yangxu998 / guava-libraries

Automatically exported from code.google.com/p/guava-libraries
Apache License 2.0

com.google.common.base.internal.Finalizer security violation on Websphere 7 #666

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi, since google-collection.jar is discontinued and renamed as guava, I guess I 
would ask here.  When our application is deployed on WebSphere 7, a Java 2 
security violation is thrown for Finalizer.

[11/16/10 11:38:02:825 EST] 0000001d SecurityManag W   SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to InfoCenter for further information.

Permission:

      accessDeclaredMembers : Access denied (java.lang.RuntimePermission accessDeclaredMembers)

Code:

     com.google.common.base.internal.Finalizer  in  {wsjar:file:/proj/fmms/was/install/fmms_TeamConnect-3.2.0.1.ear/TeamConnect-3.2.0.1.war/WEB-INF/lib/google-collections-1.0.jar!/}

We opened a ticket with IBM to investigate why 
com.ibm.ws.security.core.SecurityManager.checkPermission() wouldn't find 
Permissions we granted for Finalizer in was.policy file.  IBM said the way that 
google computes the BaseURL for loading Finalizer has 'wsjar:file:' as protocol 
instead of 'file:'.

IBM Lev3 updated the PMR.

==

1.  The codesource URL for the class is:
wsjar:file:/proj/fmms/was/install/fmms_TeamConnect-3.2.0.1.ear/TeamConnect-3.2.0.1.war/WEB-INF/lib/google-collections-1.0.jar!/

2.  The codesource security is expecting is:
file:/proj/fmms/was/install/fmms_TeamConnect-3.2.0.1.ear/TeamConnect-3.2.0.1.war/WEB-INF/lib/google-collections-1.0.jar

So the problem is the "wsjar:" and the "!/".

CompoundClassloader is not adding or appending any of those values.
When we set the codesource we do a getURL call.
From looking at the code:

     URL finalizerUrl = getClass().getClassLoader().getResource(finalizerPath);

We see it is using getResource.
The finalizer path at that point would be:
wsjar:file:/proj/fmms/was/install/fmms_TeamConnect-3.2.0.1.ear/TeamConnect-3.2.0.1.war/WEB-INF/lib/google-collections-1.0.jar!/<Whatever the path within the jar, like com/foo/MyFoos.class>

Next we see the code remove <Whatever the path within the jar...> from
the URL string:

     urlString = urlString.substring(0, urlString.length() - finalizerPath.length());

So my understanding is the sample code needs to consider this and finish
the truncation (removing the protocol which is wsjar:).  Additionally,
they only removed the class from the end of the string, and did not
remove the markers of !/ which java uses to specify the root folder
within the jar file.

Thank you for using IBM products and support.
http://www.ibm.com/support 
END of IBM Lev3 updated the PMR.

Could you please let us know if google would fix the way BaseURL is calculated 
in DecoupledLoader?

Thanks,
Dean

Original issue reported on code.google.com by dh6...@gmail.com on 20 Jul 2011 at 4:35
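
The truncation quoted in the PMR above, next to a version that finishes it so the result has the form a `file:` codeBase grant is compared against. This is an added example, not Guava's or IBM's code; the class and method names, the wrapper-scheme list and the shortened sample paths are assumptions made for illustration.

```java
public class CodeSourceUrlDemo {
    // Archive wrapper schemes that prefix a nested URL. "wsjar:" is the one in the
    // report, "jar:" is the standard JDK form. The list is an assumption of this example.
    private static final String[] WRAPPER_SCHEMES = {"wsjar:", "jar:"};

    /** The truncation quoted in the PMR: only the resource path is cut off the end. */
    static String truncateOnly(String resourceUrl, String resourcePath) {
        if (!resourceUrl.endsWith(resourcePath)) {
            throw new IllegalArgumentException("URL does not end with " + resourcePath);
        }
        return resourceUrl.substring(0, resourceUrl.length() - resourcePath.length());
    }

    /** Finishes the truncation: also drops the "!/" entry separator and the wrapper scheme. */
    static String toCodeSourceLocation(String resourceUrl, String resourcePath) {
        String base = truncateOnly(resourceUrl, resourcePath);
        if (!base.endsWith("!/")) {
            return base; // not inside an archive, e.g. an exploded classes directory
        }
        base = base.substring(0, base.length() - 2);
        for (String scheme : WRAPPER_SCHEMES) {
            if (base.startsWith(scheme)) {
                return base.substring(scheme.length());
            }
        }
        return base;
    }

    public static void main(String[] args) {
        // Constructed sample input modelled on the URL in the report (path shortened).
        String path = "com/google/common/base/internal/Finalizer.class";
        String jarUrl = "wsjar:file:/opt/app/WEB-INF/lib/google-collections-1.0.jar!/" + path;
        String dirUrl = "file:/opt/app/WEB-INF/classes/" + path;

        // Still carries "wsjar:" and "!/", so it does not equal the file: URL in the policy.
        System.out.println("truncated : " + truncateOnly(jarUrl, path));
        // Plain file: URL of the jar, the form the PMR says security is expecting.
        System.out.println("normalized: " + toCodeSourceLocation(jarUrl, path));
        // A directory URL passes through with only the class path removed.
        System.out.println("directory : " + toCodeSourceLocation(dirUrl, path));
    }
}
```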


GoogleCodeExporter commented 9 years ago
All the classes that start with "Finaliz" in Guava are being phased out. 
They're trouble in many ways.

Original comment by kevinb@google.com on 21 Jul 2011 at 5:16

GoogleCodeExporter commented 9 years ago
Thanks Kevin for the response.  So I guess in Guava, MapMaker class doesn't use 
FinalizableReferenceQueue as QueueHolder as google-collection.jar did?  Our 
product is not using Finaliz classes directly but we use MapMaker to create 
weak reference ConcurrentHashMap.

Original comment by dh6...@gmail.com on 24 Jul 2011 at 6:26

GoogleCodeExporter commented 9 years ago
This class is deprecated, and is no longer used inside of Guava as of release 
10.

Original comment by fry@google.com on 28 Jul 2011 at 5:24

GoogleCodeExporter commented 9 years ago
This issue has been migrated to GitHub.

It can be found at https://github.com/google/guava/issues/<id>

Original comment by cgdecker@google.com on 1 Nov 2014 at 4:15

GoogleCodeExporter commented 9 years ago

Original comment by cgdecker@google.com on 3 Nov 2014 at 9:09