Simple EJB causes permissions errors

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Simple EJB causes permissions errors

ross.cohen
I have a super simple web project (it includes no jars at all in web-inf/lib)
which deploys and works fine.   However as soon as I add an Ejb (@Singleton
@Startup), it starts blowing up on startup/deploy  (stack trace below).   I
am starting Tomee with a security manager, but the policy file is wide open:

grant {
    permission java.security.AllPermission;
};

Any hints as to what I need to look at to fix this?

7.0.4 running on jdk 8.0_192

Thanks,
Ross

INFO: OpenWebBeans Container is starting...
Oct 31, 2018 1:30:22 PM org.apache.webbeans.plugins.PluginLoader startUp
INFO: Adding OpenWebBeansPlugin : [CdiPlugin]
Oct 31, 2018 1:30:22 PM org.apache.openejb.cdi.CdiScanner handleBda
INFO: Using annotated mode for
file:/C:/IBM/liferay7-ga5/tomee-7.0.4/webapps/example-web/WEB-INF/classes/
looking all classes to find CDI beans, maybe think to add a beans.xml if not
there or add the jar to exclusions.list
Oct 31, 2018 1:30:22 PM org.apache.webbeans.config.BeansDeployer
validateInjectionPoints
INFO: All injection points were validated successfully.
Oct 31, 2018 1:30:22 PM org.apache.openejb.cdi.OpenEJBLifecycle
startApplication
INFO: OpenWebBeans Container has started, it took 397 ms.
Oct 31, 2018 1:30:22 PM org.apache.openejb.assembler.classic.Assembler
startEjbs
INFO: Created Ejb(deployment-id=MyEjb, ejb-name=MyEjb, container=Default
Singleton Container)
Oct 31, 2018 1:30:22 PM sun.reflect.NativeMethodAccessorImpl invoke
SEVERE: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/example-web]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752)
        at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:726)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:988)
        at
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1860)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "setContextClassLoader")
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at
java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.Thread.setContextClassLoader(Thread.java:1474)
        at
org.apache.catalina.core.StandardContext.unbind(StandardContext.java:5857)
        at
org.apache.catalina.core.StandardContext.unbindThread(StandardContext.java:5787)
        at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5251)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        ... 14 more

Oct 31, 2018 1:30:22 PM sun.reflect.NativeMethodAccessorImpl invoke
SEVERE: Error deploying web application archive
[C:\IBM\liferay7-ga5\tomee-7.0.4\webapps\example-web.war]
java.lang.IllegalStateException: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component
[StandardEngine[Catalina].StandardHost[localhost].StandardContext[/example-web]]
        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:756)
        at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:726)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:988)
        at
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1860)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

Oct 31, 2018 1:30:22 PM sun.reflect.NativeMethodAccessorImpl invoke
SEVERE: Error waiting for multi-thread deployment of WAR files to complete
java.util.concurrent.ExecutionException:
java.security.AccessControlException: access denied
("java.io.FilePermission"
"C:\IBM\liferay7-ga5\tomee-7.0.4\webapps\example-web" "read")
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.util.concurrent.FutureTask.get(FutureTask.java:192)
        at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:778)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:441)
        at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1632)
        at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:314)
        at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:94)
        at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1164)
        at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1388)
        at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1392)
        at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1360)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.AccessControlException: access denied
("java.io.FilePermission"
"C:\IBM\liferay7-ga5\tomee-7.0.4\webapps\example-web" "read")
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at
java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
        at java.io.File.lastModified(File.java:938)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1002)
        at
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1860)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        ... 1 more







--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
Reply | Threaded
Open this post in threaded view
|

Re: Simple EJB causes permissions errors

ross.cohen
I can make this problem go away by removing the Security Manager.    As I
said, the security policy is set to be permissive as possible, so I don't
really understand how I would be getting security exception.




--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
Reply | Threaded
Open this post in threaded view
|

Re: Simple EJB causes permissions errors

Matthew Broadhead-2
do you need the security manager in production or have you solved the
problem?

On 01/11/2018 18:11, ross.cohen wrote:
> I can make this problem go away by removing the Security Manager.    As I
> said, the security policy is set to be permissive as possible, so I don't
> really understand how I would be getting security exception.
>
>
>
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html

Reply | Threaded
Open this post in threaded view
|

Re: Simple EJB causes permissions errors

ross.cohen
This post was updated on .
Matthew Broadhead-2 wrote
do you need the security manager in production or have you solved the
problem?
A preliminary look suggests that Liferay (and our portlet applications) seem
to run OK without the SecurityManager.   However, adding the SecurityManager
was in the Liferay install instructions, so that leaves me feeling a bit
uncertain.  Time (and some testing) will tell.

As a side note, I'll point out that I made an earlier post about being
unable to deploy EARs
(http://tomee-openejb.979440.n4.nabble.com/EAR-deployment-td4684131.html),
and that too was traced back to having a SecurityManager set.

And having just re-examined that post, I would guess that the root cause of both problems is the same.

Ross


Reply | Threaded
Open this post in threaded view
|

Re: Simple EJB causes permissions errors

jgallimore
There's an issue around JACC where there is an issue with a security
manager. I do have a local patch, but it is not extensively tested at the
moment. Happy to paste it somewhere if you're up for building TomEE with
the patch and giving it a try.

Jon

On Thu, Nov 1, 2018 at 10:07 PM ross.cohen <[hidden email]> wrote:

>
> do you need the security manager in production or have you solved the
> problem?
>
> A preliminary look suggests that Liferay (and our portlet applications)
> seem
> to run OK without the SecurityManager.   However, adding the
> SecurityManager
> was in the Liferay install instructions, so that leaves me feeling a bit
> uncertain.  Time (and some testing) will tell.
>
> As a side note, I'll point out that I made an earlier post about being
> unable to deploy EARs
> (http://tomee-openejb.979440.n4.nabble.com/EAR-deployment-td4684131.html),
> and that too was traced back to having a SecurityManager set.
>
> Ross
>
>
>
>
>
>
> --
> Sent from:
> http://tomee-openejb.979440.n4.nabble.com/TomEE-Users-f979441.html
>