Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Spring Expression Language creates systemProperties bean calling System.getProperties() which in enterprise shared containers is locked down [SPR-6308] #10974

Closed
spring-projects-issues opened this issue Nov 5, 2009 · 6 comments
Assignees
Labels
in: core Issues in core modules (aop, beans, core, context, expression) type: enhancement A general enhancement
Milestone

Comments

@spring-projects-issues
Copy link
Collaborator

spring-projects-issues commented Nov 5, 2009

Matt Goldspink opened SPR-6308 and commented

We have a shared hosting environment for all our Tomcat containers in the firm and multiple teams may have webapps in the same Tomcat instance. As such the security policy is setup to disallow access to System.getProperties() as this will return a mutable view of all the system properties and if one application were to manipulate these it may adversely affect other applications in the same container.

We know the workaround for now is to simply drop in a bean named systemProperties but we would prefer a fix on the Spring side for this because it will likely catch all other groups that run a similar model to us. It seams like adding a simple bean which just delegates the call to System.getProperty("name") (which is not locked down) would be good enough to do this.


Affects: 3.0 RC1

Issue Links:

Referenced from: commits 68f57aa

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Nov 11, 2009

Arjen Poutsma commented

Fixed.

When access to System.getProperties() is denied, we now lazily access system properties via System.getProperty(String). If that is denied too, we log a warning.

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Nov 11, 2009

Matt Goldspink commented

This looks great. Thanks Arjen.

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Nov 12, 2009

Sree Vaddi commented

Hi,

http://jira.springframework.org/browse/SPR-6287
I verified my app with spring build 458.
I still see error in my server.log but my app loads up OK.

As suggested by Matt in http://jira.springframework.org/browse/SPR-6308

The only way, I could get rid of the exception is,
by dropping systemProperties and systemEnvironment beans.

Now, my app loads smoothly without any exceptions.

By the way, when is 3.0 RC2 release due ?

Thank you very much.

With Regards
Sree

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Mar 7, 2013

Gagandeep Singh commented

I am acing this issue in Was 7 and Spring 3.1.3 Release . I added the following two properties
<beans:bean id="systemProperties" class="java.util.HashMap"></beans:bean>
<beans:bean id="systemEnvironment" class="java.util.HashMap"></bean:bean>
However i still get the following error
Code Base Location:

[3/7/13 17:20:29:365 EST] 0000000b webapp I com.ibm.ws.webcontainer.webapp.WebApp log SRVE0292I: Servlet Message - [bst-51881#bst.war]:.Initializing Spring FrameworkServlet 'appServlet'
[3/7/13 17:20:29:684 EST] 0000000b SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Refer to the InfoCenter for further information.

Permission:

getenv.* : Access denied (java.lang.RuntimePermission getenv.*)

Code:

org.springframework.core.env.AbstractEnvironment  in  {file:/opt/httpd/root/apps/ibm7/ccix/xyz.war/WEB-INF/lib/spring-core-3.1.3.RELEASE.jar}

Stack Trace:

java.security.AccessControlException: Access denied (java.lang.RuntimePermission getenv.*)
at java.security.AccessController.checkPermission(AccessController.java:132)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:206)
at java.lang.System.getenv(System.java:687)
at org.springframework.core.env.AbstractEnvironment.getSystemEnvironment(AbstractEnvironment.java:345)
at org.springframework.core.env.StandardEnvironment.customizePropertySources(StandardEnvironment.java:79)

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Jan 9, 2014

Juergen Hoeller commented

I suppose this is just a warning, not a fatal exception? I suppose it is logging any attempt to call System.getEnv there, even when guarded by a catch clause...

Juergen

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Jan 9, 2014

Juergen Hoeller commented

Haven't noticed before: Let's continue the discussion at #15921, the follow-up to this one...

Juergen

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: core Issues in core modules (aop, beans, core, context, expression) type: enhancement A general enhancement
Projects
None yet
Development

No branches or pull requests

2 participants