What steps will reproduce the problem?
1. Try to set the default security manager (without adding any additional
permissions)
2. Try to unmarshall a simple JSON string to a Java object which includes access
to private fields
What is the expected output? What do you see instead?
The JSON string should be unmarshalled without any problems but
AccessControlException is thrown due to missing permissions for using
reflection and accessing the context classloader within the GSON library.
What version of the product are you using? On what operating system?
Issue is not dependent currently on the version of the library and OS
(reproduced with 2.2.5)
Please provide any additional information below.
The issue occurs in the following scenario: The GSON library is used as an OSGi
bundle installed as a system bundle (meaning it has AllPrivileges). When
another OSGi bundle tries to use the GSON system bundle it fails if it does not
have additional permissions (such as ReflectPermissions that allow the GSON
library to do the unmarshalling) - this is a result of the intersection of the
protection domains of the application bundle and the GSON bundle (implied by
the security architecture of the JDK). A patch for the library is also attached
with unit tests that provide an overview of the issue outside the context of
OSGi (or another managed environment such as J2EE server, Applet [2, 3], Google
AppEngine [1] - issue will be reproducible in such a context as well).
References:
[1] http://stackoverflow.com/questions/3002714/gson-on-google-app-engine-throws-a-security-exception
[2] http://stackoverflow.com/questions/2788017/reflection-permission-problems-when-using-the-gson-library-in-a-applet
[3] http://stackoverflow.com/questions/3850859/java-using-gson-in-an-applet-causes-securityexception
[4] https://code.google.com/p/google-gson/issues/detail?id=344
[5] https://groups.google.com/forum/#!topic/google-gson/2TKlp619p2w
[6] https://code.google.com/p/google-gson/issues/detail?id=445
Original issue reported on code.google.com by marto8...@gmail.com on 18 Mar 2014 at 6:11
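
The protection-domain intersection described in the report, as an added example that is not part of the original issue or its attached patch: the same reflective field access is checked once under an unprivileged caller's context and once inside a doPrivileged block owned by fully privileged code. Assumptions: the class and field names are constructed, the custom Policy stands in for the AllPermission system bundle, the empty ProtectionDomain stands in for the application bundle, and doPrivileged is used as the JDK's general mechanism for asserting a library's own permissions. It needs a JDK where the Security Manager can still be installed (JDK 17 or earlier, or JDK 18 to 23 started with -Djava.security.manager=allow).

```java
import java.lang.reflect.Field;
import java.security.*;

public class DomainIntersectionDemo {
    static class Bean { private int x = 7; }   // constructed sample type

    // What a reflective unmarshaller does: open and read a private field.
    static int readPrivate(Object o) throws Exception {
        Field f = o.getClass().getDeclaredField("x");
        f.setAccessible(true);   // checks ReflectPermission("suppressAccessChecks")
        return f.getInt(o);
    }

    public static void main(String[] args) throws Exception {
        final Bean bean = new Bean();
        // Stand-in for the privileged library: policy grants this class everything.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        // Stand-in for the application bundle: a domain holding no permissions.
        AccessControlContext caller = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

        // Both actions are built before the security manager is installed.
        final PrivilegedExceptionAction<Integer> asLibrary = () -> readPrivate(bean);
        final boolean[] allowed = new boolean[2];
        PrivilegedAction<Void> asCaller = () -> {
            // Direct call: the check covers this class AND the caller's empty domain.
            try { readPrivate(bean); allowed[0] = true; }
            catch (Exception e) { allowed[0] = false; }
            // Nested doPrivileged: the stack walk stops at this class's own domain.
            try { allowed[1] = AccessController.doPrivileged(asLibrary) == 7; }
            catch (Exception e) { allowed[1] = false; }
            return null;
        };

        System.setSecurityManager(new SecurityManager());
        AccessController.doPrivileged(asCaller, caller);   // run restricted by 'caller'
        System.out.println("reflection under caller's context:   "
            + (allowed[0] ? "allowed" : "denied"));
        System.out.println("reflection inside doPrivileged block: "
            + (allowed[1] ? "allowed" : "denied"));
    }
}
```

A doPrivileged block lends the library's permissions to whatever code reaches it, so it should wrap only the reflective call itself and never caller-supplied callbacks.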