[ https://issues.apache.org/jira/browse/SOLR-14598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17146917#comment-17146917 ]
Robert Muir commented on SOLR-14598:
------------------------------------

I've reopened the issue as this is really the wrong way. If SOLR does things this way (add shitty code, then blame security manager, and just add exceptions), then security manager will be useless in 6 months time. The actual code needs to be fixed.

> Security Manager causing reflection exceptions
> ----------------------------------------------
>
>                 Key: SOLR-14598
>                 URL: https://issues.apache.org/jira/browse/SOLR-14598
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Ishan Chattopadhyaya
>            Priority: Blocker
>             Fix For: 8.6
>
>         Attachments: SOLR-14598.patch
>
>
> With SOLR-14404, after a few requests (around 10 requests), every request is failing with:
>
> {code}
> 2020-06-27 08:26:00.708 ERROR (qtp65488937-22) [ ] o.a.s.s.HttpSolrCall null:org.apache.solr.common.SolrException: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.reflect")
>         at org.apache.solr.api.AnnotatedApi$Cmd.invoke(AnnotatedApi.java:311)
>         at org.apache.solr.api.AnnotatedApi.call(AnnotatedApi.java:178)
>         at org.apache.solr.api.CustomContainerPlugins$ApiHolder.call(CustomContainerPlugins.java:166)
>         at org.apache.solr.api.V2HttpCall.handleAdmin(V2HttpCall.java:340)
>         at org.apache.solr.servlet.HttpSolrCall.handleAdminRequest(HttpSolrCall.java:818)
>         at org.apache.solr.servlet.HttpSolrCall.call(HttpSolrCall.java:566)
>         at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:415)
>         at org.apache.solr.servlet.SolrDispatchFilter.doFilter(SolrDispatchFilter.java:345)
>         at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1596)
>         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590)
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1610)
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
>         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1300)
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
>         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1580)
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1215)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>         at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:221)
>         at org.eclipse.jetty.server.handler.InetAccessHandler.handle(InetAccessHandler.java:177)
>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>         at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322)
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>         at org.eclipse.jetty.server.Server.handle(Server.java:500)
>         at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
>         at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
>         at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
>         at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
>         at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
>         at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
>         at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
>         at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
>         at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.reflect")
>         at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>         at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
>         at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
>         at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
>         at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:174)
>         at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:576)
>         at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
>         at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:543)
>         at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:576)
>         at java.base/java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:899)
>         at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:576)
>         at java.base/java.net.FactoryURLClassLoader.loadClass(URLClassLoader.java:899)
>         at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
>         at java.base/jdk.internal.misc.Unsafe.defineClass0(Native Method)
>         at java.base/jdk.internal.misc.Unsafe.defineClass(Unsafe.java:1192)
>         at java.base/jdk.internal.reflect.ClassDefiner.defineClass(ClassDefiner.java:63)
>         at java.base/jdk.internal.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:400)
>         at java.base/jdk.internal.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:394)
>         at java.base/java.security.AccessController.doPrivileged(Native Method)
>         at java.base/jdk.internal.reflect.MethodAccessorGenerator.generate(MethodAccessorGenerator.java:393)
>         at java.base/jdk.internal.reflect.MethodAccessorGenerator.generateMethod(MethodAccessorGenerator.java:75)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:53)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.apache.solr.api.AnnotatedApi$Cmd.invoke(AnnotatedApi.java:286)
>         ... 44 more
> {code}
>
> I tried adding the following to security.policy:
>
> {code}
> permission java.lang.RuntimePermission "accessClassInPackage.com.chattopadhyaya";
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache";
> permission java.lang.RuntimePermission "accessClassInPackage.org.eclipse";
> permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
> permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
> permission java.lang.RuntimePermission "accessClassInPackage";
> permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
> {code}
>
> But still there is no difference.
>
> The AnnotatedApi class uses annotations like @EndPoint.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
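Added illustration of the mechanism in the quoted trace; this is a stand-alone demo written for this page, not code from the attached patch or from Solr's AnnotatedApi. The trace bottoms out in jdk.internal.reflect.MethodAccessorGenerator: core reflection runs Method.invoke through a native accessor for the first sun.reflect.inflationThreshold calls (default 15 on JDK 8 through 17), then "inflates" it into a generated bytecode accessor whose superclass lives in the restricted package jdk.internal.reflect; resolving that superclass through the target class's loader chain (here the webapp and plugin loaders) is where SecurityManager.checkPackageAccess fires. That is why the failure appears only after a handful of requests and why granting accessClassInPackage for application packages changes nothing. The demo contrasts that path with a MethodHandle resolved once and bound at registration time, which never goes through MethodAccessorGenerator. The @Command annotation, PingHandler and the dispatcher names are constructed stand-ins for @EndPoint and AnnotatedApi; the MethodHandle approach is offered as one way to fix the calling code rather than the policy, in line with the comment above, and is not a claim about how this issue was eventually resolved. (JDK 18's JEP 416 later reimplemented core reflection on method handles, so the inflation step only exists on older JDKs.)

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.Method;

/**
 * Demo, not Solr code. Dispatches a named command to an annotated handler
 * method two ways: via core reflection (Method.invoke), which the JDK
 * inflates into a generated accessor class in jdk.internal.reflect after
 * sun.reflect.inflationThreshold calls, and via a MethodHandle bound once,
 * which does not use that code generator.
 */
public class ReflectiveDispatchDemo {

    /** Constructed stand-in for an endpoint annotation such as Solr's @EndPoint. */
    @Retention(RetentionPolicy.RUNTIME)
    @interface Command { String value(); }

    /** A handler class as a plugin author might write it (constructed for the demo). */
    public static class PingHandler {
        @Command("ping")
        public String ping(String arg) { return "pong:" + arg; }
    }

    // Path 1: core reflection. Every call goes through Method.invoke; once the
    // per-Method call count crosses the inflation threshold, the JDK defines a
    // bytecode accessor (MethodAccessorGenerator -> ClassDefiner -> Unsafe.defineClass)
    // and loads its jdk.internal.reflect superclass through the handler's class
    // loader chain. Under a SecurityManager whose policy withholds
    // RuntimePermission "accessClassInPackage.jdk.internal.reflect", that load is
    // the checkPackageAccess call shown in the report's stack trace.
    static Object invokeViaReflection(Object target, String cmd, Object... args) throws Exception {
        for (Method m : target.getClass().getMethods()) {
            Command c = m.getAnnotation(Command.class);
            if (c != null && c.value().equals(cmd)) {
                return m.invoke(target, args);
            }
        }
        throw new IllegalArgumentException("no handler for " + cmd);
    }

    // Path 2: resolve the annotated method once to a MethodHandle and bind the
    // receiver at registration time. Invocation is compiled by java.lang.invoke
    // rather than by MethodAccessorGenerator, so the number of calls never changes
    // which code path is taken or which permission check it meets.
    static MethodHandle resolveHandle(Object target, String cmd) throws Exception {
        MethodHandles.Lookup lookup = MethodHandles.lookup();
        for (Method m : target.getClass().getMethods()) {
            Command c = m.getAnnotation(Command.class);
            if (c != null && c.value().equals(cmd)) {
                return lookup.unreflect(m).bindTo(target);
            }
        }
        throw new IllegalArgumentException("no handler for " + cmd);
    }

    public static void main(String[] args) throws Throwable {
        PingHandler handler = new PingHandler();
        int calls = 40; // well past the default inflation threshold of 15

        // Reflection path: the accessor is inflated partway through this loop.
        for (int i = 0; i < calls; i++) {
            String r = (String) invokeViaReflection(handler, "ping", "r" + i);
            if (!r.equals("pong:r" + i)) throw new AssertionError(r);
        }

        // MethodHandle path: same work, one resolution, no accessor generation.
        MethodHandle ping = resolveHandle(handler, "ping");
        for (int i = 0; i < calls; i++) {
            String r = (String) ping.invoke("m" + i);
            if (!r.equals("pong:m" + i)) throw new AssertionError(r);
        }
        System.out.println("both dispatch paths completed " + calls + " calls");
    }
}
```

Compile and run with `javac ReflectiveDispatchDemo.java && java ReflectiveDispatchDemo` on JDK 11 to 17. To watch the inflation step itself, rerun with `-Djava.security.manager` and a policy file that grants the application code base everything except `accessClassInPackage.jdk.internal.reflect`, or lower the threshold with `-Dsun.reflect.inflationThreshold=2` so the generated accessor is defined on the third reflective call; whether the check actually trips in a plain application depends on the JDK build and on the class loader chain, which in the report above runs through Jetty's WebAppClassLoader and a plugin URLClassLoader. The design point is the one Robert makes: the dispatcher should not depend on a code path that changes shape after N calls, and the MethodHandle version removes that dependency instead of widening the policy.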