diff options
author | Simon Kaegi | 2010-10-30 20:09:16 +0000 |
---|---|---|
committer | Simon Kaegi | 2010-10-30 20:09:16 +0000 |
commit | 3737bd466b4d5c7d8b8ae648085b7eb9915ca913 (patch) | |
tree | a5d594057ddf96392e71fc29329ec0885e0ff37e /bundles/org.eclipse.equinox.jsp.jasper | |
parent | beac856e02b61ef3e9af2ca73cca43b9e608e82d (diff) | |
download | rt.equinox.bundles-3737bd466b4d5c7d8b8ae648085b7eb9915ca913.tar.gz rt.equinox.bundles-3737bd466b4d5c7d8b8ae648085b7eb9915ca913.tar.xz rt.equinox.bundles-3737bd466b4d5c7d8b8ae648085b7eb9915ca913.zip |
Bug 327482 - OSGI app binaries do not inherit Java 2 security
Diffstat (limited to 'bundles/org.eclipse.equinox.jsp.jasper')
3 files changed, 57 insertions, 3 deletions
diff --git a/bundles/org.eclipse.equinox.jsp.jasper/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.jsp.jasper/META-INF/MANIFEST.MF index d97a24baa..2e46923ad 100644 --- a/bundles/org.eclipse.equinox.jsp.jasper/META-INF/MANIFEST.MF +++ b/bundles/org.eclipse.equinox.jsp.jasper/META-INF/MANIFEST.MF @@ -4,7 +4,7 @@ Bundle-Name: %bundleName Bundle-Vendor: %providerName Bundle-Localization: plugin Bundle-SymbolicName: org.eclipse.equinox.jsp.jasper -Bundle-Version: 1.0.200.qualifier +Bundle-Version: 1.0.300.qualifier Bundle-Activator: org.eclipse.equinox.internal.jsp.jasper.Activator Import-Package: javax.servlet;version="[2.4, 3.0)", javax.servlet.http;version="[2.4, 3.0)", diff --git a/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/internal/jsp/jasper/JspClassLoader.java b/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/internal/jsp/jasper/JspClassLoader.java index 330302600..944bdbce7 100644 --- a/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/internal/jsp/jasper/JspClassLoader.java +++ b/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/internal/jsp/jasper/JspClassLoader.java @@ -15,6 +15,8 @@ import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; import java.net.URLClassLoader; +import java.security.CodeSource; +import java.security.PermissionCollection; import java.util.Dictionary; import java.util.Enumeration; import java.util.StringTokenizer; @@ -61,8 +63,11 @@ public class JspClassLoader extends URLClassLoader { } }; - public JspClassLoader(Bundle bundle) { + private PermissionCollection permissions; + + public JspClassLoader(Bundle bundle, PermissionCollection permissions) { super(new URL[0], new BundleProxyClassLoader(bundle, new BundleProxyClassLoader(JASPERBUNDLE, new JSPContextFinder(EMPTY_CLASSLOADER)))); + this.permissions = permissions; addBundleClassPathJars(bundle); Bundle[] fragments = Activator.getFragments(bundle); if (fragments != null) { @@ -105,4 +110,8 @@ public class JspClassLoader extends URLClassLoader { protected Class findClass(String name) throws ClassNotFoundException { throw new ClassNotFoundException(name); } + + protected PermissionCollection getPermissions(CodeSource codesource) { + return permissions; + } } diff --git a/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java b/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java index 14068b046..58acfc6d8 100644 --- a/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java +++ b/bundles/org.eclipse.equinox.jsp.jasper/src/org/eclipse/equinox/jsp/jasper/JspServlet.java @@ -13,10 +13,14 @@ package org.eclipse.equinox.jsp.jasper; import java.io.IOException; import java.io.InputStream; +import java.lang.reflect.Field; import java.lang.reflect.Method; import java.net.MalformedURLException; import java.net.URL; import java.net.URLClassLoader; +import java.security.Permission; +import java.security.PermissionCollection; +import java.util.Collections; import java.util.Enumeration; import java.util.HashSet; import java.util.Set; @@ -61,9 +65,33 @@ import org.osgi.framework.Bundle; */ public class JspServlet extends HttpServlet { + + private static class BundlePermissionCollection extends PermissionCollection { + private static final long serialVersionUID = -6365478608043900677L; + private Bundle bundle; + + public BundlePermissionCollection(Bundle bundle) { + this.bundle = bundle; + super.setReadOnly(); + } + + public void add(Permission permission) { + throw new SecurityException(); + } + + public boolean implies(Permission permission) { + return bundle.hasPermission(permission); + } + + public Enumeration elements() { + return Collections.enumeration(Collections.EMPTY_LIST); + } + } + private static final long serialVersionUID = -4110476909131707652L; private Servlet jspServlet = new org.apache.jasper.servlet.JspServlet(); Bundle bundle; + BundlePermissionCollection bundlePermissions; private URLClassLoader jspLoader; String bundleResourcePath; String alias; @@ -72,7 +100,10 @@ public class JspServlet extends HttpServlet { this.bundle = bundle; this.bundleResourcePath = (bundleResourcePath == null || bundleResourcePath.equals("/")) ? "" : bundleResourcePath; //$NON-NLS-1$ //$NON-NLS-2$ this.alias = (alias == null || alias.equals("/")) ? null : alias; //$NON-NLS-1$ - jspLoader = new JspClassLoader(bundle); + if (System.getSecurityManager() != null) { + bundlePermissions = new BundlePermissionCollection(bundle); + } + jspLoader = new JspClassLoader(bundle, bundlePermissions); } public JspServlet(Bundle bundle, String bundleResourcePath) { @@ -84,6 +115,20 @@ public class JspServlet extends HttpServlet { try { Thread.currentThread().setContextClassLoader(jspLoader); jspServlet.init(new ServletConfigAdaptor(config)); + + // If a SecurityManager is set we need to override the permissions collection set in Jasper's JSPRuntimeContext + if (System.getSecurityManager() != null) { + try { + Field jspRuntimeContextField = jspServlet.getClass().getDeclaredField("rctxt"); //$NON-NLS-1$ + jspRuntimeContextField.setAccessible(true); + Object jspRuntimeContext = jspRuntimeContextField.get(jspServlet); + Field permissionCollectionField = jspRuntimeContext.getClass().getDeclaredField("permissionCollection"); //$NON-NLS-1$ + permissionCollectionField.setAccessible(true); + permissionCollectionField.set(jspRuntimeContext, bundlePermissions); + } catch (Exception e) { + throw new ServletException("Cannot initialize JSPServlet. Failed to set JSPRuntimeContext permission collection."); //$NON-NLS-1$ + } + } } finally { Thread.currentThread().setContextClassLoader(original); } |