Closed dhx closed 2 years ago
I guess this is rather a question for https://github.com/jruby/jruby. I wonder though why a web app does not have read access to its own classes directory?
That's the thing, the webapp (that is the code in the classes / jars in the ${catalina.base}/webapps/... directory) does have its own policy entry granting access to itself already, BUT jruby seems to put the temporary jar files in the jvm wide configured temp directory (in our case in ${catalina.base}/temp/jruby-1/jruby2507730441833188943psych.jar) and code in those jar files is not covered by the policy the tomcat container has already in place for its webapps (which makes sense to me - what sense does a security policy have when code lying in the global temp directory is not restricted...).
Anyway if you don't see a way this can somehow be addressed at the asciidoc layer - I'll try at the next layer - jruby then: https://github.com/jruby/jruby/issues/6314
@robertpanzer the issue seems to be fixed now in jruby 9.3 with a new configuration option to specify the temporary directory to unpack the nested jars to 'ji.nested.jar.tmpdir' ( https://github.com/jruby/jruby/pull/6330/files ). Are there any plans to update asciidoctorj-pdf to a newer jruby version?
The PR that you pointed to doesn't seem to be released yet. If I didn't look wrong the last release right now is 9.2.13.0. While that PR was also merged into the jruby 9.2 branch it doesn't seem to be there yet either.
Asciidoctorj-pdf does not have its own dependency on jruby, but asciidoctorj has. If a new version of jruby is released you should be able to override the version. There haven't been any issues with upgrading jruby recently.
@robertpanzer thanks for your fast response and the info about upgrading the jruby dependency :+1:
Closing as asciidoctorj is at jruby 9.3.4.0 meanwhile
Using asciidoctorj-pdf in a tomcat webapp (alfresco 6.2) we're running into issues when trying to generate a pdf.
The Environment is:
And the dependencies we use:
Analyzing the stacktrace it seems the SecurityManager is denying access to a pom file:
The problem goes away when adding permissions in the java policy file to the temporary generated jar files jruby uses here apparently:
I'm not happy doing this though as I'm not sure the postfix to the jruby folder here will always be "-1" and it seems I'm unable to add wildcards at this level, the current rule (overly permissive) I'm using to get it working is:
Do you see any possible thing we can do to make this more secure? (e.g. having a specific temporary directory for those temporary jar files, or a way to not have them used at all?)