Skip to content

fix AccessControlException from SecurityManager in ClasspathOrder#594

Merged
lukehutch merged 1 commit into
classgraph:latestfrom
elkman:feature/fix_AccessControlException_in_ClasspathOrder
Nov 9, 2021
Merged

fix AccessControlException from SecurityManager in ClasspathOrder#594
lukehutch merged 1 commit into
classgraph:latestfrom
elkman:feature/fix_AccessControlException_in_ClasspathOrder

Conversation

@elkman

@elkman elkman commented Nov 8, 2021

Copy link
Copy Markdown

Hi @lukehutch,

yes, it's me and SecurityManger again =)

We have a new SecurityException after upgrading from 4.8.69 to 4.8.129 with our SecurityManager enabled Tomcat target platform.

In ClasspathOrder, class path elements are converted to URLs by pathElementURL = new File(pathElementToStr).toURI().toURL().

File#toUri() requires read access to the directory containing the file. If the JVM is running with SecurityManager enabled, this file system access may represent a security policy violation (e.g., in Tomcat, the CATALINA_HOME/bin folder containing classpath elements such as bootstrap.jar, etc.).
In this case, the existing fallback handling can be used.

This PR works fine in our case, but we are only searching for some WebJars.

fix AccessControlException from SecurityManager in ClasspathOrder
c36cf6c 
In ClasspathOrder, class path elements are converted to URLs by pathElementURL = new File(pathElementToStr).toURI().toURL().
File#toUri() requires read access to the directory containing the file. If the JVM is running with SecurityManager enabled, this file system access may represent a security policy violation (e.g., in Tomcat, the `CATALINA_HOME/bin` folder containing classpath elements such as bootstrap.jar, etc.).
In this case, the existing fallback handling can be used.
@lukehutch

lukehutch commented Nov 9, 2021
edited
Loading

Copy link
Copy Markdown
Member

@elkman I can't believe people are still using a SecurityManager these days! You know it has been deprecated for removal in JDK 17, right? :-)

One of the most annoying thing about SecurityManager is the number of Java library calls that can throw SecurityException -- and the fact it's an unchecked exception. Do you know of any way to find all places in a project where SecurityException can be thrown by library code called by the project? There are probably more of these fixes that are needed...

@lukehutch lukehutch merged commit 8d85e25 into classgraph:latest Nov 9, 2021
lukehutch added a commit that referenced this pull request Nov 9, 2021
@lukehutch
Catch some additional unchecked exceptions (#594)
c398d19
@lukehutch

lukehutch commented Nov 9, 2021

Copy link
Copy Markdown
Member

I found a few more places where SecurityException or IllegalArgumentException or IOError should be caught. Released in 4.8.131. Thank you for the pull request!

@elkman elkman deleted the feature/fix_AccessControlException_in_ClasspathOrder branch November 9, 2021 07:21
@elkman

elkman commented Nov 9, 2021
edited
Loading

Copy link
Copy Markdown
Author

Hi @lukehutch

@elkman I can't believe people are still using a SecurityManager these days!

yes, it is quite annoying, but this particular datacenter (public sector) decided to use it for its managed Tomcat hosting, which includes an option to get a Tomcat instance on a shared VM (like PHP in the 90s, the times without VMs, containers, SELinux and AppArmor).

You know it has been deprecated for removal in JDK 17, right? :-)

In fact, AccessControlException is already deprecated with JDK 17, SecurityException will remain. So at least there is no need to catch deprecated exceptions.

One of the most annoying thing about SecurityManager is the number of Java library calls that can throw SecurityException -- and the fact it's an unchecked exception. Do you know of any way to find all places in a project where SecurityException can be thrown by library code called by the project? There are probably more of these fixes that are needed...

No, I don't know and I also think that there is no easy way to find all missed RuntimeExeptions, because if programmers should care too much about them, they were not derived from RuntimeExeption.

I could think of a test that sets up a SecurityManager for some common cases of missing read permissions for the current directory, a jar file, a directory of a jar file and maybe some more. But I am not sure if it is worth the time spent on an already almost dead feature like the SecurityManager.

Thank you for the quick response and all your work on classgraph!

@lukehutch

lukehutch commented Nov 9, 2021

Copy link
Copy Markdown
Member

You're welcome, and all good points. OK, I think I caught most of them. I searched for all uses of Path.toUri, new URL, new URI, URI.toURL, etc.

We can just leave it at that for now, but please report any further problems. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@elkman @lukehutch