2 login successful|#]

[#|2011-01-13T19:31:45.225-0500|FINER|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|JMX MBeanServer instance found: [com.sun.jmx.mbeanserver.JmxMBeanServer@5d50c4], # of beans: [52], domain: [DefaultDomain] at index: [0].|#]

[#|2011-01-13T19:31:45.225-0500|WARNING|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;|
Problem while registering MBean: java.security.AccessControlException: access denied (
javax.management.MBeanPermission 
org.eclipse.persistence.services.mbean.MBeanDevelopmentServices#-[TopLink:Name=Development-file_/C_/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2,Type=Configuration] 
registerMBean)|#]

[#|2011-01-13T19:31:45.225-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|Registered MBean: null on server com.sun.jmx.mbeanserver.JmxMBeanServer@5d50c4|#]

[#|2011-01-13T19:31:45.225-0500|WARNING|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;|Problem while registering MBean: java.security.AccessControlException: access denied (javax.management.MBeanPermission org.eclipse.persistence.services.glassfish.MBeanGlassfishRuntimeServices#-[TopLink:Name=Session(file_/C_/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2)] registerMBean)|#]

[#|2011-01-13T19:31:45.225-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|Registered MBean: null on server com.sun.jmx.mbeanserver.JmxMBeanServer@5d50c4|#]

[#|2011-01-13T19:31:45.225-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|EclipseLink JMX Runtime Services is referencing the [Platform ConversionManager] ClassLoader at: [EarClassLoader : 
urlSet = [URLEntry : file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/, URLEntry : file:/C:/opt/glassfishv301b/glassfish/domains/domain1/generated/ejb/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/]
doneCalled = false 
 Parent -> org.glassfish.internal.api.DelegatingClassLoader@f7e5d1
]|#]
[#|2011-01-13T19:31:45.225-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|The applicationName for the MBean attached to session [file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2] is [C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_URLEntry _file:/C:/opt/glassfishv301b/glassfish/domains/domain1/generated/ejb/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/]|#]
[#|2011-01-13T19:31:45.288-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar
/_enterprise2.properties|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|End deploying Persistence Unit enterprise2; session file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2; state Deployed; factoryCount 1|#]

Comment 17 Michael OBrien

2011-01-13 20:58:00 EST

>above use
asadmin start|stop-domain not
asadmin start|stop-server

Comment 18 Michael OBrien

2011-01-13 21:48:23 EST

Created attachment 186800 [details]
patch 2 adds registerMBean and unregisterMBean privileged blocks when security manager is on

>Patch #2 add a Privileged block around the MBean registration/unregistration functions


>with 2nd patch for registerMBean|unregisterMBean
[#|2011-01-13T21:36:30.857-0500|FINER|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.server|_ThreadID=23;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
JMX MBeanServer instance found: [com.sun.jmx.mbeanserver.JmxMBeanServer@1ccf0ad], # of beans: [52], domain: [DefaultDomain] at index: [0].|#]

[#|2011-01-13T21:36:30.857-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.server|_ThreadID=23;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
Registered MBean: org.eclipse.persistence.services.mbean.MBeanDevelopmentServices[TopLink:Name=Development-file_/C_/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2,Type=Configuration] 
on server com.sun.jmx.mbeanserver.JmxMBeanServer@1ccf0ad|#]

[#|2011-01-13T21:36:30.857-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.server|_ThreadID=23;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
Registered MBean: org.eclipse.persistence.services.glassfish.MBeanGlassfishRuntimeServices[TopLink:Name=Session(file_/C_/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2)] 
on server com.sun.jmx.mbeanserver.JmxMBeanServer@1ccf0ad|#]

[#|2011-01-13T21:36:30.857-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.server|_ThreadID=23;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
EclipseLink JMX Runtime Services is referencing the [Platform ConversionManager] ClassLoader at: [EarClassLoader : 

urlSet = [URLEntry : file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/, URLEntry : file:/C:/opt/glassfishv301b/glassfish/domains/domain1/generated/ejb/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/]
doneCalled = false 
 Parent -> org.glassfish.internal.api.DelegatingClassLoader@92900d


>and undeploy/unregister
[#|2011-01-13T21:39:35.233-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.properties|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
Begin undeploying Persistence Unit enterprise2; session file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2; state Deployed; factoryCount 1|#]

[#|2011-01-13T21:39:35.233-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
Unregistering MBean: TopLink:Name=Development-file_/C_/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2,Type=Configuration on server com.sun.jmx.mbeanserver.JmxMBeanServer@1ccf0ad|#]

[#|2011-01-13T21:39:35.233-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
Unregistered MBean [TopLink:Name=Development-file_/C_/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2,Type=Configuration] from MBeanServer [com.sun.jmx.mbeanserver.JmxMBeanServer@1ccf0ad].|#]

[#|2011-01-13T21:39:35.233-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
Unregistering MBean: TopLink:Name=Session(file_/C_/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2) on server com.sun.jmx.mbeanserver.JmxMBeanServer@1ccf0ad|#]

[#|2011-01-13T21:39:35.233-0500|FINEST|glassfish3.0.1|org.eclipse.persistence.session.file:/C:/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2.server|_ThreadID=24;_ThreadName=Thread-1;ClassName=null;MethodName=null;|
Unregistered MBean [TopLink:Name=Session(file_/C_/opt/glassfishv301b/glassfish/domains/domain1/applications/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEAR/org.eclipse.persistence.example.jpa.server.glassfishv3.EnterpriseEJB_jar/_enterprise2)] from MBeanServer [com.sun.jmx.mbeanserver.JmxMBeanServer@1ccf0ad].|#]

Comment 19 Michael OBrien

2011-01-13 22:00:28 EST

>patch 2 for 2.2 milestone is in SVN rev# 8831 
- regression testing above on modified GlassFish V 3.0.1 with 8825
https://fisheye2.atlassian.com/changelog/eclipselink/?cs=8831

>trunk checkin of both patches pending

Comment 20 Michael OBrien

2011-01-13 22:18:57 EST

>GlassFish Security Manager was ON for the above tests
[#|2011-01-13T21:36:08.034-0500|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|SEC1001: Security Manager is ON.|#]

Comment 21 Michael OBrien

2011-01-13 23:35:29 EST

>test-core results are the same as a clean view
    [junit] Tests run: 7733, Failures: 0, Errors: 15, Time elapsed: 2,682.237 sec

Comment 22 Michael OBrien

2011-01-14 12:13:53 EST

Created attachment 186832 [details]
Screencap of JConsole MBean view on secured GlassFish 3.0.1 running 2.2 rev 8831 EclipseLink bundles

Comment 23 Michael OBrien

2011-02-01 11:20:40 EST

>2.3 (trunk) patch pending
>2.1.3 patch is available but not likely

Comment 24 Michael OBrien

2011-02-07 15:18:46 EST

Created attachment 188471 [details]
trunk 333336 patch from 2.2 branch

Comment 25 Michael OBrien

2011-02-07 16:30:54 EST

>Trunk 3.3 checkin for SVN rev #8941
https://fisheye2.atlassian.com/changelog/eclipselink/?cs=8941

>Core LRG results same with/without changes
    [junit]     Driver: Oracle JDBC driver  Version: 11.1.0.0.0-Beta5
    [junit] Tests run: 7548, Failures: 0, Errors: 208, Time elapsed: 850.142 sec
    [junit] Tests run: 7548, Failures: 0, Errors: 208, Time elapsed: 765.215 sec

with
<testsuite errors="0" failures="0" hostname="mf*-pc2" name="org.eclipse.persistence.testing.tests.jpa.AllCMP3TestRunModel" tests="2248" time="629.843" timestamp="2011-02-07T20:20:44">
without
<testsuite errors="0" failures="0" hostname="mf*-pc2" name="org.eclipse.persistence.testing.tests.jpa.AllCMP3TestRunModel" tests="2248" time="586.037" timestamp="2011-02-07T20:41:00">

Comment 26 Michael OBrien

2011-02-25 16:09:33 EST

Created attachment 189854 [details]
10427734 for 333160 and 333336 on 2.1.3 backport

Comment 27 Eclipse Webmaster

2022-06-09 10:33:16 EDT

The Eclipselink project has moved to Github: https://github.com/eclipse-ee4j/eclipselink