[FELIX-5385] ConfigAdmin uses wrong security when calling ManagedServices - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: configadmin-1.8.0
Fix Version/s: configadmin-1.8.12
Component/s: None
Labels:
None

Description

When a ManagedService (which bundles has all permissions) is called, we end up with the following exception.
The reason is that all code protection domain need to have the permission to actually grant the permission, and ConfigAdmin has very restricted permissions. A DomainCombiner should be used to only apply the bundle's permission to the call.

10:43:43.543 [CM Configuration Updater (ManagedService Update: pid=[org.ops4j.pax.logging])] ERROR org.apache.felix.configadmin - [org.osgi.service.log.LogService, org.knopflerfish.service.log.LogService, org.ops4j.pax.logging.PaxLoggingService, org.osgi.service.cm.ManagedService, id=12, bundle=5/mvn:org.ops4j.pax.logging/pax-logging-log4j2/1.9.1-SNAPSHOT]: Unexpected problem updating configuration org.ops4j.pax.logging
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) [?:?]
	at java.security.AccessController.checkPermission(AccessController.java:884) [?:?]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) [?:?]
	at java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1528) [?:?]
	at java.lang.Thread.getContextClassLoader(Thread.java:1436) [?:?]
	at org.ops4j.pax.logging.log4j2.internal.PaxLoggingServiceImpl.updated(PaxLoggingServiceImpl.java:150) [5:org.ops4j.pax.logging.pax-logging-log4j2:1.9.1.SNAPSHOT]
	at org.ops4j.pax.logging.log4j2.internal.PaxLoggingServiceImpl$1ManagedPaxLoggingService.updated(PaxLoggingServiceImpl.java:408) [5:org.ops4j.pax.logging.pax-logging-log4j2:1.9.1.SNAPSHOT]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker$1.run(ManagedServiceTracker.java:177) [6:org.apache.felix.configadmin:1.8.8]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.updated(ManagedServiceTracker.java:173) [6:org.apache.felix.configadmin:1.8.8]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.updateService(ManagedServiceTracker.java:152) [6:org.apache.felix.configadmin:1.8.8]
	at org.apache.felix.cm.impl.helper.ManagedServiceTracker.provideConfiguration(ManagedServiceTracker.java:85) [6:org.apache.felix.configadmin:1.8.8]
	at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceUpdate.provide(ConfigurationManager.java:1444) [6:org.apache.felix.configadmin:1.8.8]
	at org.apache.felix.cm.impl.ConfigurationManager$ManagedServiceUpdate.run(ConfigurationManager.java:1400) [6:org.apache.felix.configadmin:1.8.8]
	at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:131) [6:org.apache.felix.configadmin:1.8.8]
	at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:128) [6:org.apache.felix.configadmin:1.8.8]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
	at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:127) [6:org.apache.felix.configadmin:1.8.8]
	at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:110) [6:org.apache.felix.configadmin:1.8.8]
	at java.lang.Thread.run(Thread.java:745) [?:?]

Attachments

Issue Links

is related to

FELIX-5148 Framework Security unusable

Closed

is required by

KARAF-3400 Enabling Java System Security and OSGi security leaves Karaf in unusable state

Resolved

Activity

People

Assignee:: Guillaume Nodet

Reporter:: Guillaume Nodet

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 20/Oct/16 08:47

Updated:: 25/Oct/16 17:35

Resolved:: 20/Oct/16 11:46