From: Boudewijn R. <bo...@re...> - 2000-12-01 15:00:45
Well, thanks to all the help I've succeeded in getting the Console.py compiled in to a jarfile, and I can call the code from my application. However, the app uses the java.security features, and it appears that the Jython BytecodeLoader classloader is wreaking havoc in the subtle scheme of security.

First we got this:

onal>
<additional-text>Exception is java.security.AccessControlException, message is access denied (java.lang.RuntimePermission createClassLoader)</additional-text>
<additional-trace>java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
    at java.security.AccessController.checkPermission(AccessController.java:399)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
    at com.tryllian.are.security.SecurityManager.checkPermission(SecurityManager.java:188)
    at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:610)
    at java.lang.ClassLoader.<init>(ClassLoader.java:234)
    at org.python.core.BytecodeLoader.<init>(BytecodeLoader.java:8)
    at org.python.core.BytecodeLoader.makeCode(BytecodeLoader.java:148)
    at org.python.core.Py.compile(Py.java:1449)
    at org.python.modules.codeop.compile_command(codeop.java:23)
    at org.python.modules.code.compile_command(code.java:8)
    at java.lang.reflect.Method.invoke(Native Method)
    at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:158)
    at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:166)
    at org.python.core.PyObject.__call__(PyObject.java:272)
    at org.python.pyconsole.Console$_PyInner.handleLine$20(Console.java:426)
    at org.python.pyconsole.Console$_PyInner.call_function(Console.java:222)
    at org.python.core.PyTableCode.call(PyTableCode.java:155)
    at org.python.core.PyTableCode.call(PyTableCode.java:222)
    at org.python.core.PyFunction.__call__(PyFunction.java:99)
    at org.python.core.PyInstance.invoke(PyInstance.java:267)
    at org.python.pyconsole.Console$_PyInner.enter$13(Console.java:350)
    at org.python.pyconsole.Console$_PyInner.call_function(Console.java:208)
    at org.python.core.PyTableCode.call(PyTableCode.java:155)
    at org.python.core.PyTableCode.call(PyTableCode.java:353)
    at org.python.core.PyTableCode.call(PyTableCode.java:258)
    at org.python.core.PyFunction.__call__(PyFunction.java:110)
    at org.python.core.PyMethod.__call__(PyMethod.java:83)
    at org.python.core.PyObject.__call__(PyObject.java:260)
    at org.python.core.PyInstance.invoke(PyInstance.java:256)
    at org.python.pyconsole.Action$_PyInner.actionPerformed$2(Action.java:90)
    at org.python.pyconsole.Action$_PyInner.call_function(Action.java:46)
    at org.python.core.PyTableCode.call(PyTableCode.java:155)
    at org.python.core.PyTableCode.call(PyTableCode.java:353)
    at org.python.core.PyTableCode.call(PyTableCode.java:258)
    at org.python.core.PyFunction.__call__(PyFunction.java:110)
    at org.python.core.PyMethod.__call__(PyMethod.java:83)
    at org.python.core.PyObject.__call__(PyObject.java:250)
    at org.python.core.PyObject._jcallexc(PyObject.java:2017)
    at org.python.core.PyObject._jcall(PyObject.java:2049)
    at org.python.proxies.Action$Action$0.actionPerformed(Unknown Source)
    at javax.swing.SwingUtilities.notifyAction(SwingUtilities.java:1702)
    at javax.swing.JComponent.processKeyBinding(JComponent.java:2156)
    at javax.swing.JComponent.processKeyBindings(JComponent.java:2182)
    at javax.swing.JComponent.processKeyEvent(JComponent.java:2119)
    at javax.swing.JEditorPane.processKeyEvent(JEditorPane.java:1159)
    at java.awt.Component.processEvent(Component.java:3555)
    at java.awt.Container.processEvent(Container.java:1164)
    at java.awt.Component.dispatchEventImpl(Component.java:2595)
    at java.awt.Container.dispatchEventImpl(Container.java:1213)
    at java.awt.Component.dispatchEvent(Component.java:2499)
    at java.awt.LightweightDispatcher.processKeyEvent(Container.java:2155)
    at java.awt.LightweightDispatcher.dispatchEvent(Container.java:2135)
    at java.awt.Container.dispatchEventImpl(Container.java:1200)
    at java.awt.Window.dispatchEventImpl(Window.java:912)
    at java.awt.Component.dispatchEvent(Component.java:2499)
    at java.awt.EventQueue.dispatchEvent(EventQueue.java:319)
    at java.awt.EventDispatchThread.pumpOneEvent(EventDispatchThread.java:103)
    at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:93)
    at java.awt.EventDispatchThread.run(EventDispatchThread.java:84)
</additional-trace>
</additional></info>

Our local security expert traced this to

Class: class org.python.proxies.Action$Action$0
  ClassLoader: org.python.core.BytecodeLoader@61dadb
  CodeSource: (null <no certificates>)
  Permissions: java.security.Permissions@24c414 (
    (java.util.PropertyPermission java.vendor read)
    (java.util.PropertyPermission java.specification.version read)
    (java.util.PropertyPermission line.separator read)
    (java.util.PropertyPermission java.class.version read)
    (java.util.PropertyPermission java.specification.name read)
    (java.util.PropertyPermission java.vendor.url read)
    (java.util.PropertyPermission java.vm.version read)
    (java.util.PropertyPermission os.name read)
    (java.util.PropertyPermission os.arch read)
    (java.util.PropertyPermission os.version read)
    (java.util.PropertyPermission java.version read)
    (java.util.PropertyPermission java.vm.specification.version read)
    (java.util.PropertyPermission java.vm.specification.name read)
    (java.util.PropertyPermission java.specification.vendor read)
    (java.util.PropertyPermission java.vm.vendor read)
    (java.util.PropertyPermission file.separator read)
    (java.util.PropertyPermission path.separator read)
    (java.util.PropertyPermission java.vm.name read)
    (java.util.PropertyPermission java.vm.specification.vendor read)
  )

Which appears not to come from any jarfile, which means that it can't be signed - which means that the secureClassLoader chokes on it. We couldn't find the origin of proxies.Action, anyway.

I'm going to try whether deriving the BytecodeLoader from a SecureClassLoader makes any difference, but I feel that that's a rather long shot.

Boudewijn Rempt | http://www.valdyas.org

From: <bc...@wo...> - 2000-12-01 17:18:02
[Boudewijn Rempt]

>Well, thanks to all the help I've succeeded in getting the
>Console.py compiled in to a jarfile, and I can call the code from my
>application. However, the app uses the java.security features, and it
>appears that the Jython BytecodeLoader classloader is wreaking havoc in
>the subtle scheme of security.
>...
>Class: class org.python.proxies.Action$Action$0
> ClassLoader: org.python.core.BytecodeLoader@61dadb
> CodeSource: (null <no certificates>)
> Permissions: java.security.Permissions@24c414 (
>Which appears not to come from any jarfile, which means that it can't
>be signed - which means that the secureClassLoader chokes on it. We couldn't
>find the origin of proxies.Action, anyway.

The org.python.proxies.Action$Action$0 class is a dynamically generated class, created because the static jythonc compiler failed to detect that the Action class in Action.py is subclassing a java class. Try changing the Action.py file like this:

--- Action.py.org Wed Feb 24 15:45:27 1999 +++ Action.py Fri Dec 01 17:53:37 2000 @@ -1,5 +1,5 @@ # I don't really like the design of this one... -from pawt import swing +from javax import swing class Action(swing.AbstractAction):

The "pawt" module is a clever and dynamic way to detect the name of the swing package, much too clever for jythonc. When jythonc fails to create a proxy for swing.AbstractAction at compile time, jython will instead create it at runtime.

regards,
finn

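Review bot: the "+from javax import swing" line hard-codes the package name that pawt resolved dynamically, and nothing in the file records why, so a later cleanup could switch it back and the proxy for swing.AbstractAction would again be generated at runtime. Add a comment above the import saying that jythonc needs the static javax import to emit the proxy at compile time, and make the same change in any other module compiled into the jar that still uses "from pawt import swing".
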
From: Samuele P. <pe...@in...> - 2000-12-01 20:34:17
Hi.

One problem we encounter is that for the classes in Action.py jythonc does not really compile proxies, so these are created at runtime.

The line:

from pawt import swing

in Action.py should be changed to something more explicit like

from javax import swing

so proxies are created.

I have not tried if the resulting Console class works. I can imagine that the new context of not-runtime created proxies could possibly avoid the problem. From your stack trace I deduce that under your security settings code in the Console jar can call code that creates classloaders without creating security problems. This is not true for runtime created proxies because they have no permissions.

regards,
Samuele Pedroni.

----- Original Message -----
From: Boudewijn Rempt <bo...@re...>
To: <jyt...@so...>
Sent: Friday, December 01, 2000 3:58 PM
Subject: [Jython-users] Embedding a python console in java - security problems

> Well, thanks to all the help I've succeeded in getting the
> Console.py compiled in to a jarfile, and I can call the code from my
> application. However, the app uses the java.security features, and it
> appears that the Jython BytecodeLoader classloader is wreaking havoc in
> the subtle scheme of security.
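
Added example, not part of the thread and not Jython's code: a small Java model of why the same createClassLoader call succeeds when the proxy is compiled into the Console jar and fails when the proxy is generated at runtime. The jar URL, the class name ProxyDomainDemo and the helper allowed() are assumptions made for the illustration; the loop applies the rule the access controller uses on a stack walk, that every protection domain on the stack must imply the permission.

```java
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ProxyDomainDemo {
    // A permission check passes only if EVERY protection domain with a frame
    // on the call stack implies the permission; one weak frame is enough to fail.
    static boolean allowed(Permission p, ProtectionDomain... stack) {
        for (ProtectionDomain pd : stack) {
            if (!pd.implies(p)) {
                System.out.println("  refused by domain " + pd.getCodeSource());
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Permission create = new RuntimePermission("createClassLoader");

        // Constructed stand-in for the Console jar: its domain has been granted
        // the permission that BytecodeLoader's constructor requires.
        Permissions jarPerms = new Permissions();
        jarPerms.add(create);
        ProtectionDomain consoleJar = new ProtectionDomain(
            new CodeSource(URI.create("file:/example/console.jar").toURL(),
                           (Certificate[]) null),
            jarPerms);

        // Constructed stand-in for a proxy class defined at runtime: null code
        // source and no grant. The dump in the thread lists only PropertyPermission
        // reads for it; they are left out because none implies createClassLoader.
        ProtectionDomain runtimeProxy = new ProtectionDomain(
            new CodeSource(null, (Certificate[]) null), new Permissions());

        // Proxy emitted by jythonc at compile time: all frames are in the jar's domain.
        System.out.println("compile-time proxy: " + allowed(create, consoleJar, consoleJar));
        // Proxy generated at runtime: its own frame is on the stack too.
        System.out.println("runtime proxy:      " + allowed(create, consoleJar, runtimeProxy));
    }
}
```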