Bug 333368 - Server Test: container managed apps require Security Manager enabled testing for GlassFish,WebLogic, WebSphere, JBoss
Status: NEW
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: Eclipselink
Version: unspecified
Hardware: PC Windows 7
Importance: P2 enhancement
Target Milestone: ---
Assignee: Nobody - feel free to take it CLA
QA Contact:
URL: http://wiki.eclipse.org/EclipseLink/E...
Whiteboard:
Keywords:
Depends on: 332312
Blocks: 316513 331162 333336
Reported: 2010-12-31 15:52 EST by Michael OBrien CLA
Modified: 2022-06-09 10:34 EDT

See Also:
michael.f.obrien: documentation+


Description Michael OBrien CLA 2010-12-31 15:52:34 EST
The existing server tests should be run with security turned on in GlassFish, WebLogic, JBoss and WebSphere, as we only now (29 Dec 2010) caught security issues during session deploy() on @PersistenceContext injection for code that was put into the stream back in July 2010.

>Several security issues came up recently when EclipseLink was run with container security on.
GlassFish V 3.1 encountered several security API exceptions, including the one in bug # 333336.
WebLogic also had issues when the server was run in production mode with security on instead of our development mode, which is usually run during R&D.

>It would be better if we caught these security issues before external groups notified us during integration testing at the end of the release cycle.
Comment 1 Michael OBrien CLA 2011-01-04 10:20:02 EST
>Most issues will occur on predeploy()/deploy() of existing EARs with security on.
>Specifically GlassFish with the SecurityManager turned on, so the following code blocks execute:

import java.security.AccessController;
import org.eclipse.persistence.internal.security.PrivilegedAccessHelper;
if (PrivilegedAccessHelper.shouldUsePrivilegedAccess()) {
  AccessController.doPrivileged(...);
}
Comment 2 Michael OBrien CLA 2011-01-14 12:00:50 EST
>GlassFish V3 Security Manager Enablement
    Turning on the security manager in GlassFish is very simple.  It is WebLogic that has some issues that we need to look at surrounding any custom JTA datasources and their specific grants
    Just an fyi that no Grant elements are required in the EAR if you use the default datasource.

<jta-data-source>jdbc/__default</jta-data-source>

>We can use the existing code for both and configure the server on the fly by creating and deleting the following two security properties.
This will simplify partitioning the test suite into secure/unsecured.

asadmin start-domain
asadmin --user admin create-jvm-options -Djava.security.manager
asadmin --user admin create-jvm-options -Declipselink.security.usedoprivileged=true
asadmin stop-domain
asadmin start-domain

>Look for the following log to verify.

[#|2011-01-14T12:18:45.513-0430|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|SEC1001: Security Manager is ON.|#]
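Added example, not part of the comment above or of the EclipseLink test suite: a sketch of the create/delete toggle from Comment 2 with a log check that reads only the newest Security Manager record, so a stale SEC1001 line from an earlier secured boot does not pass the check. The function names are hypothetical, `delete-jvm-options` is the asadmin counterpart of `create-jvm-options`, the server.log path is supplied by the caller, and the OFF record in the sample log is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes asadmin is on PATH.

SEC_OPTS="-Djava.security.manager -Declipselink.security.usedoprivileged=true"

# Apply create-jvm-options or delete-jvm-options to both options, then restart
# the domain so the JVM picks up the change.
toggle_security_opts() {  # $1 = create-jvm-options | delete-jvm-options
  for opt in $SEC_OPTS; do
    asadmin --user admin "$1" "$opt" || return 1
  done
  asadmin stop-domain && asadmin start-domain
}

# Succeeds only if the newest "Security Manager is ..." record in the given
# server.log is SEC1001. A plain grep for SEC1001 would also match a stale
# record left by an earlier secured boot.
security_manager_is_on() {  # $1 = path to server.log
  last=$(grep 'Security Manager is' "$1" | tail -n 1)
  case "$last" in
    *'SEC1001: Security Manager is ON.'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample log: first boot secured, second boot not. The OFF wording
# is an assumption for illustration; only the ON record is quoted in the report.
write_sample_log() {  # $1 = output path
  cat > "$1" <<'EOF'
[#|2011-01-14T12:18:45.513-0430|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|SEC1001: Security Manager is ON.|#]
[#|2011-01-14T13:02:10.101-0430|INFO|glassfish3.0.1|javax.enterprise.system.core.security.com.sun.enterprise.security|_ThreadID=11;_ThreadName=Thread-1;|SEC1002: Security Manager is OFF.|#]
EOF
}

# Secured test partition (hypothetical wiring, $LOG chosen by the caller):
#   toggle_security_opts create-jvm-options && security_manager_is_on "$LOG"
# Unsecured partition:
#   toggle_security_opts delete-jvm-options
```

Running the secured partition only after `security_manager_is_on` succeeds keeps a misconfigured domain from silently passing as a security-enabled run.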
Comment 3 Eclipse Webmaster CLA 2022-06-09 10:34:04 EDT
The Eclipselink project has moved to Github: https://github.com/eclipse-ee4j/eclipselink