IBM Support

PI67719: AccessControlException from JTMThreadFactory, JNDI lookup, and J msManagedConnectionFactoryImpl

Fixes are available

16.0.0.3: WebSphere Application Server Liberty 16.0.0.3
16.0.0.4: WebSphere Application Server Liberty 16.0.0.4
17.0.0.1: WebSphere Application Server Liberty 17.0.0.1
17.0.0.2: WebSphere Application Server Liberty 17.0.0.2
17.0.0.3: WebSphere Application Server Liberty 17.0.0.3
17.0.0.4: WebSphere Application Server Liberty 17.0.0.4
18.0.0.1: WebSphere Application Server Liberty 18.0.0.1
18.0.0.2: WebSphere Application Server Liberty 18.0.0.2
18.0.0.3: WebSphere Application Server Liberty 18.0.0.3
18.0.0.4: WebSphere Application Server Liberty 18.0.0.4
19.0.0.1: WebSphere Application Server Liberty 19.0.0.1
19.0.0.2: WebSphere Application Server Liberty 19.0.0.2
19.0.0.3: WebSphere Application Server Liberty 19.0.0.3
19.0.0.4: WebSphere Application Server Liberty 19.0.0.4
19.0.0.5: WebSphere Application Server Liberty 19.0.0.5
19.0.0.6: WebSphere Application Server Liberty 19.0.0.6
19.0.0.7: WebSphere Application Server Liberty 19.0.0.7
19.0.0.8: WebSphere Application Server Liberty 19.0.0.8
19.0.0.9: WebSphere Application Server Liberty 19.0.0.9
19.0.0.10: WebSphere Application Server Liberty 19.0.0.10
19.0.0.11: WebSphere Application Server Liberty 19.0.0.11
19.0.0.12: WebSphere Application Server Liberty 19.0.0.12
20.0.0.1: WebSphere Application Server Liberty 20.0.0.1
20.0.0.2: WebSphere Application Server Liberty 20.0.0.2
20.0.0.3: WebSphere Application Server Liberty 20.0.0.3
20.0.0.4: WebSphere Application Server Liberty 20.0.0.4
20.0.0.5: WebSphere Application Server Liberty 20.0.0.5
20.0.0.6: WebSphere Application Server Liberty 20.0.0.6
20.0.0.7: WebSphere Application Server Liberty 20.0.0.7
20.0.0.8: WebSphere Application Server Liberty 20.0.0.8
20.0.0.9: WebSphere Application Server Liberty 20.0.0.9
20.0.0.10: WebSphere Application Server Liberty 20.0.0.10
20.0.0.11: WebSphere Application Server Liberty 20.0.0.11
20.0.0.12: WebSphere Application Server Liberty 20.0.0.12

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When running a Java EE7 application with a Java 2 security
    manager, a user may see exceptions similar to the following:
    java.security.AccessControlException: access denied
    ("java.lang.RuntimePermission" "setContextClassLoader")
    at
    java.security.AccessControlContext.checkPermission(AccessCon
    trolContext.java:395)
    at
    java.security.AccessController.checkPermission(AccessControl
    ler.java:559)
    at
    java.lang.SecurityManager.checkPermission(SecurityManager.ja
    va:549)
    at
    com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecu
    rityManager.checkPermission(MissingDoPrivDetectionSecurityMa
    nager.java:41)
    at java.lang.Thread.setContextClassLoader(Thread.java:1504)
    at
    com.ibm.tx.jta.util.alarm.JTMThreadFactory.newThread(JTMThre
    adFactory.java:46)
    at
    java.util.concurrent.ThreadPoolExecutor$Worker.<init>(Thread
    PoolExecutor.java:610)
    at
    java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPool
    Executor.java:924)
           ...
    or
    java.security.AccessControlException: access denied
    ("java.util.PropertyPermission"
    "com.ibm.ws.sib.api.isManaged"
    "read")java.security.AccessControlContext.checkPermission(Ac
    cessControlContext.java:395)
    java.security.AccessController.checkPermission(AccessControl
    ler.java:559)
    java.lang.SecurityManager.checkPermission(SecurityManager.ja
    va:549)
    com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecu
    rityManager.checkPermission(MissingDoPrivDetectionSecurityMa
    nager.java:41)
    java.lang.SecurityManager.checkPropertyAccess(SecurityManage
    r.java:1298)
    java.lang.System.getProperty(System.java:708)
    com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.
    isManaged(JmsManagedConnectionFactoryImpl.java:267)
    com.ibm.ws.sib.api.jms.impl.JmsManagedTopicConnectionFactory
    Impl.instantiateConnection(JmsManagedTopicConnectionFactoryI
    mpl.java:93)
    ...
    or
    java.security.AccessControlException: access denied
    ("org.osgi.framework.ServicePermission" "(service.id=550)"
    "get")java.security.AccessControlContext.checkPermission(Acc
    essControlContext.java:395)
    java.security.AccessController.checkPermission(AccessControl
    ler.java:559)
    java.lang.SecurityManager.checkPermission(SecurityManager.ja
    va:549)
    com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecu
    rityManager.checkPermission(MissingDoPrivDetectionSecurityMa
    nager.java:41)
    org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.ch
    eckGetServicePermission(ServiceRegistry.java:1080)
    org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.ge
    tService(ServiceRegistry.java:460)
    org.eclipse.osgi.internal.framework.BundleContextImpl.getSer
    vice(BundleContextImpl.java:619)
    com.ibm.ws.jndi.internal.WSContext.resolveObject(WSContext.j
    ava:130)
    com.ibm.ws.jndi.internal.WSContext.lookup(WSContext.java:298
    )
    com.ibm.ws.jndi.WSContextBase.lookup(WSContextBase.java:62)
    org.apache.aries.jndi.DelegateContext.lookup(DelegateContext
    .java:161)
    javax.naming.InitialContext.lookup(InitialContext.java:411)
    com.ibm.ws.testtooling.msgcli.jms.JMSQueueClient.<init>(JMSQ
    ueueClient.java:47)
    ...
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of IBM WebSphere Application      *
    *                  Server Liberty - JNDI                       *
    ****************************************************************
    * PROBLEM DESCRIPTION: AccessControlException from             *
    *                      JTMThreadFactory, JNDI lookup, and      *
    *                      JmsManagedConnectionFactoryImpl         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When running a Java EE7 application with a Java 2 security
    manager, a user may see exceptions similar to the following:
    java.security.AccessControlException: access denied
    ("java.lang.RuntimePermission" "setContextClassLoader")
    	at
    java.security.AccessControlContext.checkPermission(AccessControl
    Context.java:395)
    	at
    java.security.AccessController.checkPermission(AccessController.
    java:559)
    	at
    java.lang.SecurityManager.checkPermission(SecurityManager.java:5
    49)
    	at
    com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurity
    Manager.checkPermission(MissingDoPrivDetectionSecurityManager.ja
    va:41)
    	at java.lang.Thread.setContextClassLoader(Thread.java:1504)
    	at
    com.ibm.tx.jta.util.alarm.JTMThreadFactory.newThread(JTMThreadFa
    ctory.java:46)
    	at
    java.util.concurrent.ThreadPoolExecutor$Worker.<init>(ThreadPool
    Executor.java:610)
    	at
    java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExec
    utor.java:924)
           ...
    or
    java.security.AccessControlException: access denied
    ("java.util.PropertyPermission" "com.ibm.ws.sib.api.isManaged"
    "read")java.security.AccessControlContext.checkPermission(Access
    ControlContext.java:395)
    java.security.AccessController.checkPermission(AccessController.
    java:559)
    java.lang.SecurityManager.checkPermission(SecurityManager.java:5
    49)
    com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurity
    Manager.checkPermission(MissingDoPrivDetectionSecurityManager.ja
    va:41)
    java.lang.SecurityManager.checkPropertyAccess(SecurityManager.ja
    va:1298)
    java.lang.System.getProperty(System.java:708)
    com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.isMa
    naged(JmsManagedConnectionFactoryImpl.java:267)
    com.ibm.ws.sib.api.jms.impl.JmsManagedTopicConnectionFactoryImpl
    .instantiateConnection(JmsManagedTopicConnectionFactoryImpl.java
    :93)
    ...
    or
    java.security.AccessControlException: access denied
    ("org.osgi.framework.ServicePermission" "(service.id=550)"
    "get")java.security.AccessControlContext.checkPermission(AccessC
    ontrolContext.java:395)
    java.security.AccessController.checkPermission(AccessController.
    java:559)
    java.lang.SecurityManager.checkPermission(SecurityManager.java:5
    49)
    com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurity
    Manager.checkPermission(MissingDoPrivDetectionSecurityManager.ja
    va:41)
    org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.checkG
    etServicePermission(ServiceRegistry.java:1080)
    org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.getSer
    vice(ServiceRegistry.java:460)
    org.eclipse.osgi.internal.framework.BundleContextImpl.getService
    (BundleContextImpl.java:619)
    com.ibm.ws.jndi.internal.WSContext.resolveObject(WSContext.java:
    130)
    com.ibm.ws.jndi.internal.WSContext.lookup(WSContext.java:298)
    com.ibm.ws.jndi.WSContextBase.lookup(WSContextBase.java:62)
    org.apache.aries.jndi.DelegateContext.lookup(DelegateContext.jav
    a:161)
    javax.naming.InitialContext.lookup(InitialContext.java:411)
    com.ibm.ws.testtooling.msgcli.jms.JMSQueueClient.<init>(JMSQueue
    Client.java:47)
    ...
    

Problem conclusion

  • The fix for this APAR wraps the calls to these protected methods
    inside doPriviledged blocks which enable them to complete
    successfully with a security manager installed.
    
    The fix for this APAR is currently targeted for inclusion in fix
    pack 16.0.0.3.  Please refer to the Recommended Updates page for
    delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI67719

  • Reported component name

    WAS LIBERTY COR

  • Reported component ID

    5725L2900

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-08-17

  • Closed date

    2016-08-18

  • Last modified date

    2016-08-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WAS LIBERTY COR

  • Fixed component ID

    5725L2900

Applicable component levels

  • R855 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
14 October 2021