18 Replies Latest reply: Nov 21, 2008 1:31 PM by Anil Saldhana

Privileged Blocks Issue : JBAOP-675

Anil Saldhana Master

Flavia, I tried the attached jar and we went a bit further. The latest stack trace is here. I am available on IM also at the moment and we can discuss once you are back from lunch. :)

09:35:05,438 ERROR [STDERR] access: access denied (java.lang.RuntimePermission getClassLoader)
09:35:05,438 ERROR [STDERR] java.lang.Exception: Stack trace
09:35:05,439 ERROR [STDERR] at java.lang.Thread.dumpStack(Thread.java:1158)
09:35:05,439 ERROR [STDERR] at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
09:35:05,439 ERROR [STDERR] at java.security.AccessController.checkPermission(AccessController.java:427)
09:35:05,439 ERROR [STDERR] at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
09:35:05,439 ERROR [STDERR] at java.lang.Class.getClassLoader(Class.java:588)
09:35:05,439 ERROR [STDERR] at org.jboss.aop.classpool.AOPClassPoolRepository.registerClass(AOPClassPoolRepository.java:166)
09:35:05,439 ERROR [STDERR] at org.jboss.aop.AspectManager.registerClass(AspectManager.java:825)
09:35:05,439 ERROR [STDERR] at org.jboss.aop.AspectManager.initialiseClassAdvisor(AspectManager.java:730)
09:35:05,439 ERROR [STDERR] at org.jboss.aop.AspectManager.getAdvisor(AspectManager.java:712)
09:35:05,439 ERROR [STDERR] at org.jboss.jms.server.endpoint.advised.ConnectionAdvised.<clinit>(ConnectionAdvised.java)
09:35:05,439 ERROR [STDERR] at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegateInternal(ServerConnectionFactoryEndpoint.java:288)
09:35:05,439 ERROR [STDERR] at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegate(ServerConnectionFactoryEndpoint.java:171)



  • 1. Re: Privileged Blocks Issue : JBAOP-675
    Anil Saldhana Master

    Flavia, the fix should not go in GenericAspectFactory as you did.

    Messaging is weaving their code (ClientSessionDelegate) as in:

    3:22:07,502 ERROR [STDERR] java.lang.Exception: Stack trace
    23:22:07,503 ERROR [STDERR] at java.lang.Thread.dumpStack(Thread.java:1158)
    23:22:07,503 ERROR [STDERR] at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
    23:22:07,503 ERROR [STDERR] at java.security.AccessController.checkPermission(AccessController.java:427)
    23:22:07,503 ERROR [STDERR] at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    23:22:07,503 ERROR [STDERR] at java.lang.Class.getClassLoader(Class.java:588)
    23:22:07,503 ERROR [STDERR] at org.jboss.aop.advice.GenericAspectFactory.getClazz(GenericAspectFactory.java:123)
    23:22:07,503 ERROR [STDERR] at org.jboss.aop.advice.GenericAspectFactory.createPerInstance(GenericAspectFactory.java:175)
    23:22:07,503 ERROR [STDERR] at org.jboss.aop.InstanceAdvisorDelegate.initializeAspects(InstanceAdvisorDelegate.java:109)
    23:22:07,503 ERROR [STDERR] at org.jboss.aop.InstanceAdvisorDelegate.initialize(InstanceAdvisorDelegate.java:71)
    23:22:07,503 ERROR [STDERR] at org.jboss.aop.ClassInstanceAdvisor.setAdvisorAndInitialise(ClassInstanceAdvisor.java:84)
    23:22:07,503 ERROR [STDERR] at org.jboss.aop.ClassInstanceAdvisor.<init>(ClassInstanceAdvisor.java:68)
    23:22:07,503 ERROR [STDERR] at org.jboss.jms.client.delegate.ClientSessionDelegate._getInstanceAdvisor(ClientSessionDelegate.java)
    23:22:07,503 ERROR [STDERR] at org.jboss.jms.client.delegate.ClientSessionDelegate.createMessage(ClientSessionDelegate.java)
    23:22:07,503 ERROR [STDERR] at org.jboss.jms.client.JBossSession.createMessage(JBossSession.java:124)
    


    Their pointcut is on createMessage of ClientSessionDelegate. At the location of the pointcut, in the aop weaved code, you should be wrapping that with a privileged block.

    You are trying the priv block way up in the stack trace.

  • 2. Re: Privileged Blocks Issue : JBAOP-675
    Anil Saldhana Master

    I am saying that the privileged block should be in:

    23:22:07,503 ERROR [STDERR] at org.jboss.jms.client.delegate.ClientSessionDelegate.createMessage(ClientSessionDelegate.java)
    


    When they do "aopc" as part of their build process, in the generated aop code of ClientSessionDelegate, the createMessage should be having a privileged block.

  • 3. Re: Privileged Blocks Issue : JBAOP-675
    Anil Saldhana Master

     

    13:40:46,501 ERROR [STDERR] java.lang.Exception: Stack trace
    13:40:46,501 ERROR [STDERR] at java.lang.Thread.dumpStack(Thread.java:1158)
    13:40:46,501 ERROR [STDERR] at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
    13:40:46,501 ERROR [STDERR] at java.security.AccessController.checkPermission(AccessController.java:427)
    13:40:46,501 ERROR [STDERR] at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    13:40:46,501 ERROR [STDERR] at org.jboss.aop.AspectManager.getAdvisor(AspectManager.java:707)
    13:40:46,501 ERROR [STDERR] at org.jboss.jms.server.endpoint.advised.ConnectionAdvised.<clinit>(ConnectionAdvised.java)
    13:40:46,501 ERROR [STDERR] at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegateInternal(ServerConnectionFactoryEndpoint.java:288)
    13:40:46,501 ERROR [STDERR] at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegate(ServerConnectionFactoryEndpoint.java:171)
    13:40:46,501 ERROR [STDERR] at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.org$jboss$jms$server$endpoint$advised$ConnectionFactoryAdvised$createConnectionDelegate$aop(ConnectionFactoryAdvised.java:108)
    


    This is the error I am getting now. It is better than the previous one. Is the call to AspectManager.getAdvisor happening from the aop side or is it a messaging aspect?

  • 4. Re: Privileged Blocks Issue : JBAOP-675
    Flavia Rainone Master

     

    "anil.saldhana@jboss.com" wrote:
    I am saying that the privileged block should be in:
    23:22:07,503 ERROR [STDERR] at org.jboss.jms.client.delegate.ClientSessionDelegate.createMessage(ClientSessionDelegate.java)
    


    Unless the problem is not with Class.getClassLoader call, it shouldn't be in the joinpoint wrapper, createMessage.

    There are two good reasons for this. The first one is that the joinpointwrapper, createMessage, will trigger the Class.getClassLoader call only the first time it is reached on a per scope basis (given the aspect is a PER_INSTANCE one, it will be triggered the first time this method is run for each ClientSessionDelegate instance).

    So, it is not fair to pay the extra performance price of running the joinpoint inside a privileged block just because it might need to trigger a Class.getClassLoader.

    Secondly, I'm following the design decision that Kabir has made for the other points of JBoss AOP code. Kabir created SecurityActions classes that perform a few operations inside privileged blocks. When I want to call, for example, Class.getClassLoader, I am supposed to call SecurityActions.getClassLoader(Class).

    This method was already there, but it looks like some points of the new 2.0.0GA version mistakenly were invoking Class.getClassLoader instead of delegating to SecurityActions.

    There is a new version of the jar attached at the Jira issue, now with all the points replaced. Please, test that jar and let me know if it works or if I missed some Class.getClassLoader call in the code.
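The SecurityActions pattern described in the reply above, as an added example: this is not JBoss AOP source and not code from anyone in this thread. The method body, the `Registry` caller, and its `describeLoader` method are assumptions; only the names `SecurityActions` and `getClassLoader(Class)` come from the post. `AccessController` and `SecurityManager` are deprecated for removal since Java 17, so this compiles with warnings on current JDKs.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Illustrative helper (assumed shape, not the JBoss AOP class).
 * Package-private on purpose: a public version would let any caller
 * borrow this code source's permissions.
 */
final class SecurityActions {
    private SecurityActions() {}

    /** Runs Class.getClassLoader() with only this library's ProtectionDomain in the check. */
    static ClassLoader getClassLoader(final Class<?> clazz) {
        if (System.getSecurityManager() == null) {
            return clazz.getClassLoader(); // no manager installed: skip the privileged frame
        }
        // doPrivileged stops the stack walk at this frame, so the domains of
        // callers further up the stack are not consulted for the permission.
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return clazz.getClassLoader();
            }
        });
    }
}

/** Hypothetical library class showing the call-site change. */
public class Registry {
    public static String describeLoader(Class<?> clazz) {
        // Before: clazz.getClassLoader() called directly, so a required permission
        //         check walks every ProtectionDomain on the calling stack.
        // After:  delegate to the helper, so only this jar's domain is checked.
        ClassLoader cl = SecurityActions.getClassLoader(clazz);
        return cl == null ? "bootstrap" : cl.getClass().getName();
    }

    public static void main(String[] args) {
        System.out.println(describeLoader(Registry.class));
        System.out.println(describeLoader(String.class)); // loaded by the bootstrap loader
    }
}
```

The library's own code source still has to be granted `java.lang.RuntimePermission "getClassLoader"` in the policy; the privileged block only removes the callers' domains from the check.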

  • 5. Re: Privileged Blocks Issue : JBAOP-675
    Flavia Rainone Master

     

    "anil.saldhana@jboss.com" wrote:
    Is the call to AspectManager.getAdvisor happening from the aop side or is it a messaging aspect?


    I think that the problem is still on the aop side. But I can't see what is wrong with that. Look at the piece of code below:

    public synchronized ClassAdvisor getAdvisor(Class<?> clazz)
    {
        ClassAdvisor advisor = null;
        // See if one already exists
        advisor = (ClassAdvisor)findAdvisor(clazz);
        // if one does not
        if (advisor == null)
        {
            advisor = AdvisorFactory.getClassAdvisor(clazz, this);
            initialiseClassAdvisor(clazz, advisor);
        }
        return advisor;
    }


    The line 707 is:
    advisor = (ClassAdvisor)findAdvisor(clazz);


    As the findAdvisor call doesn't appear at the stack, I would assume that the check is being performed for the casting. But this doesn't make any sense to me. Do you have any ideas?

  • 6. Re: Privileged Blocks Issue : JBAOP-675
    Anil Saldhana Master

    Flavia, who is generating the AspectManager.getAdvisor statement in the weaved code? You need to wrap this "AM.getAdvisor" call in a priv block and not the contents of AM.getAdvisor.

  • 7. Re: Privileged Blocks Issue : JBAOP-675
    Flavia Rainone Master

    I have to fix this inside AspectManager.

    This is what is happening. JBoss AOP inserts an advisor field into the weaved class. This field is static and is initialized with AspectManager.getAdvisor(this.getClass()):

    public class WeavedClass
    {
        private static final Advisor aop$advisor$aop = AspectManager.instance().getAdvisor(this.getClass());
        ...
    }
    


    So, I'm not sure if Javassist allows editing clinit, and I can't edit the aop$advisor$aop field initialization, replacing the call to getAdvisor by an if/else field.

    Plus, I need to know exactly what kind of permission it needs (why is the check failing on line 707 exactly?), as this method is called elsewhere inside of JBoss AOP.

  • 8. Re: Privileged Blocks Issue : JBAOP-675
    Anil Saldhana Master

    I do not know what the dangers are of making the entire content of getAdvisor method in a privileged block. I have an inclination to suggest that.

    Have you tried weaving in a block into the weaved class as:

    public class WeavedClass
    {
        private static final Advisor aop$advisor$aop = SecurityActions.getAdvisor(AspectManager.instance(), this.getClass());
        ...
    }

    or

    public class WeavedClass
    {
        private static final Advisor aop$advisor$aop =
            AccessController.doPrivileged(new PrivilegedAction<Advisor>() {
                public Advisor run()
                {
                    return AspectManager.instance().getAdvisor(this.getClass());
                }
            });
        ...
    }
    



    Is that doable?

  • 9. Re: Privileged Blocks Issue : JBAOP-675
    Flavia Rainone Master

    Yes, this is doable. I think I'll go with the first suggestion.

    I still would like to know which part of line 707 of AspectManager is triggering a security check...

  • 10. Re: Privileged Blocks Issue : JBAOP-675
    Flavia Rainone Master

    Anil, taking a second look, I have a question. Are you running tests with pre-woven code? If this code is already woven, it is already calling AspectManager.getAdvisor. So, it won't help making aopc change this behavior if you need to make things work with something that is already woven.

  • 11. Re: Privileged Blocks Issue : JBAOP-675
    Adrian Brock Master

     

    "flavia.rainone@jboss.com" wrote:
    Yes, this is doable. I think I'll go with the first suggestion.

    I still would like to know which part of line 707 of AspectManager is triggering a security check...


    Yep, it doesn't make any sense to me either.
    Neither the cast nor the virtual method call should do a permission check.

    I suspect this isn't the same code?

    Anil, can you show the full error which includes the name of the permission that failed.

  • 12. Re: Privileged Blocks Issue : JBAOP-675
    Anil Saldhana Master

    Messaging build uses aopc to weave in the aspects. Then the jboss-messaging.jar is created and we use that in the AS.

    Flavia, I have been taking your test jars, dropping them in messaging/thirdparty/jboss/aop/lib and then building the messaging jar and using it in AS. Each time I have got an updated jar, I have got a shorter stack trace.

    Let me run one more time and get the complete stack trace for Adrian.

  • 13. Re: Privileged Blocks Issue : JBAOP-675
    Anil Saldhana Master

     

    09:41:03,645 ERROR [STDERR] access: access allowed (java.io.FilePermission /home/anil/jboss-5.0/jboss-head/build/output/jboss-5.0.0.GA/common/lib read)
    09:41:03,647 ERROR [STDERR] access: access denied (java.lang.RuntimePermission getClassLoader)
    09:41:03,648 ERROR [STDERR] java.lang.Exception: Stack trace
    09:41:03,648 ERROR [STDERR] at java.lang.Thread.dumpStack(Thread.java:1158)
    09:41:03,648 ERROR [STDERR] at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
    09:41:03,648 ERROR [STDERR] at java.security.AccessController.checkPermission(AccessController.java:427)
    09:41:03,648 ERROR [STDERR] at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    09:41:03,648 ERROR [STDERR] at java.lang.Class.getClassLoader(Class.java:588)
    09:41:03,648 ERROR [STDERR] at org.jboss.aop.classpool.AOPClassPoolRepository.registerClass(AOPClassPoolRepository.java:166)
    09:41:03,648 ERROR [STDERR] at org.jboss.aop.AspectManager.registerClass(AspectManager.java:825)
    09:41:03,649 ERROR [STDERR] at org.jboss.aop.AspectManager.initialiseClassAdvisor(AspectManager.java:730)
    09:41:03,649 ERROR [STDERR] at org.jboss.aop.AspectManager.getAdvisor(AspectManager.java:712)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.server.endpoint.advised.ConnectionAdvised.<clinit>(ConnectionAdvised.java)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegateInternal(ServerConnectionFactoryEndpoint.java:288)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegate(ServerConnectionFactoryEndpoint.java:171)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.org$jboss$jms$server$endpoint$advised$ConnectionFactoryAdvised$createConnectionDelegate$aop(ConnectionFactoryAdvised.java:108)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.createConnectionDelegate(ConnectionFactoryAdvised.java)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.wireformat.ConnectionFactoryCreateConnectionDelegateRequest.serverInvoke(ConnectionFactoryCreateConnectionDelegateRequest.java:91)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.server.remoting.JMSServerInvocationHandler.invoke(JMSServerInvocationHandler.java:143)
    09:41:03,649 ERROR [STDERR] at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
    09:41:03,649 ERROR [STDERR] at org.jboss.remoting.transport.local.LocalClientInvoker.invoke(LocalClientInvoker.java:106)
    09:41:03,649 ERROR [STDERR] at org.jboss.remoting.Client.invoke(Client.java:1708)
    09:41:03,649 ERROR [STDERR] at org.jboss.remoting.Client.invoke(Client.java:612)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.org$jboss$jms$client$delegate$ClientConnectionFactoryDelegate$createConnectionDelegate$aop(ClientConnectionFactoryDelegate.java:171)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.invokeTarget(ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.java)
    09:41:03,649 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    09:41:03,649 ERROR [STDERR] at org.jboss.jms.client.container.StateCreationAspect.handleCreateConnectionDelegate(StateCreationAspect.java:81)
    09:41:03,649 ERROR [STDERR] at org.jboss.aop.advice.org.jboss.jms.client.container.StateCreationAspect_z_handleCreateConnectionDelegate_994617574.invoke(StateCreationAspect_z_handleCreateConnectionDelegate_994617574.java)
    09:41:03,649 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    09:41:03,650 ERROR [STDERR] at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.createConnectionDelegate(ClientConnectionFactoryDelegate.java)
    ....
    ....
    09:41:03,651 ERROR [STDERR] access: domain that failed ProtectionDomain (vfsmemory://3j001-kwvps2-fnszzu3k-1-fnt004dg-6/ <no signer certificates>)
     null
     <no principals>
    
    


    Flavia, this is with messaging built with your updated jar. I have not updated AS with your updated aop jar.

  • 14. Re: Privileged Blocks Issue : JBAOP-675
    Anil Saldhana Master

    Flavia, when I update your aop jar in AS also, I do not see issues with aop anymore. I think you can go ahead, make the aop release. After that, messaging can get their release done.
