0001008: Problems running jspwiki - Professional Licence

Mantis - Resin
Viewing Issue Advanced Details

ID:	Category:	Severity:	Reproducibility:	Date Submitted:	Last Update:
1008		major	always	03-22-06 12:31	08-21-06 15:27

Reporter:	robin.sharp	Platform:
Assigned To:	ferg	OS:
Priority:	high	OS Version:
Status:	closed	Product Version:	3.0.18
Product Build:		Resolution:	fixed
Projection:	none
ETA:	none	Fixed in Version:	3.0.22

Summary:	0001008: Problems running jspwiki - Professional Licence
Description:	I have a Reson Professional Licence, I'd like some help with this please. Can't run jspwiki
Steps To Reproduce:
Additional Information:	http://www.caucho.com/support/resin-interest/0602/0070.html [^] http://www.jspwiki.org/wiki/JSPWikiServletCompatibility#section-JSPWikiServletCompatibility-Resin [^] I have verified this. http://www.jspwiki.org/wiki/Security2.3FAQ#section-Security2.3FAQ-Downloaded2.3.72InstalledButEveryPageDemandsILoginEvenToViewPages [^] Its easy to replicate. Works on Tomcat, doesn't with Resin 3.x, all out of the box, no customization.
Relationships
Attached Files:

Notes

Hi. I'm the principal author of the security system for JSPWiki. I've traced the issue to a specific part of Resin, namely the com.caucho.vfs.JarPath. Specifcally, we rely on classes with custom Permission classes that (because they are custom) must be digitally signed. I've noticed that JarEntry(JarPath) creates CodeSource objects with a null Certificate[] parameter. What it should do is extract the certificates from the Jar and pass them to the new CodeSource object.

Looking at the source for JarPath and Jar (caucho), I'd recommend adding a Certificate[] getCertificates() method to both of these classes (JarPath delegates to Jar). Note that you have to read in the jar completely before its certificates are available.

Something like this for caucho's Jar/JarPath implementation would work nicely:

public Certificate getCertificates() {
      InputStream is = jar.getInputStream(entry);
      byte[] buf = new byte[1024];
      while (is.read(buf) > 0) {
      }
      is.close();
      Certificate[] signingCerts = entry.getCertificates();
      return signingCerts;
}

Then, in the JarEntry constructor you'd simply have:

  JarEntry(JarPath jarPath)
  {
    _jarPath = jarPath;
    Certificate[] certs = jarPath.getCertificates();
    try {
      _codeSource = new CodeSource(new URL(jarPath.getURL()),
                   (Certificate []) certs);
    } catch (Exception e) {
      log.log(Level.WARNING, e.toString(), e);
    }

    readManifest();
  }

Short of attempting these fixes myself, I can't verify this is the exact formula that will work. But the solution is probably similar to this.

Contact me at andrew AT freshcookies DOT org if you want to discuss further; I tried setting up an account on Caucho's bugtracker but the e-mail system appears to be down.

Needless to say this is a showstopper issue for us; JSPWiki will simply not run at all on Resin until this is resolved. Thanks in advance for your help.

--Andrew