Skip to main content

XPages and Java security troubles

This is more a rant than classic post, but I hope it may help someone or someone could prove me wrong, which would be even better.

In recent app I use  XPages Scaffolding from Jesse Gallagher. He does some magic in his code that relies on Java reflection to access classes that you can define in your NSF as your model. As my dev server had Java AllPermission grant in global block of java.policy everything worked just fine. But just until I moved the app to production server, where this setting is not possible.

I started to get Exceptions like:
java.lang.SecurityException: not allowed to access members in class 
class model.Problem
lotus.notes.AgentSecurityManager.checkMemberAccess(Unknown Source)
java.lang.Class.checkMemberAccess(Class.java:123)
java.lang.Class.getDeclaredFields(Class.java:601)
frostillicus.xsp.model.AbstractModelObject.getGenericType(AbstractMo
delObject.java:215)
frostillicus.xsp.model.domino.AbstractDominoModel.setValueImmediate
(AbstractDominoModel.java:271)
frostillicus.xsp.model.domino.AbstractDominoModel.initFromDatabase
(AbstractDominoModel.java:64)
model.Problem.initFromDatabase(Problem.java:56)

The stack trace shows that  the exception is thrown from internal Notes class that tries to enforce security.

I still thought that is is not a big deal, since I'm allowed to modify java.policy on this server, so I would just grant correct permission to my app using grant codeBase "xspnsf://" syntax. But it just don't work. I checked XPages Portable Command Guide and other sources to see if I spelled it correctly. I tried to debug the code and validate the permission in code, it just looked OK. But it had no impact on the exception. Than I found a note in release notes of Threads and Jobs project.
Note that the following does not work since the Java code is put as class in NSF as opposed to a jar file in the/lib directory:
grant codeBase "xspnsf://server:0/threadsjob.nsf/-" {
   permission java.security.AllPermission;
};
I'm not willing to put my code into a jar as it would make development much harder, so I had to look for another solution.

The problem is caused by using some reflection calls between classes that are loaded by different classloaders. To kill this check you have to play games with SecurityManager and currentClassLoader() . So I decided to use AccessController.doPriviledges and wrap all code that caused my troubles into PrivilegedActions.

It is not the nicest solution for code readability, but it solved my problem and I can continue to focus on my app and not fighting with the platform. 

It took me couple hours to solve this issue and if anyone uses Scaffolding and has similar problem, you can try to use my fork, where these changes are implemented - https://github.com/mpradny/XPages-Scaffolding/tree/feature/priviledged (code probably needs some refactoring, since this is still first version that worked)

If anyone can show me that java.policy setting for a nsf could solve this problems, let me know. I have seen many posts on Stackoverflow where people couldn't get it to work and probably just ended up with AllPermission in global block.
Labels:

Comments

Post a Comment

Popular posts from this blog

XPages EL/class-loader memory leak (now with solution)

 We have recently experienced OutOfMemory crashes of XPages app server. The server was recently upgraded to 12.0.1FP1, but we were getting some panic crashes in HTTP even before the upgrade (it was 9.0.1FP10). Our hopes were that the upgrade would stabilize the server, but it's not the case. At least now I start to see what's the problem.  update 8.12.2022 There were actually 3 different leaks. I have rewritten the article to be a bit more clear. I also re-run some of the tests on 9.0.1FP10, so I assume the problems are also in earlier versions. Problem 1 The server is hosting over 1000 NSF sharing the same design + some other custom apps. Not all NSFs are used via web as the app still has classic Notes UI in parallel, so it's a bit tricky to estimate the load. By using tell http xsp show modules I usually see around 350 NSFs active. We kept the default application timeout that should provide reasonable application recycling if it's not used continuously.  We started to
Post a Comment
Read more

HCL Domino SSO with Microsoft Teams

 Microsoft Teams is probably one of the most used tools this year, it was already quite popular before the pandemic started to spread across the world this spring, but now most of the businesses I work with use it. After using it just like a chat/conferencing tool, many start to explore further capabilities of the platform. When working with Domino data in apps that are web-enabled, it can be quite easy - just add a web tab anywhere you want. The problem is, that you need to deal with user authentication. 
Post a Comment
Read more

HCL Domino 12.0.2, Engage 2022 and HCL Factory tour Milan

 I haven't published my recap after Engage this year and the recent HCL Factory tour in Milan is a great opportunity to write a summary about what's happening in HCL (mostly Domino) space. It's a mix of news about 12.0.2, future directions, and my impressions, so it can be a bit chaotic, but I got the impression that many people see it similarly.  Engage 2022 Engage 2022 was great (as always). I love the atmosphere in Brudges. I visited it once after Engage a few years ago and I was happy to come back. This was also the first time I had the opportunity to speak at Engage, which obviously made it a bit more stressful, but also more fun. Together with Domino Jams, HCL continued conversations with customers and partners about the future of their products at Engage. Many of these ideas were now discussed in greater detail in Milan, some of them were even demoed.  My main takeaways from Engage were: Nomad (web and mobile) are a great addition to Notes family Restyle is a great g
Post a Comment
Read more