This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
Summary: | Security problems: Cannot create a class in DynamicJava | ||
---|---|---|---|
Product: | obsolete | Reporter: | _ hkrug <hkrug> |
Component: | languages | Assignee: | issues@ide <issues> |
Status: | CLOSED DUPLICATE | ||
Severity: | blocker | CC: | dstrupl, jglick |
Priority: | P3 | ||
Version: | 3.x | ||
Hardware: | PC | ||
OS: | Linux | ||
Issue Type: | DEFECT | Exception Reporter: |
Description
_ hkrug
2002-06-04 18:45:24 UTC
hmm.. what version of netbeans are you using? it works for me in the dev build 200206030100. I think I've done some fixes that deal with the issue in the 3.4 codebase. please try to modify the Netbeans/bin/ide.policy file, grant all permissions to everyone:

    grant codeBase "file:/-" { permission java.security.AllPermission; };

I'm sorry, I've tried the example with Beanshell, rather than dynamic java.. it doesn't work for me either.. I've searched the history of bugs and I think your problem is a duplicate of #19133. please add the switch -J-Dnetbeans.security.nocheck=true to your ide.cfg file and it should work, however there's more to the problem of DynamicJava, for details and how to work around the problem see #19133

*** This issue has been marked as a duplicate of 19133 ***

Thanks for your answer and the hint to issue 19133. Your analysis given there of the exception appearing after -J-Dnetbeans.security.nocheck=true has been added to ide.cfg is clear and corresponds to my own thoughts. But the first exception reported in issue 19133 seems strange to me. It appears when -J-Dnetbeans.security.nocheck=true is not added to ide.cfg. It is identical to the exception I reported in this issue. This exception is thrown because access is denied to create a new class loader. Why is access denied to create a new class loader? The ide.policy explicitly provides all permissions to all local files and also the TopSecurityManager does not disallow class loader creation. So why this problem? The answer seems to be that an entry like

    grant codeBase "file:/-" { permission java.security.AllPermission; };

seems not to be sufficient. If I try:

    grant { permission java.lang.RuntimePermission "createClassLoader"; };
    grant codeBase "file:/-" { permission whatever-appropriate; };

the first exception does not appear and I get the second one. Hence it is not necessary to add -J-Dnetbeans.security.nocheck=true to ide.cfg. It suffices to add

    grant { permission java.lang.RuntimePermission "createClassLoader"; };

to the policy file. This allows all classes, not only those retrieved from a local file but also dynamically generated ones, to create a class loader. Unfortunately this permission is quite heavy and one would like to add it only to the classes created by the DynamicJava interpreter. Is it possible to add the `createClassLoader` permission only to DynamicJava generated classes?

Thanks for the analysis, Holger. I must admit I don't have deep knowledge of security managers, I've CCed people that could answer your questions.

Jesse, I wonder if that's worth the fix in ide.cfg.. I think this is a clear duplicate of #19133, right? where the details are covered nicely.

Adding general permission to create new classloaders to ide.cfg is unacceptable for security reasons, and should not be necessary if #19133 is fixed properly.

Hi Jesse, yes it is a duplicate of #19133. I added a DynamicJava patch to #19133 which, if applied to DynamicJava, would solve the problems without compromising security at all. Holger

Resolved for 3.4.x or earlier, no new info since then -> closing.
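Added example, not part of the original bug report or of NetBeans/DynamicJava code: a Java sketch of the access-control rule the thread is circling, namely that a permission check passes only if every protection domain on the call stack implies the permission, so one frame from a class with no `file:` code source defeats the `AllPermission` grant. The jar path and class name are constructed for illustration, and it assumes a JDK older than 24, where these access checks are still implemented.

```java
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

public class StackIntersectionDemo {
    // Build a static protection domain: implies() consults only the permissions given here.
    // A null location models a class defined at runtime without a CodeSource.
    static ProtectionDomain domain(String location, Permission... granted) throws Exception {
        CodeSource cs = location == null ? null
                : new CodeSource(new URL(location), (Certificate[]) null);
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(cs, perms);
    }

    // Same rule AccessController applies to a real call stack:
    // the check fails as soon as one domain does not imply the permission.
    static boolean allowed(Permission p, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Permission createCL = new RuntimePermission("createClassLoader");

        // Constructed path: code loaded from a local jar, matched by
        // grant codeBase "file:/-" { permission java.security.AllPermission; };
        ProtectionDomain ide = domain("file:/opt/ide/lib/core.jar", new AllPermission());

        // Interpreter-generated class: no code source, so the codeBase grant does not apply.
        ProtectionDomain generated = domain(null);

        // Same class under an unconditional
        // grant { permission java.lang.RuntimePermission "createClassLoader"; };
        ProtectionDomain generatedWithGrant = domain(null, createCL);

        System.out.println("IDE code only:               " + allowed(createCL, ide));
        System.out.println("IDE code + generated class:  " + allowed(createCL, ide, generated));
        System.out.println("with unconditional grant:    " + allowed(createCL, ide, generatedWithGrant));
    }
}
```

The second case is denied even though the local code holds `AllPermission`; the third passes only because the grant without a `codeBase` applies to every class, which is why the thread calls that permission heavy.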