Mantis Bugtracker
  

Viewing Issue Advanced Details
ID: 0001008
Category: [Resin]
Severity: major
Reproducibility: always
Date Submitted: 03-22-06 12:31
Last Update: 08-21-06 15:27
Reporter: robin.sharp
View Status: public
Assigned To: ferg
Priority: high
Resolution: fixed
Platform:
Status: closed
OS:
Projection: none
OS Version:
ETA: none
Fixed in Version: 3.0.22
Product Version: 3.0.18
Product Build:
Summary: 0001008: Problems running jspwiki - Professional Licence
Description: I have a Resin Professional Licence, I'd like some help with this please.

Can't run jspwiki

Steps To Reproduce
Additional Information: http://www.caucho.com/support/resin-interest/0602/0070.html
http://www.jspwiki.org/wiki/JSPWikiServletCompatibility#section-JSPWikiServletCompatibility-Resin

I have verified this.

http://www.jspwiki.org/wiki/Security2.3FAQ#section-Security2.3FAQ-Downloaded2.3.72InstalledButEveryPageDemandsILoginEvenToViewPages

It's easy to replicate.

Works on Tomcat, doesn't with Resin 3.x, all out of the box, no customization.
Attached Files

- Relationships

- Notes
(0001424)
anonymous
07-02-06 16:46

Hi. I'm the principal author of the security system for JSPWiki. I've traced the issue to a specific part of Resin, namely the com.caucho.vfs.JarPath. Specifically, we rely on classes with custom Permission classes that (because they are custom) must be digitally signed. I've noticed that JarEntry(JarPath) creates CodeSource objects with a null Certificate[] parameter. What it should do is extract the certificates from the Jar and pass them to the new CodeSource object.

Looking at the source for JarPath and Jar (caucho), I'd recommend adding a Certificate[] getCertificates() method to both of these classes (JarPath delegates to Jar). Note that you have to read in the jar completely before its certificates are available.

Something like this for caucho's Jar/JarPath implementation would work nicely:

// needs java.io.IOException, java.io.InputStream, java.security.cert.Certificate
public Certificate[] getCertificates() throws IOException {
      // Read the entry to the end; the signer certificates are not
      // available until the whole entry has been read.
      InputStream is = jar.getInputStream(entry);
      try {
        byte[] buf = new byte[1024];
        while (is.read(buf) != -1) {
        }
      } finally {
        is.close();
      }
      return entry.getCertificates();
}

Then, in the JarEntry constructor you'd simply have:

  JarEntry(JarPath jarPath)
  {
    _jarPath = jarPath;
    try {
      // Pass the jar's signer certificates through instead of null.
      Certificate[] certs = jarPath.getCertificates();
      _codeSource = new CodeSource(new URL(jarPath.getURL()), certs);
    } catch (Exception e) {
      log.log(Level.WARNING, e.toString(), e);
    }

    readManifest();
  }

Short of attempting these fixes myself, I can't verify this is the exact formula that will work. But the solution is probably similar to this.

Contact me at andrew AT freshcookies DOT org if you want to discuss further; I tried setting up an account on Caucho's bugtracker but the e-mail system appears to be down.

Needless to say this is a showstopper issue for us; JSPWiki will simply not run at all on Resin until this is resolved. Thanks in advance for your help.

--Andrew
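
Added example, not part of the note above and not Resin or JSPWiki code: it shows why the null Certificate[] matters, using `CodeSource.implies`, the check the Java policy machinery uses to match a grant against loaded code, and it also drains jar entries to list their signers. The stub certificate, the class name and the jar path are constructed assumptions.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class CodeSourceCertsDemo {
    // Constructed stand-in for a signer certificate (not a real X.509 certificate).
    static Certificate stubCert() {
        return new Certificate("X.509") {
            public byte[] getEncoded() { return new byte[] {1, 2, 3}; }
            public void verify(PublicKey key) { }
            public void verify(PublicKey key, String sigProvider) { }
            public String toString() { return "stub signer certificate"; }
            public PublicKey getPublicKey() { return null; }
        };
    }

    // Signer certificates of one entry; the JDK only fills them in once the
    // entry has been read to the end, so drain it before asking.
    static Certificate[] signersOf(JarFile jar, JarEntry entry) throws Exception {
        try (InputStream in = jar.getInputStream(entry)) {
            byte[] buf = new byte[8192];
            while (in.read(buf) != -1) { }
        }
        return entry.getCertificates();
    }

    public static void main(String[] args) throws Exception {
        URL location = URI.create("file:/opt/app/WEB-INF/lib/signed-lib.jar").toURL(); // hypothetical path
        Certificate[] signer = { stubCert() };
        CodeSource grant = new CodeSource(location, signer);                   // grant that requires a signer
        CodeSource nullCerts = new CodeSource(location, (Certificate[]) null); // what this issue describes
        CodeSource jarCerts = new CodeSource(location, signer);                // certificates passed through
        System.out.println("grant implies null-cert source: " + grant.implies(nullCerts));
        System.out.println("grant implies signed source:    " + grant.implies(jarCerts));

        if (args.length == 1) { // optional: path to a jar whose entries should be inspected
            try (JarFile jar = new JarFile(args[0])) {
                for (JarEntry e : Collections.list(jar.entries())) {
                    if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                    Certificate[] certs = signersOf(jar, e);
                    System.out.println(e.getName() + ": " + (certs == null ? "unsigned" : certs.length + " cert(s)"));
                }
            }
        }
    }
}
```

Run it with no arguments for the CodeSource comparison, or pass the path of a signed jar to see which entries report signer certificates after being read.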
 
(0001473)
ferg
08-21-06 15:27

Thanks for the help tracking this down.

server/1491
 

- Issue History
Date Modified Username Field Change
03-22-06 12:31 robin.sharp New Issue
03-01-06 07:23 sam Priority normal => high
07-02-06 16:46 anonymous Note Added: 0001424
08-21-06 15:27 ferg Note Added: 0001473
08-21-06 15:27 ferg Assigned To  => ferg
08-21-06 15:27 ferg Status new => closed
08-21-06 15:27 ferg Resolution open => fixed
08-21-06 15:27 ferg Fixed in Version  => 3.0.22
09-05-06 21:35 ajaquith2 Issue Monitored: ajaquith2

