74246 – [docs] AspectJ and Java Security Manager

Bug 74246 - [docs] AspectJ and Java Security Manager

Summary: [docs] AspectJ and Java Security Manager

Status:	NEW

Alias:	None

Product:	AspectJ
Classification:	Tools
Component:	Docs (show other bugs)
Version:	1.2
Hardware:	PC Windows XP

Importance:	P3 minor (vote)
Target Milestone:	---
Assignee:	Matthew Webster
QA Contact:

URL:
Whiteboard:
Keywords:

Duplicates (1):	159856 (view as bug list)
Depends on:
Blocks:

Reported:	2004-09-19 21:02 EDT by Venkat
Modified:	2008-08-22 15:54 EDT (History)
CC List:	2 users (show)

See Also:

Attachments
Stack trace pointing to the need for <<ALL FILES>> permission (6.31 KB, text/plain) 2004-09-24 13:48 EDT, Venkat	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Venkat

2004-09-19 21:02:04 EDT

We are about to go production with AspectJ and Weblogic 8.1 with load time
weaving. We used the initial AspectJ integration classes released by BEA and
cleaned up a little bit to work with AspectJ 1.2. During our testing with Java
Security Manager integration I am running into a problem. Initially I made the
mistake of not giving the property read permission as well as temp file creation
and once I got through that though I no longer any AccessControlExceptions but a
simple "trouble in:" messege in the console.

What permissions do I need to give for AspectJ Runtime + AspectJ tools in
addition to all System property read permission as well as temporary file creation?

Thanks in advance,
Venkat.

Comment 1 Matthew Webster

2004-09-22 12:40:21 EDT

Could you append the console messages you get?

Comment 2 Venkat

2004-09-22 16:39:21 EDT

I simply get a "trouble in:" each time the aspect is executed.  This is the
exact string. There is no exception stack trace.

Comment 3 Matthew Webster

2004-09-23 12:39:17 EDT

Can yoiu define the following system property so that we can find out a little 
more about what's happening:

-Daj.weaving.verbose=true

Comment 4 Venkat

2004-09-24 13:46:23 EDT

I found what the problem is. BCEL's ClassPathManager tries looks at each path in
the system classpath for a class to be weaved until it finds the one. The only
way this code can run under a JSM is to give a read FilePermission <<ALL
FILES>>. This may not be a good idea. Perhaps it can attempt to load this class
through the getResourceAsStream mechanism which will go through the JSM without
any additional permission.

Here is a section of the stack trace to prove my point.

java.security.AccessControlException: access denied (java.io.FilePermission
C:\aspectj-jsm-test\appconfig\bali\appfw\UserInfo.class read)
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
        at java.io.File.isFile(File.java:723)
        at
org.aspectj.weaver.bcel.ClassPathManager$DirEntry.find(ClassPathManager.java:136)
        at org.aspectj.weaver.bcel.ClassPathManager.find(ClassPathManager.java:72)
        at org.aspectj.weaver.bcel.BcelWorld.lookupJavaClass(BcelWorld.java:211)

I am also attaching the full stack trace as it may help somebody else. Your
thoughts please.

Comment 5 Venkat

2004-09-24 13:48:32 EDT

Created attachment 14770 [details]
Stack trace pointing to the need for <<ALL FILES>> permission

Comment 6 Andrew Clement

2004-09-29 09:29:38 EDT

As you are investigating it ....

Comment 7 Matthew Webster

2004-10-05 10:01:48 EDT

I have used the following security policy. The need for <<ALL FILES>> as well 
as some of the properties would be avoided by using getResourceAsStream() 
although we will also have to fix BCEL to catch security exceptions and use 
reasonable defaults as suggested for bug 74238.

It's a shame the supplies Java 2 SecurityManager doesn't allow a class to read 
a property that has the same name as its package e.g. classes in 
org.aspectj.weaver.tools could read properties "org.aspectj.weaver.tools.*". 
As an alternative we could allow users to safely configure the weaver by 
loading a properties file from classpath in the way we load the Xlint defaults.

grant { 

	// Needed by weaver for bytecode loading
	permission java.io.FilePermission "<<ALL FILES>>", "read";

	// Needed by BCEL
	permission java.util.PropertyPermission "java.class.path", "read";
	permission java.util.PropertyPermission "java.ext.dirs", "read";
	permission java.util.PropertyPermission "JavaClass.*", "read";

	// Needed by org.aspectj.weaver.tools.WeavingAdaptor
	permission java.util.PropertyPermission "sun.boot.class.path", "read";

	// Needed to configure org.aspectj.weaver.WeavingURLClassLoader
	permission java.util.PropertyPermission "aj.*", "read";

	// Needed by weaving class loader
	permission java.lang.RuntimePermission "createClassLoader";
	permission java.lang.RuntimePermission "getClassLoader";
};

Comment 8 Andrew Clement

2006-05-30 08:58:26 EDT

We should doc this info !

Comment 9 Matthew Webster

2006-10-18 09:49:13 EDT

*** Bug 159856 has been marked as a duplicate of this bug. ***

Comment 10 Matthew Webster

2006-10-18 11:49:02 EDT

Using -Djava.security.debug=access:failure (http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/debugger.html) I have identified that <<ALL FILES>> also seems to be needed by ClassLoader.getResources() when looking for aop.xml fiels:

     [java] 16:35:40.341 main - org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.parseDefinitions org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor@50d89c org/aspectj/weaver/loadtime/aop.xml;META-INF/aop-ajc.xml
     ...
     [java] access: access denied (java.io.FilePermission \C:\temp\ajcSandbox\org.aspectj\ajcTest47118.tmp\META-INF\aop-ajc.xml read)
     [java] java.lang.Exception: Stack trace
     [java] 	at java.lang.Thread.dumpStack(Thread.java:1158)
     [java] 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
     [java] 	at java.security.AccessController.checkPermission(AccessController.java:427)
     [java] 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
     [java] 	at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
     [java] 	at sun.misc.URLClassPath.check(URLClassPath.java:407)
     [java] 	at sun.misc.URLClassPath.checkURL(URLClassPath.java:381)
     [java] 	at java.net.URLClassLoader$3.next(URLClassLoader.java:400)
     [java] 	at java.net.URLClassLoader$3.hasMoreElements(URLClassLoader.java:415)
     [java] 	at sun.misc.CompoundEnumeration.next(CompoundEnumeration.java:27)
     [java] 	at sun.misc.CompoundEnumeration.hasMoreElements(CompoundEnumeration.java:36)
     [java] 	at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.parseDefinitions(ClassLoaderWeavingAdaptor.java:209)
     [java] 	at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.initialize(ClassLoaderWeavingAdaptor.java:134)
     [java] 	at org.aspectj.weaver.loadtime.Aj$ExplicitlyInitializedClassLoaderWeavingAdaptor.initialize(Aj.java:148)
     [java] 	at org.aspectj.weaver.loadtime.Aj$ExplicitlyInitializedClassLoaderWeavingAdaptor.getWeavingAdaptor(Aj.java:153)
     [java] 	at org.aspectj.weaver.loadtime.Aj$WeaverContainer.getWeaver(Aj.java:119)
     [java] 	at org.aspectj.weaver.loadtime.Aj.preProcess(Aj.java:72)
     [java] 	at org.aspectj.weaver.loadtime.ClassPreProcessorAgentAdapter.transform(ClassPreProcessorAgentAdapter.java:55)
     [java] 	at sun.instrument.TransformerManager.transform(TransformerManager.java:122)
     [java] 	at sun.instrument.InstrumentationImpl.transform(InstrumentationImpl.java:155)
     [java] 	at java.lang.ClassLoader.defineClass1(Native Method)
     [java] 	at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
     [java] 	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
     [java] 	at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
     [java] 	at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
     [java] 	at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
     [java] 	at java.security.AccessController.doPrivileged(Native Method)
     [java] 	at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
     [java] 	at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
     [java] 	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
     [java] 	at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
     [java] 	at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
     ...
     [java] 16:35:40.622 main I [AppClassLoader@7ced01] info no configuration found. Disabling weaver for class loader sun.misc.Launcher$AppClassLoader@7ced01

Even using org/aspectj/weaver/loadtime/aop.xml fails.

We also need to grant permissions to support reflection delegates:

     [java] 16:43:30.488 main > org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.registerAspects org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor@50d89c org.aspectj.weaver.bcel.BcelWeaver@a4e2e3, sun.misc.Launcher$AppClassLoader@7ced01, java.util.ArrayList(2)
     [java] 16:43:30.488 main I [AppClassLoader@7ced01] info register aspect Aspect
     [java] 16:43:30.488 main > org.aspectj.weaver.bcel.BcelWeaver.addLibraryAspect org.aspectj.weaver.bcel.BcelWeaver@a4e2e3 Aspect
     [java] 16:43:31.329 main - org.aspectj.weaver.bcel.BcelWorld.lookupJavaClass org.aspectj.weaver.ltw.LTWWorld@bd928a Aspect, org.aspectj.apache.bcel.classfile.JavaClass@1c56c60
     [java] 16:43:33.141 main E register definition failed java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
     [java] java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
     [java] 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
     [java] 	at java.security.AccessController.checkPermission(AccessController.java:427)
     [java] 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
     [java] 	at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
     [java] 	at java.lang.Class.checkMemberAccess(Class.java:2125)
     [java] 	at java.lang.Class.getDeclaredMethods(Class.java:1762)
     [java] 	at org.aspectj.internal.lang.reflect.AjTypeImpl.getDeclaredMethods(AjTypeImpl.java:333)
     [java] 	at org.aspectj.weaver.reflect.Java15ReflectionBasedReferenceTypeDelegate.getDeclaredMethods(Java15ReflectionBasedReferenceTypeDelegate.java:171)
     [java] 	at org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:516)
     [java] 	at org.aspectj.weaver.ResolvedType.getDeclaredAdvice(ResolvedType.java:703)
     [java] 	at org.aspectj.weaver.ResolvedType.getDeclaredShadowMungers(ResolvedType.java:740)
     [java] 	at org.aspectj.weaver.ResolvedType.collectShadowMungers(ResolvedType.java:576)
     [java] 	at org.aspectj.weaver.ResolvedType.collectCrosscuttingMembers(ResolvedType.java:505)
     [java] 	at org.aspectj.weaver.CrosscuttingMembersSet.addOrReplaceAspect(CrosscuttingMembersSet.java:79)
     [java] 	at org.aspectj.weaver.CrosscuttingMembersSet.addOrReplaceAspect(CrosscuttingMembersSet.java:66)
     [java] 	at org.aspectj.weaver.bcel.BcelWeaver.addLibraryAspect(BcelWeaver.java:200)
     [java] 	at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.registerAspects(ClassLoaderWeavingAdaptor.java:401)
     [java] 	at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.registerDefinitions(ClassLoaderWeavingAdaptor.java:242)
     [java] 	at org.aspectj.weaver.loadtime.ClassLoaderWeavingAdaptor.initialize(ClassLoaderWeavingAdaptor.java:153)
     [java] 	at org.aspectj.weaver.loadtime.Aj$ExplicitlyInitializedClassLoaderWeavingAdaptor.initialize(Aj.java:148)
     [java] 	at org.aspectj.weaver.loadtime.Aj$ExplicitlyInitializedClassLoaderWeavingAdaptor.getWeavingAdaptor(Aj.java:153)
     [java] 	at org.aspectj.weaver.loadtime.Aj$WeaverContainer.getWeaver(Aj.java:119)
     [java] 	at org.aspectj.weaver.loadtime.Aj.preProcess(Aj.java:72)
     [java] 	at org.aspectj.weaver.loadtime.ClassPreProcessorAgentAdapter.transform(ClassPreProcessorAgentAdapter.java:55)
     [java] 	at sun.instrument.TransformerManager.transform(TransformerManager.java:122)
     [java] 	at sun.instrument.InstrumentationImpl.transform(InstrumentationImpl.java:155)
     [java] 	at java.lang.ClassLoader.defineClass1(Native Method)
     [java] 	at java.lang.ClassLoader.defineClass(ClassLoader.java:620)
     [java] 	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124)
     [java] 	at java.net.URLClassLoader.defineClass(URLClassLoader.java:260)
     [java] 	at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
     [java] 	at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
     [java] 	at java.security.AccessController.doPrivileged(Native Method)
     [java] 	at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
     [java] 	at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
     [java] 	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:268)
     [java] 	at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
     [java] 	at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
     [java] 16:43:33.151 main W [AppClassLoader@7ced01] warning register definition failed -- (AccessControlException) access denied (java.lang.RuntimePermission accessDeclaredMembers)

So a revised policy might look like this:

grant { 

	// Needed by weaver for bytecode loading
	permission java.io.FilePermission "<<ALL FILES>>", "read";

	// Needed by BCEL
	permission java.util.PropertyPermission "java.class.path", "read";
	permission java.util.PropertyPermission "java.ext.dirs", "read";
	permission java.util.PropertyPermission "JavaClass.*", "read";

	permission java.util.PropertyPermission "org.aspectj.apache.bcel.useSharedCache", "read";

	// Needed by org.aspectj.weaver.tools.WeavingAdaptor
	permission java.util.PropertyPermission "sun.boot.class.path", "read";
	permission java.util.PropertyPermission "org.aspectj.weaver.*", "read";

	// Needed to configure org.aspectj.weaver.WeavingURLClassLoader
	permission java.util.PropertyPermission "aj.*", "read";

	// Needed to configure org.aspectj.weaver.tools.TraceFactory
	permission java.util.PropertyPermission "org.aspectj.tracing.*", "read";

	// Needed by weaving class loader
	permission java.lang.RuntimePermission "createClassLoader";
	permission java.lang.RuntimePermission "getClassLoader";

	// Needed by Java15ReflectionBasedReferenceTypeDelegate
	permission java.lang.RuntimePermission "accessDeclaredMembers";
};