[jira] [Created] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

classic Classic list List threaded Threaded
26 messages Options
12
Reply | Threaded
Open this post in threaded view
|

[jira] [Created] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
StringUtils throws java.security.AccessControlException on Google App Engine
----------------------------------------------------------------------------

                 Key: LANG-744
                 URL: https://issues.apache.org/jira/browse/LANG-744
             Project: Commons Lang
          Issue Type: Bug
          Components: lang.*
    Affects Versions: 3.0.1
         Environment: Google App Engine
            Reporter: Clément Denis


In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.

{code}
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
        at java.lang.Class.checkMemberAccess(Class.java:2164)
        at java.lang.Class.getMethod(Class.java:1602)
        at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
{code}

The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").

Commons lang 2 worked fine on GAE.


--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13088637#comment-13088637 ]

Sebb commented on LANG-744:
---------------------------

The static code should probably just catch Exception.

Do we really want any RuntimeExceptions to escape into the calling code?

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13089311#comment-13089311 ]

Henri Yandell commented on LANG-744:
------------------------------------

No, but equally I'd like to hear when issues are found rather than hide them before hand.

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Resolved] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

     [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Yandell resolved LANG-744.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 3.0.2

I've added the new exception. Feel free to reopen if you disagree Sebb.

svn ci -m "Adding an exception to catch AccessControlExceptions in Google App Engine as reported by Clément Denis in LANG-744" src/main/java/org/apache/commons/lang3/StringUtils.java
Sending        src/main/java/org/apache/commons/lang3/StringUtils.java
Transmitting file data .
Committed revision 1160568.


> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Reopened] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

     [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb reopened LANG-744:
-----------------------


Why do we care which Exceptions can be generated?

We take the same action in each case, so I don't see the point of enumerating the Exceptions, unless there is different action to be taken for some of them.

But even then, we would probably need a catchall Exception.

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13091043#comment-13091043 ]

Gary D. Gregory commented on LANG-744:
--------------------------------------

This is not a bug but the way Java Security Manager is designed to work.

The patch should be reverted IMO because the exception is correct.

This does not only happen with GAE, it happens anytime when running under Java's security manager ({{-Djava.security.manager}})

I do not think we should swallow the exception. In my case, I need to give proper rights to the code.

In my test at work with the security manager enabled I see:

{{java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)}}

Which means I need to add the following to my .policy file:

{noformat}
grant {
  // ...  
  // Apache Commons Lang3
  permission java.lang.RuntimePermission "accessClassInPackage.sun.text";
  // ...
};
{noformat}



> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13091062#comment-13091062 ]

Clément Denis commented on LANG-744:
------------------------------------

I don't agree with that.
The security manager cannot be changed in GAE, or in any other managed environment with strong security policiy.

The use of a sun.* class is basically a hack, so I don't see why it should prevent me from using StringUtils in GAE.
From a user point of view, it's a huge regression (I think I'm right when I say that StringUtils is one of the most widely used class in commons-lang).

It would be acceptable if the method stripAccents raised a RuntimeError if no Normalizer could be found.
But this bug prevents the use of the whole class.


> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13091073#comment-13091073 ]

Gary D. Gregory commented on LANG-744:
--------------------------------------

The current exception tell you what to do for a normal set up with a security manager, clean and simple.

If you do not control the security manager, then you are in a pickle. Perhaps we need some toggle.

The current implementation should at least be revisited because it is wrong to set sunAvailable to false when in fact I can fix the exception as a user by editing a text file that can be passed in on the JVM CLI. If I never know that an exception was thrown, I cannot fix the problem.

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13091661#comment-13091661 ]

Henri Yandell commented on LANG-744:
------------------------------------

Much as System.out is weak; should we simply output a printStackTrace on the exception?

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13091776#comment-13091776 ]

Gary D. Gregory commented on LANG-744:
--------------------------------------

That would be a minimum but I still do not like the design of {{catch (java.security.AccessControlException e)}}.

If we do that it means that we should go through all [lang] (and [commons]) static initializers to possibly add this block. It is also inconsistent with methods that we do not even know may throw ACE? In one place we catch it, in others we do not. Not great. I need to think about this some more. Crazy day here...




> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13091797#comment-13091797 ]

Stephen Colebourne commented on LANG-744:
-----------------------------------------

[lang] already handles something similar in SystemUtils, line 1266
http://svn.apache.org/viewvc/commons/proper/lang/trunk/src/main/java/org/apache/commons/lang3/SystemUtils.java?revision=1160564&view=markup


> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13095123#comment-13095123 ]

Henri Yandell commented on LANG-744:
------------------------------------

I've added a similar item while Gary ruminates on this:

+            System.err.println("Caught a AccessControlException loading sun.text.Normalizer. " +
+                               "Adjust your security manager if you want to use the stripAccents method. ");

Committed as r1163906.

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13095211#comment-13095211 ]

Sebb commented on LANG-744:
---------------------------

The message will be thrown even if the sun method is not needed; that does not seem right.

If the sun method is unavailable, the code that conditionally calls it throws UnsupportedOperationException:

"The stripAccents(CharSequence) method requires at least Java 1.6 or a Sun JVM");

We could record the Exception in the static block, and add it as the cause for the UOE.
It would then only appear when necessary.

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13095689#comment-13095689 ]

Gary D. Gregory commented on LANG-744:
--------------------------------------

Well, I've ruminated, pondered and experimented.

Running all unit tests with a security managers results in:

Tests run: 2046, Failures: 2, Errors: 115, Skipped: 0

Clearly, we need a good overall solution to avoid 117 new Jiras (an exaggeration I know.)

I've created a JAAS policy file to grant just enough permissions to run the unit tests in {{src/test/resource/java.policy}}

The file contains instructions for using it with JAAS.

What this shows is that we should either:

# Run all unit tests a second time with JAAS enabled, or
# Run all unit tests with JAAS enabled, always

We should our solution as a pattern for other Commons component.

Specifically for StringUtils, should we have a SunStringUtils? This would let you know that you are depending on com.sun code.

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13098076#comment-13098076 ]

Sebb commented on LANG-744:
---------------------------

Reworked static init in r1165701.

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13102219#comment-13102219 ]

Henri Yandell commented on LANG-744:
------------------------------------

Gary - are you +1 on Sebb's change?

ie) Keep the exception, but only when stripAccents is invoked (making it the same as other examples presumably are).

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13102304#comment-13102304 ]

Gary D. Gregory commented on LANG-744:
--------------------------------------

Yes, it's better. I'm not crazy about saving the exception but it's a good pragmatic solution.

Q: Could a JAAS policy be changed dynamically such that the original code work normally?

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13102456#comment-13102456 ]

Henri Yandell commented on LANG-744:
------------------------------------

Who is the question to?

[As I turn into a release manager and clearly am thinking "how do I close this?"] :)

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13102623#comment-13102623 ]

Gary D. Gregory commented on LANG-744:
--------------------------------------

The question is to myself or anyone willing to dig in to JAAS. It should not hold up a release.

What I am wondering is this: Is it technically possible to change JAAS permissions at runtime such that the code now in the static initializer could fail and then later, pass.

It might be a far fetched scenario, I am not sure, but JAAS has a some pluggable pieces.

I am pointing this out because we are low level library and we should do our best not to lock out a feature if we don't have to.

Our code could be changed later to move the check or in the actual method that needs it instead of the class initializer.

> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (LANG-744) StringUtils throws java.security.AccessControlException on Google App Engine

ASF GitHub Bot (Jira)
In reply to this post by ASF GitHub Bot (Jira)

    [ https://issues.apache.org/jira/browse/LANG-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13102665#comment-13102665 ]

Sebb commented on LANG-744:
---------------------------

It might be worth changing the static init to a lazy init (IOD).
This would reduce the overhead for applications that don't call stripAccents.

Even if it is possible to change permissions without reloading the class, I'm not sure we check the methods each time.



> StringUtils throws java.security.AccessControlException on Google App Engine
> ----------------------------------------------------------------------------
>
>                 Key: LANG-744
>                 URL: https://issues.apache.org/jira/browse/LANG-744
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.0.1
>         Environment: Google App Engine
>            Reporter: Clément Denis
>             Fix For: 3.0.2
>
>
> In the static initializer of org.apache.commons.lang3.StringUtils, there is an attempt to load the class sun.text.Normalizer.
> Such a class is prohibited on Google App Engine, and the static intializer throws a java.security.AccessControlException.
> {code}
> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.text)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> at java.security.AccessController.checkPermission(AccessController.java:546)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:166)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
> at java.lang.Class.checkMemberAccess(Class.java:2164)
> at java.lang.Class.getMethod(Class.java:1602)
> at org.apache.commons.lang3.StringUtils.<clinit>(StringUtils.java:739)
> {code}
> The exception should be caught in the catch clauses around loadClass("sun.text.Normalizer").
> Commons lang 2 worked fine on GAE.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira


12