Eclipse Community Forums
SecurityException when using Apache Derby with Equinox Servletbridge [message #1220422] Wed, 11 December 2013 16:28
Ken Lee
We encountered a SecurityException in the Eclipse Scout project since we updated our pretty old Equinox servletbridge to version 1.3 to be compatible with the Luna release train.

The sample web-application we deployed to Tomcat 7 has an Apache Derby fragment (with fragment-host = system.bundle) containing the official Derby libraries in version 10.9.1 [1].
A security exception is thrown when the CloseableURLClassLoader calls the method checkForSealedPackage() with the package "org.apache.derby.iapi.services.io" as a parameter.
Having a deeper look at the manifest file in the derby.jar, we found out that the "Sealed" header is set to true. However, the package "org.apache.derby.iapi.services.io" is not listed explicitly as non-sealed in the manifest file so the value of the sealed header is considered.

My understanding of the Sealed header is to guarantee that all classes in a package come from the same code source [2].
In our example the class "org/apache/derby/iapi/services/io/FormatableProperties.class" is loaded first from the derby.jar.
Because the package cannot be found at the beginning (see method defineClass in CloseableURLClassLoader) "definePackage" is called, which does not check for sealed packages.
Later the class "org/apache/derby/iapi/services/io/Formatable.class" is loaded from the same derby.jar. Since the package is known now, the method checkForSealedPackage() is called resulting in a SecurityException.

However, both classes come from the same derby.jar file so I don't understand why a SecurityException should be thrown here.
Shouldn't the checkForSealedPackage() method also consider the parameter jarFileURL in its check?

Anyways, if the check for the sealed packages is correctly implemented, are there any recommendations on how we can successfully use the derby.jar in combination with the Equinox servletbridge without having to modify the manifest file in the derby.jar?

Note: The package org/apache/derby/iapi/services/io/ is not the only one that causes the security exception. There are some more packages that result in the same exception.

Cheers,

Ken

[1] http://git.eclipse.org/c/scout/org.eclipse.scout.rt.git/tree/org.apache.derby.jdbc_1091.fragment
[2] http://docs.oracle.com/javase/tutorial/deployment/jar/sealman.html
Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1220427 is a reply to message #1220422] Wed, 11 December 2013 17:07
Thomas Watson
This looks like bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=393407

What build of Luna are you using?
Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1220520 is a reply to message #1220427] Thu, 12 December 2013 10:28
Ken Lee
We are using Luna M3 that is shipped with the servletbridge version org.eclipse.equinox.servletbridge_1.3.0.v20130927-1541.
We've also tried using some older servletbridges like org.eclipse.equinox.servletbridge_1.2.300.v20130508-1243 (Kepler SR1) or org.eclipse.equinox.servletbridge_1.3.0.v20130718-2032 (Luna M2), unfortunately we experienced the same problem.

I don't think that the "." suffix mentioned in bug 393407 is responsible for the security problem. I suppose that the method checkForSealedPackage() does not check the same as described in the documentation for the sealed header / attribute [1].

The first check is

if (pkg.isSealed() && !pkg.isSealed(jarFileURL))
  throw new SecurityException("The package '" + packageName + "' was previously loaded and is already sealed.");


Package.isSealed() returns if the package contains the sealBase (=URL of the code source). The sealBase is set if the "sealed" header or the package attribute is set to true. This is the case in our example.
Therefore, the first if-block checks if the package was loaded sealed then the sealBase must be identical. Otherwise, a security exception should be thrown, which is correct in my opinion.

Then the manifest file is parsed and checked for an available sealed attribute or sealed header.

The second if-block then checks

if (Boolean.valueOf(sealed).booleanValue())
  throw new SecurityException("The package '" + packageName + "' was previously loaded unsealed. Cannot seal package."); 


This is wrong in my opinion because it does not correspond to the thrown exception message.
The previously loaded package was sealed and since we have the same package that is also sealed, the security exception should not occur.

I suppose that the check should look like

if (!pkg.isSealed() && Boolean.valueOf(sealed).booleanValue())
  throw new SecurityException("The package '" + packageName + "' was previously loaded unsealed. Cannot seal package."); 


This condition would correspond to the exception message.

I'm not sure if an additional check is required to verify whether the previously loaded package is sealed and the new one is unsealed.

if (pkg.isSealed() && !Boolean.valueOf(sealed).booleanValue())
  throw new SecurityException("The package '" + packageName + "' was previously loaded sealed. Cannot unseal package."); 


What do you think? Should I open a bug?

[1] http://docs.oracle.com/javase/tutorial/deployment/jar/sealman.html

[Updated on: Thu, 12 December 2013 10:34]
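
The two forms of the second check discussed in this post, run side by side, as an added example that is not part of the original thread or the Equinox code base. The class name, harness, jar paths and shortened messages are constructed; only the two conditions come from the post.

```java
import java.net.URI;
import java.net.URL;

// Added illustration, not Equinox source. Only the second-check conditions come from the thread.
public class SealCheckDemo extends ClassLoader {

    // First check, identical in both variants: a sealed package only accepts its own code source.
    static void sameSource(Package pkg, URL jarFileURL) {
        if (pkg.isSealed() && !pkg.isSealed(jarFileURL))
            throw new SecurityException("previously loaded and is already sealed");
    }

    // Second check as quoted from the servletbridge: looks only at the new jar's Sealed value.
    static void asShipped(Package pkg, URL jarFileURL, boolean sealed) {
        sameSource(pkg, jarFileURL);
        if (sealed)
            throw new SecurityException("previously loaded unsealed, cannot seal package");
    }

    // Second check as proposed in the post: also requires that the known package is unsealed.
    static void asProposed(Package pkg, URL jarFileURL, boolean sealed) {
        sameSource(pkg, jarFileURL);
        if (!pkg.isSealed() && sealed)
            throw new SecurityException("previously loaded unsealed, cannot seal package");
    }

    interface Check { void run(Package pkg, URL jar, boolean sealed); }

    static String outcome(Check check, Package pkg, URL jar, boolean sealed) {
        try { check.run(pkg, jar, sealed); return "allowed"; }
        catch (SecurityException e) { return "rejected (" + e.getMessage() + ")"; }
    }

    public static void main(String[] args) throws Exception {
        URL derby = URI.create("file:/constructed/derby.jar").toURL();   // constructed paths
        URL other = URI.create("file:/constructed/other.jar").toURL();
        SealCheckDemo cl = new SealCheckDemo();
        Package sealedPkg = cl.definePackage("org.apache.derby.iapi.services.io",
                null, null, null, null, null, null, derby);              // sealBase = derby.jar
        Package openPkg = cl.definePackage("constructed.unsealed",
                null, null, null, null, null, null, null);               // defined without a seal
        Object[][] cases = {
            {"same jar, package already sealed", sealedPkg, derby, true},
            {"other jar, package already sealed", sealedPkg, other, true},
            {"sealed jar, package known unsealed", openPkg, other, true},
        };
        for (Object[] c : cases)
            System.out.println(c[0] + " | shipped: " + outcome(SealCheckDemo::asShipped, (Package) c[1], (URL) c[2], (Boolean) c[3])
                    + " | proposed: " + outcome(SealCheckDemo::asProposed, (Package) c[1], (URL) c[2], (Boolean) c[3]));
    }
}
```

Only the first case differs between the two variants: a second class from the same sealed jar is rejected by the shipped condition and allowed by the proposed one, while a class from a different jar and an attempt to seal a package already known as unsealed are rejected by both.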


Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1221288 is a reply to message #1220520] Tue, 17 December 2013 10:10
Ken Lee
I opened bug 424212 for this issue and pushed the proposed solution to Gerrit.

Could a committer have a look?
Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1221358 is a reply to message #1221288] Tue, 17 December 2013 14:09
Thomas Watson
Thanks for the contribution. I released your fix and then did an additional change to the logic to avoid touching the manifest when the package was previously sealed. Please test with the latest code.

Thanks.
Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1221991 is a reply to message #1221358] Thu, 19 December 2013 09:20
Ken Lee
Thomas Watson wrote on Tue, 17 December 2013 09:09
Thanks for the contribution. I released your fix and then did an additional change to the logic to avoid touching the manifest when the package was previously sealed. Please test with the latest code.

Thanks.


Works perfectly! Thanks for the quick apply of the patch.