Bug 429944 - ReportEngine IllegalArgumentException when a securityManager is set in JVM
Status: NEW
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: BIRT
Version: 4.3.2
Hardware: PC Windows 8
Importance: P3 critical with 6 votes
Target Milestone: Future
Assignee: Birt-ReportEngine-inbox@eclipse.org CLA
Keywords: plan, security

Reported: 2014-03-08 16:01 EST by donino donino CLA
Modified: 2016-10-03 09:21 EDT
Description donino donino CLA 2014-03-08 16:01:39 EST
When a securityManager (java.lang.SecurityManager) is defined in the same JVM as a BIRT engine, all BIRT EngineTasks return a java.lang.IllegalArgumentException due to Rhino, see stack trace below.

Steps to reproduce:
- Install a BIRT WebViewer on an application server (for this test I used Tomcat 7)
- Start the server with a securityManager (for example on Tomcat 7, run startup.bat with the "-security" argument)
- Run any BIRT report, we get the exception described below
- This error occurs even if we give all permissions to BIRT libraries through java security files, it is not related to a security exception.

To work around the bug, we can update these methods so that they always return "null":

- org.eclipse.birt.core.script.JavascriptEvalUtil.getSecurityDomain()
- org.eclipse.birt.report.engine.javascript.ScriptUtil.getSecurityDomain()

I don't know if it is an acceptable fix.


org.eclipse.birt.report.engine.api.EngineException: Error happened while running the report.
   at org.eclipse.birt.report.engine.api.impl.EngineTask.handleFatalExceptions(EngineTask.java:2363)
   at org.eclipse.birt.report.engine.api.impl.RunTask.doRun(RunTask.java:277)
   at org.eclipse.birt.report.engine.api.impl.RunTask.run(RunTask.java:86)
   at org.eclipse.birt.report.service.ReportEngineService.runReport(ReportEngineService.java:1325)
   at org.eclipse.birt.report.service.BirtViewerReportService.runReport(BirtViewerReportService.java:158)
   at org.eclipse.birt.report.service.actionhandler.BirtRunReportActionHandler.__execute(BirtRunReportActionHandler.java:81)
   at org.eclipse.birt.report.service.actionhandler.BirtGetPageActionHandler.__checkDocumentExists(BirtGetPageActionHandler.java:58)
   at org.eclipse.birt.report.service.actionhandler.AbstractGetPageActionHandler.prepareParameters(AbstractGetPageActionHandler.java:118)
   at org.eclipse.birt.report.service.actionhandler.AbstractGetPageActionHandler.__execute(AbstractGetPageActionHandler.java:103)
   at org.eclipse.birt.report.service.actionhandler.AbstractBaseActionHandler.execute(AbstractBaseActionHandler.java:90)
   at org.eclipse.birt.report.soapengine.processor.AbstractBaseDocumentProcessor.__executeAction(AbstractBaseDocumentProcessor.java:47)
   at org.eclipse.birt.report.soapengine.processor.AbstractBaseComponentProcessor.executeAction(AbstractBaseComponentProcessor.java:143)
   at org.eclipse.birt.report.soapengine.processor.BirtDocumentProcessor.handleGetPage(BirtDocumentProcessor.java:87)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:606)
   at org.eclipse.birt.report.soapengine.processor.AbstractBaseComponentProcessor.process(AbstractBaseComponentProcessor.java:112)
   at org.eclipse.birt.report.soapengine.endpoint.BirtSoapBindingImpl.getUpdatedObjects(BirtSoapBindingImpl.java:66)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:606)
   at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
   at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
   at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
   at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
   at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
   at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
   at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454)
   at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
   at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
   at org.eclipse.birt.report.servlet.BirtSoapMessageDispatcherServlet.doPost(BirtSoapMessageDispatcherServlet.java:265)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
   at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
   at org.eclipse.birt.report.servlet.BirtSoapMessageDispatcherServlet.service(BirtSoapMessageDispatcherServlet.java:122)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.eclipse.birt.report.filter.ViewerFilter.doFilter(ViewerFilter.java:68)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
   at com.googlecode.psiprobe.Tomcat70AgentValve.invoke(Tomcat70AgentValve.java:38)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
   at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
   at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
   at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:724)
Caused by: java.lang.IllegalArgumentException: securityDomain should be null if setSecurityController() was never called
   at org.mozilla.javascript.Context.compileImpl(Context.java:2340)
   at org.mozilla.javascript.Context.compileString(Context.java:1359)
   at org.mozilla.javascript.Context.compileString(Context.java:1348)
   at org.eclipse.birt.report.engine.javascript.JavascriptEngine$3.run(JavascriptEngine.java:240)
   at org.eclipse.birt.report.engine.javascript.JavascriptEngine$3.run(JavascriptEngine.java:1)
   at java.security.AccessController.doPrivileged(Native Method)
   at org.eclipse.birt.report.engine.javascript.JavascriptEngine.compile(JavascriptEngine.java:236)
   at org.eclipse.birt.report.engine.javascript.JavascriptEngine.compile(JavascriptEngine.java:1)
   at org.eclipse.birt.core.script.ScriptContext.compile(ScriptContext.java:153)
   at org.eclipse.birt.report.engine.executor.ExecutionContext.compile(ExecutionContext.java:779)
   at org.eclipse.birt.report.engine.executor.ExecutionContext.evaluate(ExecutionContext.java:713)
   at org.eclipse.birt.report.engine.executor.ReportItemExecutor.evaluate(ReportItemExecutor.java:284)
   at org.eclipse.birt.report.engine.executor.TextItemExecutor.executeHtmlText(TextItemExecutor.java:115)
   at org.eclipse.birt.report.engine.executor.TextItemExecutor.execute(TextItemExecutor.java:70)
   at org.eclipse.birt.report.engine.executor.ReportExecutorUtil.executeAll(ReportExecutorUtil.java:87)
   at org.eclipse.birt.report.engine.executor.ReportExecutorUtil.executeAll(ReportExecutorUtil.java:92)
   at org.eclipse.birt.report.engine.executor.ReportExecutorUtil.executeAll(ReportExecutorUtil.java:92)
   at org.eclipse.birt.report.engine.executor.ReportExecutorUtil.executeAll(ReportExecutorUtil.java:92)
   at org.eclipse.birt.report.engine.executor.ReportExecutorUtil.executeAll(ReportExecutorUtil.java:92)
   at org.eclipse.birt.report.engine.executor.ReportExecutor.createPageExecutor(ReportExecutor.java:229)
   at org.eclipse.birt.report.engine.internal.executor.wrap.WrappedReportExecutor.createPageExecutor(WrappedReportExecutor.java:49)
   at org.eclipse.birt.report.engine.internal.executor.dup.SuppressDuplciateReportExecutor.createPageExecutor(SuppressDuplciateReportExecutor.java:61)
   at org.eclipse.birt.report.engine.executor.ReportExecutorUtil.executeMasterPage(ReportExecutorUtil.java:63)
   at org.eclipse.birt.report.engine.layout.html.HTMLPageLM.start(HTMLPageLM.java:147)
   at org.eclipse.birt.report.engine.layout.html.HTMLPageLM.layout(HTMLPageLM.java:91)
   at org.eclipse.birt.report.engine.layout.html.HTMLReportLayoutEngine.layout(HTMLReportLayoutEngine.java:100)
   at org.eclipse.birt.report.engine.presentation.ReportDocumentBuilder.build(ReportDocumentBuilder.java:258)
   at org.eclipse.birt.report.engine.api.impl.RunTask.doRun(RunTask.java:269)
... 55 more
Comment 1 Krzysztof Kazmierczyk CLA 2014-03-17 10:13:49 EDT
It is not a BIRT bug but a Rhino bug, and it can be tracked here: https://issues.apache.org/bugzilla/show_bug.cgi?id=35233.
Comment 2 donino donino CLA 2014-03-17 19:30:56 EDT
@Krzysztof: I don't think so, the issue you linked is attached to the BATIK project, not Rhino. It seems more or less fixed for Batik, this is now tracked on Jira at https://issues.apache.org/jira/browse/BATIK-556?jql=text%20~%20%22RhinoInterpreter%22.

But now, BIRT has a similar problem. It seems to me it is critical because there are more and more server-side environments where a securityManager is enabled.
Comment 3 James McQuiggan CLA 2015-05-06 11:18:56 EDT
Also having this problem. Big issue.
Comment 4 Jason Turner CLA 2016-03-14 12:18:11 EDT
I am also having this problem. I am desperately trying to move from 3.7.1 to some modern version, but seems like a sequence of issues which more or less mandate hacking BIRT artefacts rather than being able to pick up working versions (489410, 478825).

Be much appreciated if this gets some focus. It is pretty hard trying to use BIRT in any industry where security gets some attention given this kind of issue.
Comment 5 Jason Turner CLA 2016-03-18 08:23:20 EDT
I could really use some help here. For my application I cannot switch off the security manager by setting to null - I need a better fix as security is a requirement.

I would like to build a local copy of org.eclipse.birt.runtime incorporating these two suggested changes:

- org.eclipse.birt.core.script.JavascriptEvalUtil.getSecurityDomain()
- org.eclipse.birt.report.engine.javascript.ScriptUtil.getSecurityDomain()

However - where do I find some useful info on actually getting the BIRT 4.5.0 source and how to build it?

Or does anyone out there happen to have done this already - and can they share the resulting JAR please?
Comment 6 Jason Turner CLA 2016-05-12 11:31:41 EDT
I have followed this advice and it worked fine for me, with a few notes:

If you use the BIRT viewer then coreapi.jar also contains these classes, and may get picked up first, so you need to patch both JARs.

To build these you need to grab the SDK and build inside Eclipse. In the end I couldn't seem to get a fully error-free set of projects, and have wasted enough time, so I ended up copying the individual class files across. Not the best of times! I found that I needed to add the com.ibm.icu.jar, and you need to be careful to get the correct version for your BIRT version (I didn't the first time).
Comment 7 Antonio Gagliardi CLA 2016-10-03 09:21:10 EDT
I solved it by setting a SecurityController (PolicySecurityController is good for me) globally in Rhino, at startup:

org.mozilla.javascript.SecurityController.initGlobal(new org.mozilla.javascript.PolicySecurityController());
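
Added example, not part of the original thread and not BIRT code: a standalone Rhino program that reproduces the "securityDomain should be null" exception from the stack trace and then shows the same compile succeeding once a global SecurityController is installed, as in Comment 7. The class name, script text and CodeSource URL are constructed for illustration; it assumes the Rhino JAR is on the classpath.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

import org.mozilla.javascript.Context;
import org.mozilla.javascript.PolicySecurityController;
import org.mozilla.javascript.Script;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.SecurityController;

public class RhinoSecurityDomainDemo {

    /** Compiles and runs a one-line script, passing securityDomain straight to Rhino. */
    static Object compileAndRun(Object securityDomain) {
        Context cx = Context.enter();
        try {
            Scriptable scope = cx.initStandardObjects();
            Script script = cx.compileString("6 * 7", "demo.js", 1, securityDomain);
            return script.exec(cx, scope);
        } finally {
            Context.exit();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed security domain: PolicySecurityController expects a CodeSource.
        // The URL is a placeholder, not a path taken from BIRT.
        CodeSource domain =
                new CodeSource(new URL("file:/reports/demo.rptdesign"), (Certificate[]) null);

        // 1. Non-null domain, no SecurityController: the failure from the stack trace.
        try {
            compileAndRun(domain);
        } catch (IllegalArgumentException e) {
            System.out.println("without controller: " + e.getMessage());
        }

        // 2. Install the controller once per JVM, before any script is compiled.
        //    initGlobal() throws SecurityException if a global controller already exists.
        if (!SecurityController.hasGlobal()) {
            SecurityController.initGlobal(new PolicySecurityController());
        }

        // 3. The same call now succeeds; the generated script class is defined under
        //    'domain', so the Java policy can grant it permissions by code source.
        System.out.println("with controller: " + compileAndRun(domain));
    }
}
```

Passing null as the domain (the workaround in the description) also avoids the exception, but the script then carries no code source of its own for the policy file to match.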