107847 – [osgi] Security Error in URL Stream Handler

Bug 107847 - [osgi] Security Error in URL Stream Handler

Summary: [osgi] Security Error in URL Stream Handler

Status:	RESOLVED FIXED

Alias:	None

Product:	Platform
Classification:	Eclipse Project
Component:	Runtime (show other bugs)
Version:	3.1
Hardware:	PC Windows XP

Importance:	P3 major (vote)
Target Milestone:	3.1.1
Assignee:	Thomas Watson
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-08-24 10:23 EDT by Tom Musta
Modified:	2005-08-26 10:48 EDT (History)
CC List:	2 users (show)

See Also:

Attachments
Proposed fix (5.30 KB, patch) 2005-08-24 13:04 EDT, Thomas Watson	no flags	Details \| Diff
Better proposed fix (5.32 KB, patch) 2005-08-25 09:27 EDT, Thomas Watson	no flags	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Tom Musta

2005-08-24 10:23:11 EDT

This is the same problem reported by bug 90980.  I've looked through
the code and don't see any doPrivs (nor do they show up in the stack
trace below).  Perhaps the fix was dropped?   

A fix for this in 3.1.1 or 3.1.2 would be quite helpful.

Here is the stack trace:

java.security.AccessControlException: Access denied
(org.osgi.framework.ServicePermission
org.osgi.service.url.URLStreamHandlerService get)
	at java.security.AccessController.checkPermission(AccessController.java:107)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
	at
com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:188)
	at
org.eclipse.osgi.framework.internal.core.Framework.checkGetServicePermission(Framework.java:1300)
	at
org.eclipse.osgi.framework.internal.core.Framework.getServiceReferences(Framework.java:1174)
	at
org.eclipse.osgi.framework.internal.core.BundleContextImpl.getServiceReferences(BundleContextImpl.java:718)
	at
org.osgi.util.tracker.ServiceTracker.getInitialReferences(ServiceTracker.java:305)
	at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:264)
	at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:218)
	at
org.eclipse.osgi.framework.internal.protocol.URLStreamHandlerProxy.<init>(URLStreamHandlerProxy.java:61)
	at
org.eclipse.osgi.framework.internal.protocol.StreamHandlerFactory.createURLStreamHandler(StreamHandlerFactory.java:110)
	at java.net.URL.getURLStreamHandler(URL.java:1137)
	at java.net.URL.<init>(URL.java:605)
	at java.net.URL.<init>(URL.java:497)
	at java.net.URL.<init>(URL.java:446)
	at com.acme.foo.TestUrlEJB.performTests(TestUrlEJB.java)

Comment 1 Thomas Watson

2005-08-24 10:58:08 EDT

I will investigate ...

Comment 2 Thomas Watson

2005-08-24 13:04:07 EDT

Created attachment 26413 [details]
Proposed fix

wraps doPriv around calls to ServiceTracker.open and System.getProperty

Comment 3 Thomas Watson

2005-08-24 13:05:41 EDT

I want to get confirmation from Tom Musta that this patch fixes his problem.  

Pascal, please review patch for 3.1.1 once Tom confirms the fix.  Thanks.

Comment 4 Tom Musta

2005-08-24 16:35:27 EDT

I've tested out the change made by Thomas and it works.

Comment 5 Thomas Watson

2005-08-24 17:09:38 EDT

Fix released in HEAD (3.2).  Waiting for review from Pascal for 3.1.1 
maintenance release.

Comment 6 Michael Fraenkel

2005-08-25 06:49:02 EDT

Aren't you now opening the Tracker twice when you have no SecurityManager installed?

Comment 7 Thomas Watson

2005-08-25 09:14:38 EDT

Yes, Michael we are.  Nice catch, thanks!  I will post a new patch.

Comment 8 Thomas Watson

2005-08-25 09:27:59 EDT

Created attachment 26445 [details]
Better proposed fix

Modified fix to avoid opening the ServiceTracker object twice.

Comment 9 Pascal Rapicault

2005-08-26 09:56:04 EDT

This is good to go.

Comment 10 Thomas Watson

2005-08-26 10:48:49 EDT

Fixed in 3.1 maintenance branch and HEAD.