Bug 333368

Summary: Server Test: container managed apps require Security Manager enabled testing for GlassFish, WebLogic, WebSphere, JBoss
Product: z_Archived
Reporter: Michael OBrien <michael.f.obrien>
Component: Eclipselink
Assignee: Nobody - feel free to take it <nobody>
Status: NEW ---
QA Contact:
Severity: enhancement
Priority: P2
CC: eclipselink.foundation-inbox, michael.f.obrien
Version: unspecified
Flags: michael.f.obrien: documentation+
Target Milestone: ---
Hardware: PC
OS: Windows 7
URL: http://wiki.eclipse.org/EclipseLink/Examples/JPA/GlassFishV3_Web_Tutorial#Enabling_the_Security_Manager_in_GlassFish_3
Whiteboard:
Bug Depends on: 332312
Bug Blocks: 316513, 331162, 333336

Description Michael OBrien CLA 2010-12-31 15:52:34 EST
The existing server tests should be run with security turned on in GlassFish, WebLogic, JBoss and WebSphere as we only now (29 Dec 2010) caught security issues during session deploy() on @PersistenceContext injection for code that was put into the stream back in July 2010.

>Several security issues came up recently when EclipseLink was run with container security on
GlassFish V 3.1 encountered several security API exceptions including the one in bug # 333336
WebLogic also had issues when the server was run in production mode with security on instead of our development mode which is usually run during R&D.

>It would be better if we caught these security issues before external groups notified us during integration testing at the end of the release cycle.

Comment 1 Michael OBrien CLA 2011-01-04 10:20:02 EST
>Most issues will occur on predeploy()/deploy() of existing EARs with security on
>Specifically GlassFish with the SecurityManager turned on so the following code blocks execute

import java.security.AccessController;
import org.eclipse.persistence.internal.security.PrivilegedAccessHelper;
if (PrivilegedAccessHelper.shouldUsePrivilegedAccess()) {
  AccessController.doPrivileged(...);
}

Comment 2 Michael OBrien CLA 2011-01-14 12:00:50 EST
>GlassFish V3 Security Manager Enablement
    Turning on the security manager in GlassFish is very simple.  It is WebLogic that has some issues that we need to look at surrounding any custom JTA datasources and their specific grants.
    Just an fyi that no Grant elements are required in the EAR if you use the default datasource.

<jta-data-source>jdbc/__default</jta-data-source>

>We can use the existing code for both and configure the server on the fly by creating and deleting the following two security properties.
This will simplify partitioning the test suite into secure/unsecured.

asadmin start-domain
asadmin --user admin create-jvm-options -Djava.security.manager
asadmin --user admin create-jvm-options -Declipselink.security.usedoprivileged=true
asadmin stop-domain
asadmin start-domain

>Look for the following log to verify.

[#|2011-01-14T12:18:45.513-0430|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|SEC1001: Security Manager is ON.|#]
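
The create/delete toggle and the log check described in comment 2, sketched as a script. This is an added example, not part of the bug report or the EclipseLink test suite; `ADMIN_USER`, the function names, the timestamp cutoff and the second sample log record are assumptions.

```shell
#!/usr/bin/env bash
# Added example. The asadmin subcommand create-jvm-options and both JVM options
# come from comment 2; delete-jvm-options is its standard asadmin counterpart.
# ADMIN_USER, the function names and the second sample record are assumptions.
ADMIN_USER="${ADMIN_USER:-admin}"
SM_OPTS="-Djava.security.manager -Declipselink.security.usedoprivileged=true"

# Switch a running domain between the secured and unsecured test partitions.
# $1 = on | off. Needs asadmin on PATH; restarts the default domain.
set_secure_mode() {
  local sub opt
  case "$1" in
    on)  sub=create-jvm-options ;;
    off) sub=delete-jvm-options ;;
    *)   echo "usage: set_secure_mode on|off" >&2; return 2 ;;
  esac
  for opt in $SM_OPTS; do
    asadmin --user "$ADMIN_USER" "$sub" "$opt" || return 1
  done
  asadmin stop-domain && asadmin start-domain
}

# Return 0 only if server.log ($1) holds a SEC1001 record stamped at or after
# $2. Timestamps are compared as strings, so $2 must use the log's own format
# and UTC offset. A record left by an earlier secured run then cannot make an
# unsecured (or misconfigured) restart look secured.
security_manager_on_since() {
  awk -F'|' -v since="$2" '
    $1 == "[#" && ($2 "") >= (since "") &&
      $7 ~ /^SEC1001: Security Manager is ON\./ { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Constructed sample: the record from comment 2, then a later made-up record
# standing in for a restart that logged no SEC1001 line.
sample_log() {
  cat <<'EOF'
[#|2011-01-14T12:18:45.513-0430|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|SEC1001: Security Manager is ON.|#]
[#|2011-01-15T09:02:10.101-0430|INFO|glassfish3.0.1|javax.enterprise.system.core|_ThreadID=1;_ThreadName=Thread-1;|constructed record: domain restarted|#]
EOF
}
```

A secured test run would record a timestamp, call `set_secure_mode on`, and fail fast unless `security_manager_on_since` succeeds against the domain's server.log.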

Comment 3 Eclipse Webmaster CLA 2022-06-09 10:34:04 EDT
The Eclipselink project has moved to Github: https://github.com/eclipse-ee4j/eclipselink