Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Equinox » SecurityException when using Apache Derby with Equinox Servletbridge
SecurityException when using Apache Derby with Equinox Servletbridge [message #1220422] Wed, 11 December 2013 11:28 Go to next message
Ken Lee is currently offline Ken Lee
Messages: 97
Registered: March 2012
Member
We encountered a SecurityException in the Eclipse Scout project since we updated our pretty old Equinox servletbridge to version 1.3 to be compatible with the Luna release train.

The sample web-application we deployed to Tomcat 7 has an Apache Derby fragment (with fragment-host = system.bundle) containing the official Derby libraries in version 10.9.1 [1].
A security exception is thrown when the CloseableURLClassLoader calls the method checkForSealedPackage() with the package "org.apache.derby.iapi.services.io" as a parameter.
Having a deeper look at the manifest file in the derby.jar, we found out that the "Sealed" header is set to true. However, the package "org.apache.derby.iapi.services.io" is not listed explicitly as non-sealed in the manifest file so the value of the sealed header is considered.

My understanding of the Sealed header is to guarantee that all classes in a package come from the same code source [2].
In our example the class "org/apache/derby/iapi/services/io/FormatableProperties.class" is loaded first from the derby.jar.
Because the package cannot be found at the beginning (see method defineClass in CloseableURLClassLoader) "definePackage" is called, which does not check for sealed packages.
Later the class "org/apache/derby/iapi/services/io/Formatable.class" is loaded from the same derby.jar. Since the package is known now, the method checkForSealedPackage() is called resulting in a SecurityException.

However, both classes come from the same derby.jar file so I don't understand why I SecurityException should be thrown here.
Shouldn't the checkForSealedPackage() method also consider the parameter jarFileURL in its check?

Anyways, if the check for the sealed packages are correctly implemented, are there any recommendations how we can successfully use the derby.jar in combination with the Equinox servletbridge without having to modify the manifest file in the derby.jar?

Notes: The package org/apache/derby/iapi/services/io/ is not the only one that causes the security exception. there are some more packages that result in the same exception.

Cheers,

Ken

[1] http://git.eclipse.org/c/scout/org.eclipse.scout.rt.git/tree/org.apache.derby.jdbc_1091.fragment
[2] http://docs.oracle.com/javase/tutorial/deployment/jar/sealman.html
Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1220427 is a reply to message #1220422] Wed, 11 December 2013 12:07 Go to previous messageGo to next message
Thomas Watson is currently offline Thomas Watson
Messages: 420
Registered: July 2009
Senior Member
This looks like bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=393407

What build of Luna are you using?
Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1220520 is a reply to message #1220427] Thu, 12 December 2013 05:28 Go to previous messageGo to next message
Ken Lee is currently offline Ken Lee
Messages: 97
Registered: March 2012
Member
We are using Luna M3 that is shipped with the servletbridge version org.eclipse.equinox.servletbridge_1.3.0.v20130927-1541.
We've also tried using some older servletbridges like org.eclipse.equinox.servletbridge_1.2.300.v20130508-1243 (Kepler SR1) or org.eclipse.equinox.servletbridge_1.3.0.v20130718-2032 (Luna M2), unfortunately we experienced the same problem.

I don't think that the "." suffix mentioned in bug 393407 is responsible for the security problem. I suppose that the method checkForSealedPackage() does not check the same as described in the documentation for the sealed header / attribute [1].

The first check is

if (pkg.isSealed() && !pkg.isSealed(jarFileURL))
  throw new SecurityException("The package '" + packageName + "' was previously loaded and is already sealed.");


Package.isSealed() returns if the package contains the sealBase (=URL of the code source). The sealBase is set if the "sealed" header or the package attribute is set to true. This is the case in our example.
Therefore, the first if-block checks if the package was loaded sealed then the sealBase must be identical. Otherwise, a security exception should be thrown, which is correct in my opinion.

Then the manifest file is parsed and checked for an available sealed attribute or sealed header.

The second if-block then checks

if (Boolean.valueOf(sealed).booleanValue())
  throw new SecurityException("The package '" + packageName + "' was previously loaded unsealed. Cannot seal package."); 


This is wrong in my opinion because it does not correspond to the thrown exception message.
The previously loaded package was sealed and since we have the same package that is also sealed, the security exception should not occur.

I suppose that the check should look like

if (!pkg.isSealed() && Boolean.valueOf(sealed).booleanValue())
  throw new SecurityException("The package '" + packageName + "' was previously loaded unsealed. Cannot seal package."); 


This condition would correspond to the exception message.

I'm not sure if an additional check is required to verify whether the previously loaded package is sealed and the new one is unsealed.

if (pkg.isSealed() && !Boolean.valueOf(sealed).booleanValue())
  throw new SecurityException("The package '" + packageName + "' was previously loaded sealed. Cannot unseal package."); 


What do you think? Should I open a bug?

[1] http://docs.oracle.com/javase/tutorial/deployment/jar/sealman.html

[Updated on: Thu, 12 December 2013 05:34]

Report message to a moderator

Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1221288 is a reply to message #1220520] Tue, 17 December 2013 05:10 Go to previous messageGo to next message
Ken Lee is currently offline Ken Lee
Messages: 97
Registered: March 2012
Member
I opened bug 424212 for this issue and pushed the proposed solution to Gerrit

Could a committer have a look?
Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1221358 is a reply to message #1221288] Tue, 17 December 2013 09:09 Go to previous messageGo to next message
Thomas Watson is currently offline Thomas Watson
Messages: 420
Registered: July 2009
Senior Member
Thanks for the contribution. I released your fix and then did an additional change to the logic to avoid touching the manifest when the package was previously sealed. Please test with the latest code.

Thanks.
Re: SecurityException when using Apache Derby with Equinox Servletbridge [message #1221991 is a reply to message #1221358] Thu, 19 December 2013 04:20 Go to previous message
Ken Lee is currently offline Ken Lee
Messages: 97
Registered: March 2012
Member
Thomas Watson wrote on Tue, 17 December 2013 09:09
Thanks for the contribution. I released your fix and then did an additional change to the logic to avoid touching the manifest when the package was previously sealed. Please test with the latest code.

Thanks.


Works perfectly! Thanks for the quick apply of the patch.
Previous Topic:Testing/Debugging Framework Fragements
Next Topic:Is p2 being updated anymore
Goto Forum:
  


Current Time: Fri Aug 01 04:00:13 EDT 2014

Powered by FUDForum. Page generated in 0.02913 seconds