Java Mailing List Archive

http://www.junlu.com/

Home » Home (12/2007) » Tomcat Users »

Re: java.lang.ClassCircularityError

Jean-Francois Arcand

2004-05-19

Replies:



Viktor Matic wrote:

>On Wed, 2004-05-19 at 17:23, Jeanfrancois Arcand wrote:
>
>
>
>>Well, take a look at org.apache.catalina.security.SecurityUtil. I am
>>setting the Subject/AccessControlContext there. I think that might cause
>>your problem, but I need more info ;-). AnybodyPrincipal is trying to do
>>what?
>>
>>-- Jeanfrancois
>>  
>>
>Thanks for fast replay.
>I'll check org.apache.catalina.security.SecurityUtil.
>Problem is manifested in line 65 of class SimpeGroup and this line
>checks is group member instance of AnybodyPrincipal
>
>isMember = (member instanceof com.ingemark.security.AnybodyPrincipal)
>
>The AnybodyPrincipal is a simple class which returns true if it is
>compared to any real principal. But I think that real problem is not in
>implementation of this class than more likely in the class loader which
>tests permissions to read this particular class. For example if I
>comment out line 65 (which is not crucial for this test) and try it
>again ClassCircularityError arise on different place, as it can be seen
>in the following error stack dump:
>
>java.lang.ClassCircularityError:
>com/ingemark/experiments/PermissionName$NameLengthComparator
>  com.ingemark.experiments.NamespacePermissionCollection.<init>(NamespacePermissionCollection.java:22)
>  com.ingemark.experiments.NamespacePermission.newPermissionCollection(NamespacePermission.java:66)
>  java.security.Permissions.getPermissionCollection (Permissions.java:245)
>  java.security.Permissions.add (Permissions.java:110)
>  com.ingemark.security.PolicyEntry.getPermissions(PolicyEntry.java:50)
>  com.ingemark.security.AuthorizationInfo.getPermissions(AuthorizationInfo.java:73)
>  com.ingemark.security.SecurityPolicy.getPermissions(SecurityPolicy.java:95)
>  java.security.Policy.implies (Policy.java:397)
>  java.security.ProtectionDomain.implies (ProtectionDomain.java:189)
>  java.security.AccessControlContext.checkPermission (AccessControlContext.java:254)
>  java.security.AccessController.checkPermission (AccessController.java:401)
>  java.lang.SecurityManager.checkPermission (SecurityManager.java:524)
>  java.lang.SecurityManager.checkRead (SecurityManager.java:863)
>  java.io.File.exists (File.java:678)
>  org.apache.naming.resources.FileDirContext.file (FileDirContext.java:826)
>  org.apache.naming.resources.FileDirContext.lookup (FileDirContext.java:208)
>  org.apache.naming.resources.ProxyDirContext.lookup (ProxyDirContext.java:287)
>  org.apache.catalina.loader.WebappClassLoader.findResourceInternal (WebappClassLoader.java:1707)
>  org.apache.catalina.loader.WebappClassLoader.findClassInternal (WebappClassLoader.java:1575)
>  org.apache.catalina.loader.WebappClassLoader.findClass (WebappClassLoader.java:860)
>  org.apache.catalina.loader.WebappClassLoader.loadClass (WebappClassLoader.java:1307)
>  org.apache.catalina.loader.WebappClassLoader.loadClass (WebappClassLoader.java:1189)
>  java.lang.ClassLoader.loadClassInternal (ClassLoader.java:302)
>  com.ingemark.experiments.NamespacePermissionCollection.<init>(NamespacePermissionCollection.java:22)
>  com.ingemark.experiments.NamespacePermission.newPermissionCollection(NamespacePermission.java:66)
>  java.security.Permissions.getPermissionCollection (Permissions.java:245)
>  java.security.Permissions.add (Permissions.java:110)
>  com.ingemark.security.PolicyEntry.getPermissions(PolicyEntry.java:50)
>  com.ingemark.security.AuthorizationInfo.getPermissions(AuthorizationInfo.java:73)
>  com.ingemark.security.SecurityPolicy.getPermissions(SecurityPolicy.java:95)
>  java.security.Policy.implies (Policy.java:397)
>  java.security.ProtectionDomain.implies (ProtectionDomain.java:189)
>  java.security.AccessControlContext.checkPermission (AccessControlContext.java:254)
>  java.security.AccessController.checkPermission (AccessController.java:401)
>  com.ingemark.experiments.ServletSec$SecuredActions.run(ServletSec.java:207)
>  java.security.AccessController.doPrivileged(Native Method)
>  javax.security.auth.Subject.doAsPrivileged (Subject.java:437)
>  com.ingemark.experiments.ServletSec.service(ServletSec.java:181)
>  javax.servlet.http.HttpServlet.service (HttpServlet.java:810)
>  sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>  sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:39)
>  sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:25)
>  java.lang.reflect.Method.invoke (Method.java:324)
>  org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:241)
>  java.security.AccessController.doPrivileged(Native Method)
>  javax.security.auth.Subject.doAsPrivileged (Subject.java:500)
>  org.apache.catalina.security.SecurityUtil.execute (SecurityUtil.java:263)
>  org.apache.catalina.security.SecurityUtil.doAsPrivilege (SecurityUtil.java:157)
>
>This time execution breaks on different place but in a same conditions catalina class loader tries to load the class
>(com/ingemark/experiments/PermissionName$NameLengthComparator) and loops there checking read permission.
>
>Here is peace of servlet code which triggers this behavior
>..
>  /*This line is in servlet service method*/
>  Subject.doAsPrivileged(subject, new SecuredActions(), null );
>
>
Yes, that's probably the problem since SecurityUtil has already set that
value. The AccesControlContext already has the Subject attached to it.
You may want to try:

Subject.getSubject(AccessController.getContext());

and then use that subject to call:

Subject.doAsPrivileged(subject, new SecuredActions(), null );

Let me know what you get.

Thanks

-- Jeanfrancois



>..
>
>/*this is inner class of servlet class*/
>  static class SecuredActions implements PrivilegedAction
>  {
>
>    public Object run()
>    {
>      log.info( "Subject within Secured action:"
>          + Subject.getSubject( AccessController.getContext() ) );
>      log.info( "Check subject with action="+action + " and target=" + target);
>      Permission p = new NamespacePermission( target, action );
>      AccessController.checkPermission( p ); /* <--- this line triggers error ServletSec.java:207 */
>      log.info( "User has permission to execute action" );
>      return null;
>    }
>
>  }
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
>For additional commands, e-mail: tomcat-user-help@(protected)
>
>
>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)

©2008 junlu.com - Jax Systems, LLC, U.S.A.