We are about to go production with AspectJ and Weblogic 8.1 with load time weaving. We used the initial AspectJ integration classes released by BEA and cleaned up a little bit to work with AspectJ 1.2. During our testing with Java Security Manager integration I am running into a problem. Initially I made the mistake of not giving the property read permission as well as temp file creation, and once I got through that, though, I no longer get any AccessControlExceptions but a simple "trouble in:" message in the console. What permissions do I need to give for AspectJ Runtime + AspectJ tools in addition to all System property read permission as well as temporary file creation? Thanks in advance, Venkat.
Could you append the console messages you get?
I simply get a "trouble in:" each time the aspect is executed. This is the exact string. There is no exception stack trace.
Can you define the following system property so that we can find out a little more about what's happening: -Daj.weaving.verbose=true
I found what the problem is. BCEL's ClassPathManager looks at each path in the system classpath for a class to be weaved until it finds the one. The only way this code can run under a JSM is to give a read FilePermission <<ALL FILES>>. This may not be a good idea. Perhaps it can attempt to load this class through the getResourceAsStream mechanism which will go through the JSM without any additional permission. Here is a section of the stack trace to prove my point.

java.security.AccessControlException: access denied (java.io.FilePermission C:\aspectj-jsm-test\appconfig\bali\appfw\UserInfo.class read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
    at java.io.File.isFile(File.java:723)
    at org.aspectj.weaver.bcel.ClassPathManager$DirEntry.find(ClassPathManager.java:136)
    at org.aspectj.weaver.bcel.ClassPathManager.find(ClassPathManager.java:72)
    at org.aspectj.weaver.bcel.BcelWorld.lookupJavaClass(BcelWorld.java:211)

I am also attaching the full stack trace as it may help somebody else. Your thoughts please.
Created attachment 14770: Stack trace pointing to the need for <<ALL FILES>> permission
As you are investigating it ....
I have used the following security policy. The need for <<ALL FILES>> as well as some of the properties would be avoided by using getResourceAsStream() although we will also have to fix BCEL to catch security exceptions and use reasonable defaults as suggested for bug 74238. It's a shame the supplied Java 2 SecurityManager doesn't allow a class to read a property that has the same name as its package e.g. classes in org.aspectj.weaver.tools could read properties "org.aspectj.weaver.tools.*". As an alternative we could allow users to safely configure the weaver by loading a properties file from classpath in the way we load the Xlint defaults.

grant {
    // Needed by weaver for bytecode loading
    permission java.io.FilePermission "<<ALL FILES>>", "read";

    // Needed by BCEL
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.ext.dirs", "read";
    permission java.util.PropertyPermission "JavaClass.*", "read";

    // Needed by org.aspectj.weaver.tools.WeavingAdaptor
    permission java.util.PropertyPermission "sun.boot.class.path", "read";

    // Needed to configure org.aspectj.weaver.WeavingURLClassLoader
    permission java.util.PropertyPermission "aj.*", "read";

    // Needed by weaving class loader
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
};
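The two changes proposed in the comments above (resolving bytecode through the class loader instead of probing classpath directories with java.io.File, and falling back to a default when a property read is denied) look like this as an added Java example. It is not AspectJ or BCEL code, and the class and method names are hypothetical; the next comment in this thread reports that ClassLoader.getResources() lookups still ran into FilePermission checks.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

// Added illustration: ResourceBytecodeLookup and its methods are hypothetical
// names, not AspectJ or BCEL classes.
public class ResourceBytecodeLookup {

    // Read a system property; fall back to a default if the policy denies the read.
    static String propertyOrDefault(String key, String fallback) {
        try {
            return System.getProperty(key, fallback);
        } catch (SecurityException denied) {
            return fallback;
        }
    }

    // Fetch class bytes through the loader that can already see the class,
    // instead of calling File.isFile() on every classpath directory.
    static byte[] findClassBytes(ClassLoader loader, String className) throws IOException {
        String resource = className.replace('.', '/') + ".class";
        ClassLoader cl = (loader != null) ? loader : ClassLoader.getSystemClassLoader();
        try (InputStream in = cl.getResourceAsStream(resource)) {
            if (in == null) {
                return null; // not visible to this loader
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    // Class files start with the magic number 0xCAFEBABE.
    static boolean looksLikeClassFile(byte[] b) {
        return b != null && b.length >= 4 && (b[0] & 0xFF) == 0xCA && (b[1] & 0xFF) == 0xFE
                && (b[2] & 0xFF) == 0xBA && (b[3] & 0xFF) == 0xBE;
    }

    public static void main(String[] args) throws IOException {
        String name = ResourceBytecodeLookup.class.getName();
        byte[] bytes = findClassBytes(ResourceBytecodeLookup.class.getClassLoader(), name);
        System.out.println(name + ": class file found = " + looksLikeClassFile(bytes));
        System.out.println("aj.weaving.verbose = " + propertyOrDefault("aj.weaving.verbose", "false"));
    }
}
```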
We should doc this info !
*** Bug 159856 has been marked as a duplicate of this bug. ***
Using -Djava.security.debug=access:failure (http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/debugger.html) I have identified that <<ALL FILES>> also seems to be needed by ClassLoader.getResources() when looking for aop.xml files:

[java] 16:35:40.341 main - org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.parseDefinitions org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor@50d89c org/aspectj/weaver/loadtime/aop.xml;META-INF/aop-ajc.xml
...
[java] access: access denied (java.io.FilePermission \C:\temp\ajcSandbox\org.aspectj\ajcTest47118.tmp\META-INF\aop-ajc.xml read)
[java] java.lang.Exception: Stack trace
[java]     at java.lang.Thread.dumpStack(Thread.java:1158)
[java]     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
[java]     at java.security.AccessController.checkPermission(AccessController.java:427)
[java]     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
[java]     at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
[java]     at sun.misc.URLClassPath.check(URLClassPath.java:407)
[java]     at sun.misc.URLClassPath.checkURL(URLClassPath.java:381)
[java]     at java.net.URLClassLoader$3.next(URLClassLoader.java:400)
[java]     at java.net.URLClassLoader$3.hasMoreElements(URLClassLoader.java:415)
[java]     at sun.misc.CompoundEnumeration.next(CompoundEnumeration.java:27)
[java]     at sun.misc.CompoundEnumeration.hasMoreElements(CompoundEnumeration.java:36)
[java]     at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.parseDefinitions(ClassLoaderWeavingAdaptor.java:209)
[java]     at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.initialize(ClassLoaderWeavingAdaptor.java:134)
[java]     at org.aspectj.weaver.loadtime.Aj$ExplicitlyInitializedClassLoaderWeavingAdaptor.initialize(Aj.java:148)
[java]     at org.aspectj.weaver.loadtime.Aj$ExplicitlyInitializedClassLoaderWeavingAdaptor.getWeavingAdaptor(Aj.java:153)
[java]     at org.aspectj.weaver.loadtime.Aj$WeaverContainer.getWeaver(Aj.java:119)
[java]     at org.aspectj.weaver.loadtime.Aj.preProcess(Aj.java:72)
[java]     at org.aspectj.weaver.loadtime.ClassPreProcessorAgentAdapter.transform(ClassPreProcessorAgentAdapter.java:55)
[java]     at sun.instrument.TransformerManager.transform(TransformerManager.java:122)
[java]     at sun.instrument.InstrumentationImpl.transform(InstrumentationImpl.java:155)
[java]     at java.lang.ClassLoader.defineClass1(Native Method)
[java]     at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
[java]     at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
[java]     at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
[java]     at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
[java]     at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
[java]     at java.security.AccessController.doPrivileged(Native Method)
[java]     at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
[java]     at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
[java]     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
[java]     at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
[java]     at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
...
[java] 16:35:40.622 main I [AppClassLoader@7ced01] info no configuration found. Disabling weaver for class loader sun.misc.Launcher$AppClassLoader@7ced01

Even using org/aspectj/weaver/loadtime/aop.xml fails.
We also need to grant permissions to support reflection delegates:

[java] 16:43:30.488 main > org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.registerAspects org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor@50d89c org.aspectj.weaver.bcel.BcelWeaver@a4e2e3, sun.misc.Launcher$AppClassLoader@7ced01, java.util.ArrayList(2)
[java] 16:43:30.488 main I [AppClassLoader@7ced01] info register aspect Aspect
[java] 16:43:30.488 main > org.aspectj.weaver.bcel.BcelWeaver.addLibraryAspect org.aspectj.weaver.bcel.BcelWeaver@a4e2e3 Aspect
[java] 16:43:31.329 main - org.aspectj.weaver.bcel.BcelWorld.lookupJavaClass org.aspectj.weaver.ltw.LTWWorld@bd928a Aspect, org.aspectj.apache.bcel.classfile.JavaClass@1c56c60
[java] 16:43:33.141 main E register definition failed java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
[java] java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
[java]     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
[java]     at java.security.AccessController.checkPermission(AccessController.java:427)
[java]     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
[java]     at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
[java]     at java.lang.Class.checkMemberAccess(Class.java:2125)
[java]     at java.lang.Class.getDeclaredMethods(Class.java:1762)
[java]     at org.aspectj.internal.lang.reflect.AjTypeImpl.getDeclaredMethods(AjTypeImpl.java:333)
[java]     at org.aspectj.weaver.reflect.Java15ReflectionBasedReferenceTypeDelegate.getDeclaredMethods(Java15ReflectionBasedReferenceTypeDelegate.java:171)
[java]     at org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:516)
[java]     at org.aspectj.weaver.ResolvedType.getDeclaredAdvice(ResolvedType.java:703)
[java]     at org.aspectj.weaver.ResolvedType.getDeclaredShadowMungers(ResolvedType.java:740)
[java]     at org.aspectj.weaver.ResolvedType.collectShadowMungers(ResolvedType.java:576)
[java]     at org.aspectj.weaver.ResolvedType.collectCrosscuttingMembers(ResolvedType.java:505)
[java]     at org.aspectj.weaver.CrosscuttingMembersSet.addOrReplaceAspect(CrosscuttingMembersSet.java:79)
[java]     at org.aspectj.weaver.CrosscuttingMembersSet.addOrReplaceAspect(CrosscuttingMembersSet.java:66)
[java]     at org.aspectj.weaver.bcel.BcelWeaver.addLibraryAspect(BcelWeaver.java:200)
[java]     at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.registerAspects(ClassLoaderWeavingAdaptor.java:401)
[java]     at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.registerDefinitions(ClassLoaderWeavingAdaptor.java:242)
[java]     at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.initialize(ClassLoaderWeavingAdaptor.java:153)
[java]     at org.aspectj.weaver.loadtime.Aj$ExplicitlyInitializedClassLoaderWeavingAdaptor.initialize(Aj.java:148)
[java]     at org.aspectj.weaver.loadtime.Aj$ExplicitlyInitializedClassLoaderWeavingAdaptor.getWeavingAdaptor(Aj.java:153)
[java]     at org.aspectj.weaver.loadtime.Aj$WeaverContainer.getWeaver(Aj.java:119)
[java]     at org.aspectj.weaver.loadtime.Aj.preProcess(Aj.java:72)
[java]     at org.aspectj.weaver.loadtime.ClassPreProcessorAgentAdapter.transform(ClassPreProcessorAgentAdapter.java:55)
[java]     at sun.instrument.TransformerManager.transform(TransformerManager.java:122)
[java]     at sun.instrument.InstrumentationImpl.transform(InstrumentationImpl.java:155)
[java]     at java.lang.ClassLoader.defineClass1(Native Method)
[java]     at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
[java]     at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
[java]     at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
[java]     at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
[java]     at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
[java]     at java.security.AccessController.doPrivileged(Native Method)
[java]     at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
[java]     at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
[java]     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
[java]     at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
[java]     at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
[java] 16:43:33.151 main W [AppClassLoader@7ced01] warning register definition failed -- (AccessControlException) access denied (java.lang.RuntimePermission accessDeclaredMembers)

So a revised policy might look like this:

grant {
    // Needed by weaver for bytecode loading
    permission java.io.FilePermission "<<ALL FILES>>", "read";

    // Needed by BCEL
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.ext.dirs", "read";
    permission java.util.PropertyPermission "JavaClass.*", "read";
    permission java.util.PropertyPermission "org.aspectj.apache.bcel.useSharedCache", "read";

    // Needed by org.aspectj.weaver.tools.WeavingAdaptor
    permission java.util.PropertyPermission "sun.boot.class.path", "read";
    permission java.util.PropertyPermission "org.aspectj.weaver.*", "read";

    // Needed to configure org.aspectj.weaver.WeavingURLClassLoader
    permission java.util.PropertyPermission "aj.*", "read";

    // Needed to configure org.aspectj.weaver.tools.TraceFactory
    permission java.util.PropertyPermission "org.aspectj.tracing.*", "read";

    // Needed by weaving class loader
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";

    // Needed by Java15ReflectionBasedReferenceTypeDelegate
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
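The denial messages quoted in this thread can be turned into exact policy entries, which shows what a grant narrower than <<ALL FILES>> would have to list. This is an added example, not part of the original thread or of AspectJ; the class name is hypothetical and the parser assumes the older JDK message format shown in the traces above.

```java
import java.util.*;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration: DeniedPermissionReport is a hypothetical helper,
// not part of AspectJ or the JDK.
public class DeniedPermissionReport {

    // Message format quoted in this thread (older JDKs):
    //   access denied (<permission class> <target name> [<actions>])
    private static final Pattern DENIED =
            Pattern.compile("access denied \\(([\\w.$]+) (.+?)\\)\\s*$");

    // Permission types whose last token is an action list.
    private static final List<String> WITH_ACTIONS = Arrays.asList(
            "java.io.FilePermission", "java.util.PropertyPermission");

    static Set<String> toPolicyEntries(List<String> logLines) {
        Set<String> entries = new LinkedHashSet<>(); // de-duplicates, keeps first-seen order
        for (String line : logLines) {
            Matcher m = DENIED.matcher(line);
            if (!m.find()) continue;
            String type = m.group(1);
            String target = m.group(2);
            String actions = "";
            int sp = target.lastIndexOf(' ');
            if (WITH_ACTIONS.contains(type) && sp > 0) {
                actions = ", \"" + target.substring(sp + 1) + "\"";
                target = target.substring(0, sp);
            }
            // Policy files need each backslash in a quoted string doubled.
            target = target.replace("\\", "\\\\");
            entries.add("permission " + type + " \"" + target + "\"" + actions + ";");
        }
        return entries;
    }

    public static void main(String[] args) {
        // Denial messages copied from the traces in this thread.
        List<String> log = Arrays.asList(
            "access denied (java.io.FilePermission C:\\aspectj-jsm-test\\appconfig\\bali\\appfw\\UserInfo.class read)",
            "[java] access: access denied (java.io.FilePermission \\C:\\temp\\ajcSandbox\\org.aspectj\\ajcTest47118.tmp\\META-INF\\aop-ajc.xml read)",
            "[java] 16:43:33.141 main E register definition failed java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)",
            "[java] java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)");
        toPolicyEntries(log).forEach(System.out::println);
    }
}
```

The four sample messages yield three entries, because the repeated accessDeclaredMembers denial collapses to one.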