The Source for Java Technology Collaboration

Home » java.net Forums » GlassFish » GlassFish

Thread: security error when trying to deploy a resource connector

Welcome, Guest Help
Login Login
Guest Settings Guest Settings
This question is not answered. Helpful answers available: 2. Correct answers available: 1.

Reply to this Thread Reply to this Thread Search Forum Search Forum Back to Thread List Back to Thread List

Permlink Replies: 5 - Last Post: May 22, 2008 8:33 AM by: monzillo
fbratu

Posts: 9
security error when trying to deploy a resource connector
Posted: May 21, 2008 4:27 AM 		 
  Click to reply to this thread Reply

Hello!

I have developed a resource archive - proactive.rar - and I want to deploy it on Glassfish. The resource adapter creates an RMI object, so it needs to have security permissions enabled. So, I modified the policy file like this:

// permission for ProActive Connector
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/proactive/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${com.sun.aas.instanceRoot}/autodeploy/proactive.rar" {
permission java.security.AllPermission;
};

One note here: I deploy by copying proactive.rar into the autodeploy directory.

The problem is that I always get a StackOverflowError when I start Glassfish. Here is a portion of the stack trace:

[#|2008-05-19T16:50:05.674+0200|SEVERE|sun-appserver9.1|javax.enterprise.resource.resourceadapter|_ThreadID=15;_ThreadName=Timer-6;_RequestID=79724524-bb66-455b-b18d-46b17598fa6a;|RAR6035 : Resource adapter start failed : {0}
java.lang.StackOverflowError
at sun.security.provider.PolicyFile.canonPath(PolicyFile.java:1842)
at java.io.FilePermission$1.run(FilePermission.java:186)
at java.io.FilePermission$1.run(FilePermission.java:183)
at java.security.AccessController.doPrivileged(Native Method)
at java.io.FilePermission.init(FilePermission.java:183)
at java.io.FilePermission.<init>(FilePermission.java:249)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.isDirectory(File.java:752)
at sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:242)
at com.sun.enterprise.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1827)
at com.sun.enterprise.security.provider.PolicyFile.access$700(PolicyFile.java:296)
at com.sun.enterprise.security.provider.PolicyFile$5.run(PolicyFile.java:1253)
at com.sun.enterprise.security.provider.PolicyFile$5.run(PolicyFile.java:1252)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.enterprise.security.provider.PolicyFile.getPermissions(PolicyFile.java:1250)
at com.sun.enterprise.security.provider.PolicyFile.getPermissions(PolicyFile.java:1198)
at com.sun.enterprise.security.provider.PolicyFile.implies(PolicyFile.java:1153)
at com.sun.enterprise.security.provider.BasePolicyWrapper.doImplies(BasePolicyWrapper.java:383)
at com.sun.enterprise.security.provider.BasePolicyWrapper.implies(BasePolicyWrapper.java:243)
at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.isDirectory(File.java:752)
at sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:242)
at com.sun.enterprise.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1827)
at com.sun.enterprise.security.provider.PolicyFile.access$700(PolicyFile.java:296)
at com.sun.enterprise.security.provider.PolicyFile$5.run(PolicyFile.java:1253)
at com.sun.enterprise.security.provider.PolicyFile$5.run(PolicyFile.java:1252)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.enterprise.security.provider.PolicyFile.getPermissions(PolicyFile.java:1250)
at com.sun.enterprise.security.provider.PolicyFile.getPermissions(PolicyFile.java:1198)
at com.sun.enterprise.security.provider.PolicyFile.implies(PolicyFile.java:1153)
at com.sun.enterprise.security.provider.BasePolicyWrapper.doImplies(BasePolicyWrapper.java:383)
at com.sun.enterprise.security.provider.BasePolicyWrapper.implies(BasePolicyWrapper.java:243)
at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.isDirectory(File.java:752)
at sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:242)
at com.sun.enterprise.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1827)
at com.sun.enterprise.security.provider.PolicyFile.access$700(PolicyFile.java:296)
at com.sun.enterprise.security.provider.PolicyFile$5.run(PolicyFile.java:1253)
at com.sun.enterprise.security.provider.PolicyFile$5.run(PolicyFile.java:1252)
at java.security.AccessController.doPrivileged(Native Method)

I attach the whole server.log file to this message. I've compressed it, as it is too large - 1 Mb in size.
As can be seen from the stack trace, the problem seems to be from the security module. I seem not to be able to configure it correctly.
I also tried to enable the Java Security verbose logging messages:
-Djava.security.debug="all,failure"
but then the asadmin just freezes without trying to start the application server.

I have tried and succeeded to deploy proactive.rar on other application servers, and it works. I don't know what else I should try in order to make it working on Glassfish, so I would appreciate any help. Thank you.

monzillo

Posts: 181
Re: security error when trying to deploy a resource connector
Posted: May 21, 2008 1:13 PM   in response to: fbratu 		 
  Click to reply to this thread Reply

since you have the security manager enabled, the BasePolicyWrapper should be running with its avoidReentrancy flag set to true. In which case, it uses a threadlocal to avoid the recursive calls to policy.implies() shown in your stack trace.

there may be a bug in the logic of the BasePolicyWrapper wrt to its setting of the avoidRentrancy flag, although the logic appears to be ok. I enabled the security manager, and added the grants you describe below, and did not see a problem or restart. I also tried a couple of app tests, and I didn't see a problem.

I was able to cause a startup problem (although I did not see the same stack trace you are seeing), by setting
-Dcom.sun.enterprise.security.provider.PolicyWrapper.ignoreReentrancy=true
in domain.xml

By default this property should NOT bedefined. If you haven't defined this property, can you try repeating your test after having set this property to

-Dcom.sun.enterprise.security.provider.PolicyWrapper.ignoreReentrancy=false
in jvm-options of domain.xml.

that should explicitly cause avoidReecusion to be set to true.

let me know what you learn, and then we can see if you should file a bug.

Ron

fbratu

Posts: 9
Re: security error when trying to deploy a resource connector
Posted: May 22, 2008 1:32 AM   in response to: monzillo 		 
  Click to reply to this thread Reply

<quote>
since you have the security manager enabled,
</quote>

That was the problem - I didn't have the security manager enabled!!! :(
I've just found out that Glassfish starts with the security manager disabled by default for a domain created with the developper profile - which is the profile I created in order to test the connector on Glassfish - so I added the -Djava.security.manager option to the JVM, and now it works!

Thanks for the help!

Message was edited by: fbratu

kumarjayanti

Posts: 1,125
Re: security error when trying to deploy a resource connector
Posted: May 22, 2008 5:07 AM   in response to: fbratu 		 
  Click to reply to this thread Reply

Even with SecurityManger disabled you should not run into the stackoverflow. This appears to be a fallout of a compensating bugfix done in GF for a related JDK issue.

Can you please try the following and let us know...

1. disable Security Manager back again
2. Go to "Configuration> Security> JACC Providers> default" under the admin console
3. change the Policy Provider class name to "com.sun.enterprise.security.provider.BasePolicyWrapper"
4. restart GF and deploy your RA again.

Thanks.

fbratu

Posts: 9
Re: security error when trying to deploy a resource connector
Posted: May 22, 2008 6:29 AM   in response to: kumarjayanti 		 
  Click to reply to this thread Reply

First I want to mention that, if I enable the Security Manager, and then set the enableReentrancy flag to true, I get an "Exception in thread main" message in server.log , and GF doesn't start.

I've made the changes you asked me to do - disabled Security Manager and changed the Policy Provider to the BasePolicyProvider . Also, I start without setting the enableReentrancy flag. And yes, it works!

monzillo

Posts: 181
Re: security error when trying to deploy a resource connector
Posted: May 22, 2008 8:33 AM   in response to: fbratu 		 
  Click to reply to this thread Reply

I realize the thread does on, so I am just responding to the thread where you indicated that you enabled the SecurityManager (because it was disabled)

In the stack trace you sent us, it appears that the SecurityManager was enabled, since it was being called by java.io.File.isDirectory(File.java:752).

I will try to follow up on the rest of the thread.


Point your RSS reader here for a feed of the latest messages in all forums
Go Back Back to Thread List



 XML java.net RSS
Feedback  | FAQ  | Press | Terms of Use
Privacy  |  Trademarks | Site Map
 
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Participation.
 
Copyright © 1995-2006 Sun Microsystems, Inc.
Collabnet Logo Cognisync Communities
Powered by Sun Microsystems, Inc.,
CollabNet and Cognisync