Access Keys:
Skip to content (Access Key - 0)









Security Problem with AspectJ

Print this page

Question

I am getting classloader permission exceptions with Aspectj. From the stack trace I believe that Aspectj tries to get the classloader.

The Aspectj runtime is deployed using a library. That library jar has classloader permission. Now the code weaving during compilation will weave the aspectJ calls into the SBB code. What is the security policy now? The SBB runs its classloader -> The aspectJ has permission -> The code of aspectJ is called -> Now as aspectJ is not calling priviledged action it is executed with SBB permissions -> Then it fails.

Is that the right interpretation? Do we have to enable class loader access for the complete container?

Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
...

Answer

Register/login to use all DevPortal features - Log in | Sign up )

  1. June 7, 2011

    richard bock says:

    After some time I am trying to change again to make the security-permissions wor...

    After some time I am trying to change again to make the security-permissions work for my SBBs without switching the security manager off. I learned that you can add security-permissions to

    • LIBJAR
    • RAJAR
    • SBBJAR

    So I added the follwing tag to each of the JSLEE entities:
    <security-permissions>
    <security-permission-spec>
    grant

    Unknown macro: { permission java.security.AllPermission; }
    ;
    </security-permission-spec>
    </security-permissions>

    And I was expecting that now as all security domains have the AllPermission the aspectj classloader access problem would be gone. But nevertheless I am getting the access error. I cannot add the AccessController.doProviliged() block as I cannot control the aspectj inserted code.

    Should this approach work or do I miss something in the concept of given access permissions via the deployment descriptors?

    Do I have to give more permissions? E.g. to the service or any other entity?

Adaptavist Theme Builder Powered by Atlassian Confluence