GF Quicklook fails with JDK7U25 or later

[glassfishrobot]

Running GF Quicklook with JDK7U25 or later causes a test failure:
[testng] ===============================================
[testng] ejb_remoteview
[testng] Tests run: 3, Failures: 1, Skips: 2
[testng] ===============================================

To reproduce:
1. Unzip glassfish.zip from GF 4.0.1 (I assume GF 4.0 would fail too).
2. Remove the temporary workaround from the GF domain.xml file:
-Djdk.corba.allowOutputStreamSubclass=true
3. Run quicklook tests with JDK7U25 or later.

Quicklook output:

[testng] javax.naming.NamingException: Lookup failed for 'java:global/remoteview/HelloBean!remoteview.HelloHome' in Se
rialContext[myEnv=

{java.naming.factory.initial=com.sun.enterprise.naming.impl.SerialInitContextFactory, java.naming.facto ry.url.pkgs=com.sun.enterprise.naming, java.naming.factory.state=com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryI mpl}

[Root exception is javax.naming.NameNotFoundException: HelloBean!remoteview.HelloHome not found]
[testng] at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:491)
[testng] at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:438)
[testng] at javax.naming.InitialContext.lookup(InitialContext.java:411)
[testng] at test.ejb.remoteview.RemoteViewTestNG.helloRemote(RemoteViewTestNG.java:58)
[testng] Caused by: javax.naming.NameNotFoundException: HelloBean!remoteview.HelloHome not found
[testng] at com.sun.enterprise.naming.impl.TransientContext.doLookup(TransientContext.java:237)
[testng] at com.sun.enterprise.naming.impl.TransientContext.lookup(TransientContext.java:204)
[testng] at com.sun.enterprise.naming.impl.TransientContext.lookup(TransientContext.java:208)
[testng] at com.sun.enterprise.naming.impl.TransientContext.lookup(TransientContext.java:208)
[testng] at com.sun.enterprise.naming.impl.SerialContextProviderImpl.lookup(SerialContextProviderImpl.java:66)
[testng] at com.sun.enterprise.naming.impl.RemoteSerialContextProviderImpl.lookup(RemoteSerialContextProviderImpl.
java:109)
[testng] at com.sun.corba.ee.impl.presentation.rmi.ReflectiveTie.dispatchToMethod(ReflectiveTie.java:143)
[testng] at com.sun.corba.ee.impl.presentation.rmi.ReflectiveTie._invoke(ReflectiveTie.java:173)
[testng] at com.sun.corba.ee.impl.protocol.ServerRequestDispatcherImpl.dispatchToServant(ServerRequestDispatcherIm
pl.java:528)
[testng] at com.sun.corba.ee.impl.protocol.ServerRequestDispatcherImpl.dispatch(ServerRequestDispatcherImpl.java:1
99)
[testng] at com.sun.corba.ee.impl.protocol.MessageMediatorImpl.handleRequestRequest(MessageMediatorImpl.java:1549)
[testng] at com.sun.corba.ee.impl.protocol.MessageMediatorImpl.handleRequest(MessageMediatorImpl.java:1425)
[testng] at com.sun.corba.ee.impl.protocol.MessageMediatorImpl.handleInput(MessageMediatorImpl.java:930)
[testng] at com.sun.corba.ee.impl.protocol.giopmsgheaders.RequestMessage_1_2.callback(RequestMessage_1_2.java:213)
[testng] at com.sun.corba.ee.impl.protocol.MessageMediatorImpl.handleRequest(MessageMediatorImpl.java:694)
[testng] at com.sun.corba.ee.impl.protocol.MessageMediatorImpl.dispatch(MessageMediatorImpl.java:496)
[testng] at com.sun.corba.ee.impl.protocol.MessageMediatorImpl.doWork(MessageMediatorImpl.java:2222)
[testng] at com.sun.corba.ee.impl.threadpool.ThreadPoolImpl$WorkerThread.performWork(ThreadPoolImpl.java:497)
[testng] at com.sun.corba.ee.impl.threadpool.ThreadPoolImpl$WorkerThread.run(ThreadPoolImpl.java:540)
[testng] ... Removed 26 stack frames
[testng] SKIPPED: nonPortableGlobal
[testng] SKIPPED: portableGlobal
[testng]

---

server.log output:

Caused by: java.rmi.RemoteException: ; nested exception is:
java.security.AccessControlException: access denied ("java.io.SerializablePermission" "enableSubclassImplementation")
at com.sun.enterprise.naming.impl.LocalSerialContextProviderImpl.lookup(LocalSerialContextProviderImpl.java:142)
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:478)
... 93 more
Caused by: java.security.AccessControlException: access denied ("java.io.SerializablePermission" "enableSubclassImplementation")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at org.omg.CORBA_2_3.portable.OutputStream.checkPermission(OutputStream.java:65)
at org.omg.CORBA_2_3.portable.OutputStream.(OutputStream.java:81)
at com.sun.corba.ee.impl.encoding.CDROutputObject.(CDROutputObject.java:136)
at com.sun.corba.ee.impl.encoding.EncapsOutputStream.(EncapsOutputStream.java:97)
at com.sun.corba.ee.impl.encoding.EncapsOutputStream.(EncapsOutputStream.java:89)
at com.sun.corba.ee.impl.orb.ORBImpl.create_output_stream(ORBImpl.java:706)
at com.sun.corba.ee.impl.corba.AnyImpl.create_input_stream(AnyImpl.java:544)
at org.omg.CosTransactions.OTSPolicyValueHelper.extract(OTSPolicyValueHelper.java:25)
at com.sun.jts.pi.InterceptorImpl.send_request(InterceptorImpl.java:253)
at com.sun.corba.ee.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:290)
at com.sun.corba.ee.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:378)
at com.sun.corba.ee.impl.protocol.ClientRequestDispatcherImpl.beginRequest(ClientRequestDispatcherImpl.java:324)
at com.sun.corba.ee.impl.protocol.ClientDelegateImpl.request(ClientDelegateImpl.java:227)
at com.sun.corba.ee.impl.protocol.ClientDelegateImpl.is_a(ClientDelegateImpl.java:392)
at org.omg.CORBA.portable.ObjectImpl._is_a(ObjectImpl.java:130)
at org.omg.CosNaming.NamingContextHelper.narrow(NamingContextHelper.java:69)
at com.sun.jndi.cosnaming.CNCtx.callResolve(CNCtx.java:490)
at com.sun.jndi.cosnaming.CNCtx.lookup(CNCtx.java:541)
at com.sun.jndi.cosnaming.CNCtx.lookup(CNCtx.java:519)
at javax.naming.InitialContext.lookup(InitialContext.java:411)
at com.sun.enterprise.naming.util.IIOPObjectFactory.getObjectInstance(IIOPObjectFactory.java:71)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:321)
at com.sun.enterprise.naming.impl.LocalSerialContextProviderImpl.lookup(LocalSerialContextProviderImpl.java:133)
... 94 more

---

Here is some mail from the JDK sust team about changes to JDK7U25

we fixed a vulnerability in JDK code around the org.omg.CORBA_2_3.portable.OutputStream class (7u25 fix). Any code extending that class will now need extra permission check if a security manager is installed.

See following for references :

CCC request : http://ccc.us.oracle.com/8004625
Bug DB report : might not be visible if you can't view vulnerabilities :

https://bug.oraclecorp.com/pls/bug/webbug_print.show?c_rptno=14127656

changesets :
src change : http://closedjdk.us.oracle.com/jdk7u/jdk7u25/corba/rev/161ec4dd450d
test case : http://closedjdk.us.oracle.com/jdk7u/jdk7u25/jdk/test/closed/rev/44ba7a614c1e

As per CCC, there is a property flag is allow subclass instantiations without the security check (jdk.corba.allowOutputStreamSubclass=true)

---

We have added this property to the GF domain.xml file (domain.xml) as a temporary workaround to get QL to pass with JDK7U25 and JDK7U40.
-Djdk.corba.allowOutputStreamSubclass=true

When this issue is resolved, PLEASE remove those lines from the domain.xml file.

---

Environment

solaris, linux, mac, windows

[glassfishrobot]

Reported by jill-sato

[glassfishrobot]

@jill-sato said:
I temporarily modified domain.xml as a temporary workaround to get QL tests to pass.
-Djdk.corba.allowOutputStreamSubclass=true

To reproduce, remove that line from domain.xml.
That line lightens the security so it should be a temporary workaround.
This should be fixed in 4.0.1

Once this issue is resolved, remove that line permanently from domain.xml.

[glassfishrobot]

ebratt said:
Please have a look. Thanks

[glassfishrobot]

This issue was imported from java.net JIRA GLASSFISH_CORBA-14

[glassfishrobot]

Closing this as this issue is migrated to eclipse-ee4j/orb#14