Bug 327482 - OSGI app binaries do not inherit Java 2 security

3 files changed, 57 insertions, 3 deletions

diff --git a/bundles/org.eclipse.equinox.jsp.jasper/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.jsp.jasper/META-INF/MANIFEST.MF
index d97a24baa..2e46923ad 100644
--- a/bundles/org.eclipse.equinox.jsp.jasper/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.jsp.jasper/META-INF/MANIFEST.MF
@@ -4,7 +4,7 @@ Bundle-Name: %bundleName
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
 Bundle-SymbolicName: org.eclipse.equinox.jsp.jasper
-Bundle-Version: 1.0.200.qualifier
+Bundle-Version: 1.0.300.qualifier
 Bundle-Activator: org.eclipse.equinox.internal.jsp.jasper.Activator
 Import-Package: javax.servlet;version="[2.4, 3.0)",
  javax.servlet.http;version="[2.4, 3.0)",
diff --git a/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/internal/jsp/jasper/JspClassLoader.java b/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/internal/jsp/jasper/JspClassLoader.java
index 330302600..944bdbce7 100644
--- a/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/internal/jsp/jasper/JspClassLoader.java
+++ b/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/internal/jsp/jasper/JspClassLoader.java
@@ -15,6 +15,8 @@ import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.security.CodeSource;
+import java.security.PermissionCollection;
 import java.util.Dictionary;
 import java.util.Enumeration;
 import java.util.StringTokenizer;
@@ -61,8 +63,11 @@ public class JspClassLoader extends URLClassLoader {
 		}
 	};
 
-	public JspClassLoader(Bundle bundle) {
+	private PermissionCollection permissions;
+
+	public JspClassLoader(Bundle bundle, PermissionCollection permissions) {
 		super(new URL[0], new BundleProxyClassLoader(bundle, new BundleProxyClassLoader(JASPERBUNDLE, new JSPContextFinder(EMPTY_CLASSLOADER))));
+		this.permissions = permissions;
 		addBundleClassPathJars(bundle);
 		Bundle[] fragments = Activator.getFragments(bundle);
 		if (fragments != null) {
@@ -105,4 +110,8 @@ public class JspClassLoader extends URLClassLoader {
 	protected Class findClass(String name) throws ClassNotFoundException {
 		throw new ClassNotFoundException(name);
 	}
+
+	protected PermissionCollection getPermissions(CodeSource codesource) {
+		return permissions;
+	}
 }
diff --git a/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java b/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java
index 14068b046..58acfc6d8 100644
--- a/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java
+++ b/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java
@@ -13,10 +13,14 @@ package org.eclipse.equinox.jsp.jasper;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.lang.reflect.Field;
 import java.lang.reflect.Method;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLClassLoader;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Set;
@@ -61,9 +65,33 @@ import org.osgi.framework.Bundle;
  */
 
 public class JspServlet extends HttpServlet {
+
+	private static class BundlePermissionCollection extends PermissionCollection {
+		private static final long serialVersionUID = -6365478608043900677L;
+		private Bundle bundle;
+
+		public BundlePermissionCollection(Bundle bundle) {
+			this.bundle = bundle;
+			super.setReadOnly();
+		}
+
+		public void add(Permission permission) {
+			throw new SecurityException();
+		}
+
+		public boolean implies(Permission permission) {
+			return bundle.hasPermission(permission);
+		}
+
+		public Enumeration elements() {
+			return Collections.enumeration(Collections.EMPTY_LIST);
+		}
+	}
+
 	private static final long serialVersionUID = -4110476909131707652L;
 	private Servlet jspServlet = new org.apache.jasper.servlet.JspServlet();
 	Bundle bundle;
+	BundlePermissionCollection bundlePermissions;
 	private URLClassLoader jspLoader;
 	String bundleResourcePath;
 	String alias;
@@ -72,7 +100,10 @@ public class JspServlet extends HttpServlet {
 		this.bundle = bundle;
 		this.bundleResourcePath = (bundleResourcePath == null || bundleResourcePath.equals("/")) ? "" : bundleResourcePath; //$NON-NLS-1$ //$NON-NLS-2$
 		this.alias = (alias == null || alias.equals("/")) ? null : alias; //$NON-NLS-1$
-		jspLoader = new JspClassLoader(bundle);
+		if (System.getSecurityManager() != null) {
+			bundlePermissions = new BundlePermissionCollection(bundle);
+		}
+		jspLoader = new JspClassLoader(bundle, bundlePermissions);
 	}
 
 	public JspServlet(Bundle bundle, String bundleResourcePath) {
@@ -84,6 +115,20 @@ public class JspServlet extends HttpServlet {
 		try {
 			Thread.currentThread().setContextClassLoader(jspLoader);
 			jspServlet.init(new ServletConfigAdaptor(config));
+
+			// If a SecurityManager is set we need to override the permissions collection set in Jasper's JSPRuntimeContext
+			if (System.getSecurityManager() != null) {
+				try {
+					Field jspRuntimeContextField = jspServlet.getClass().getDeclaredField("rctxt"); //$NON-NLS-1$
+					jspRuntimeContextField.setAccessible(true);
+					Object jspRuntimeContext = jspRuntimeContextField.get(jspServlet);
+					Field permissionCollectionField = jspRuntimeContext.getClass().getDeclaredField("permissionCollection"); //$NON-NLS-1$
+					permissionCollectionField.setAccessible(true);
+					permissionCollectionField.set(jspRuntimeContext, bundlePermissions);
+				} catch (Exception e) {
+					throw new ServletException("Cannot initialize JSPServlet. Failed to set JSPRuntimeContext permission collection."); //$NON-NLS-1$
+				}
+			}
 		} finally {
 			Thread.currentThread().setContextClassLoader(original);
 		}