java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at com.google.appengine.runtime.Request.process-b35531ed0170125f(Request.java)

Spring JIRA | David Fuelling | 2 years ago
  1. 0

    My Error ======= I have a Spring webapp running in Google App Engine (GAE). It has been running fine for more than a year, but once I upgraded to Spring 3.2.9.RELEASE, I started getting java.security.AccessControlException's (see stack trace below) when running the app in the AppEngine runtime (Note: the app works fine locally in the AppEngine devserver, which is basically a Jetty container). This is typical for appengine - the runtime classloader permissions are more restrictive in the production runtime than in the development server. Cause ===== My app has an HttpSessionEventPublisher configured to publish session events. It appears that SPR-11606 introduced subtle changes to AbstractApplicationEventMulticaster (https://github.com/spring-projects/spring-framework/commit/e1602f7f83ded6438ce1307605d4de2366cfb8f7#diff-2047c68c136729519797ac17b17a5bcc) on line 178 that start accessing the classloader of each event's "source" and "type". From my own investigation, it appears that while using SpringSocial (Facebook), the ProviderSignInUtils kicks off a new session, and when the AbstractApplicationEventMulticaster encounters this event, it attempts to get the ClassLoader for the following class, which is not allowed in Appengine: com.google.apphosting.runtime.jetty.SessionManager$AppEngineSession (throws the AccessControlException). I realize this is somewhat of an AppEngine issue, but am wondering if it makes sense for Spring to try and do something more appropriate here? As-is, anyone using HttpSessions with HttpSessionEventPublisher in AppEngine will probably break. Here's the stack trace: -- org.springframework.social.connect.web.ProviderSignInController signIn: Exception while building authorization URL: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at com.google.appengine.runtime.Request.process-b35531ed0170125f(Request.java) at java.lang.Class.getClassLoader(Class.java:445) at org.springframework.util.ClassUtils.isCacheSafe(ClassUtils.java:400) at org.springframework.context.event.AbstractApplicationEventMulticaster.getApplicationListeners(AbstractApplicationEventMulticaster.java:178) at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:86) at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:334) at org.springframework.security.web.session.HttpSessionEventPublisher.sessionCreated(HttpSessionEventPublisher.java:69) at org.mortbay.jetty.servlet.AbstractSessionManager.addSession(AbstractSessionManager.java:577) at org.mortbay.jetty.servlet.AbstractSessionManager.newHttpSession(AbstractSessionManager.java:415) at org.mortbay.jetty.Request.getSession(Request.java:1242) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216) at org.springframework.web.context.request.ServletRequestAttributes.getSession(ServletRequestAttributes.java:79) at org.springframework.web.context.request.ServletRequestAttributes.setAttribute(ServletRequestAttributes.java:127) at org.springframework.social.connect.web.HttpSessionSessionStrategy.setAttribute(HttpSessionSessionStrategy.java:8) at org.springframework.social.connect.web.ConnectSupport.buildOAuth2Url(ConnectSupport.java:223) at org.springframework.social.connect.web.ConnectSupport.buildOAuthUrl(ConnectSupport.java:128) at org.springframework.social.connect.web.ProviderSignInController.signIn(ProviderSignInController.java:175) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:45) at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215) at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132) at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:685) at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:919) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:851) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953) at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:855) at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511) at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)

    Spring JIRA | 2 years ago | David Fuelling
    java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at com.google.appengine.runtime.Request.process-b35531ed0170125f(Request.java)
  2. 0

    Issue 11121 - googleappengine - java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) for com.google.apphosting.runtime.jetty.SessionManager$AppEngineSession - Google App Engine - Google Project Hosting

    google.com | 8 months ago
    java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at com.google.appengine.runtime.Request.process-b35531ed0170125f(Request.java)
  3. 0

    My Error ======= I have a Spring webapp running in Google App Engine (GAE). It has been running fine for more than a year, but once I upgraded to Spring 3.2.9.RELEASE, I started getting java.security.AccessControlException's (see stack trace below) when running the app in the AppEngine runtime (Note: the app works fine locally in the AppEngine devserver, which is basically a Jetty container). This is typical for appengine - the runtime classloader permissions are more restrictive in the production runtime than in the development server. Cause ===== My app has an HttpSessionEventPublisher configured to publish session events. It appears that SPR-11606 introduced subtle changes to AbstractApplicationEventMulticaster (https://github.com/spring-projects/spring-framework/commit/e1602f7f83ded6438ce1307605d4de2366cfb8f7#diff-2047c68c136729519797ac17b17a5bcc) on line 178 that start accessing the classloader of each event's "source" and "type". From my own investigation, it appears that while using SpringSocial (Facebook), the ProviderSignInUtils kicks off a new session, and when the AbstractApplicationEventMulticaster encounters this event, it attempts to get the ClassLoader for the following class, which is not allowed in Appengine: com.google.apphosting.runtime.jetty.SessionManager$AppEngineSession (throws the AccessControlException). I realize this is somewhat of an AppEngine issue, but am wondering if it makes sense for Spring to try and do something more appropriate here? As-is, anyone using HttpSessions with HttpSessionEventPublisher in AppEngine will probably break. Here's the stack trace: -- org.springframework.social.connect.web.ProviderSignInController signIn: Exception while building authorization URL: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at com.google.appengine.runtime.Request.process-b35531ed0170125f(Request.java) at java.lang.Class.getClassLoader(Class.java:445) at org.springframework.util.ClassUtils.isCacheSafe(ClassUtils.java:400) at org.springframework.context.event.AbstractApplicationEventMulticaster.getApplicationListeners(AbstractApplicationEventMulticaster.java:178) at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:86) at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:334) at org.springframework.security.web.session.HttpSessionEventPublisher.sessionCreated(HttpSessionEventPublisher.java:69) at org.mortbay.jetty.servlet.AbstractSessionManager.addSession(AbstractSessionManager.java:577) at org.mortbay.jetty.servlet.AbstractSessionManager.newHttpSession(AbstractSessionManager.java:415) at org.mortbay.jetty.Request.getSession(Request.java:1242) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216) at javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216) at org.springframework.web.context.request.ServletRequestAttributes.getSession(ServletRequestAttributes.java:79) at org.springframework.web.context.request.ServletRequestAttributes.setAttribute(ServletRequestAttributes.java:127) at org.springframework.social.connect.web.HttpSessionSessionStrategy.setAttribute(HttpSessionSessionStrategy.java:8) at org.springframework.social.connect.web.ConnectSupport.buildOAuth2Url(ConnectSupport.java:223) at org.springframework.social.connect.web.ConnectSupport.buildOAuthUrl(ConnectSupport.java:128) at org.springframework.social.connect.web.ProviderSignInController.signIn(ProviderSignInController.java:175) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:45) at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215) at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132) at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745) at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:685) at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:919) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:851) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953) at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:855) at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511) at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)

    Spring JIRA | 2 years ago | David Fuelling
    java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at com.google.appengine.runtime.Request.process-b35531ed0170125f(Request.java)
  4. Speed up your debug routine!

    Automated exception search integrated into your IDE

  5. 0

    Trouble with Connector/J in an applet

    Google Groups | 1 decade ago | apchar
    java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
  6. 0

    JRuby 1.6.4 not compatible with AppEngine Java...

    Google Groups | 5 years ago | Francis
    java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at com.google.appengine.runtime.Request.process- cf6eefcb9b61eeaa(Request.java)

    Not finding the right solution?
    Take a tour to get the most out of Samebug.

    Tired of useless tips?

    Automated exception search integrated into your IDE

    Root Cause Analysis

    1. java.security.AccessControlException

      access denied (java.lang.RuntimePermission getClassLoader) at com.google.appengine.runtime.Request.process-b35531ed0170125f(Request.java)

      at java.lang.Class.getClassLoader()
    2. Java RT
      Class.getClassLoader
      1. java.lang.Class.getClassLoader(Class.java:445)
      1 frame
    3. Spring Core
      ClassUtils.isCacheSafe
      1. org.springframework.util.ClassUtils.isCacheSafe(ClassUtils.java:400)
      1 frame
    4. Spring Context
      AbstractApplicationContext.publishEvent
      1. org.springframework.context.event.AbstractApplicationEventMulticaster.getApplicationListeners(AbstractApplicationEventMulticaster.java:178)
      2. org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:86)
      3. org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:334)
      3 frames
    5. Spring Security
      HttpSessionEventPublisher.sessionCreated
      1. org.springframework.security.web.session.HttpSessionEventPublisher.sessionCreated(HttpSessionEventPublisher.java:69)
      1 frame
    6. Jetty Server
      Request.getSession
      1. org.mortbay.jetty.servlet.AbstractSessionManager.addSession(AbstractSessionManager.java:577)
      2. org.mortbay.jetty.servlet.AbstractSessionManager.newHttpSession(AbstractSessionManager.java:415)
      3. org.mortbay.jetty.Request.getSession(Request.java:1242)
      3 frames
    7. JavaServlet
      HttpServletRequestWrapper.getSession
      1. javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
      2. javax.servlet.http.HttpServletRequestWrapper.getSession(HttpServletRequestWrapper.java:216)
      2 frames
    8. Spring
      ServletRequestAttributes.setAttribute
      1. org.springframework.web.context.request.ServletRequestAttributes.getSession(ServletRequestAttributes.java:79)
      2. org.springframework.web.context.request.ServletRequestAttributes.setAttribute(ServletRequestAttributes.java:127)
      2 frames
    9. Spring Web Integration
      ProviderSignInController.signIn
      1. org.springframework.social.connect.web.HttpSessionSessionStrategy.setAttribute(HttpSessionSessionStrategy.java:8)
      2. org.springframework.social.connect.web.ConnectSupport.buildOAuth2Url(ConnectSupport.java:223)
      3. org.springframework.social.connect.web.ConnectSupport.buildOAuthUrl(ConnectSupport.java:128)
      4. org.springframework.social.connect.web.ProviderSignInController.signIn(ProviderSignInController.java:175)
      4 frames
    10. Java RT
      Method.invoke
      1. sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      2. sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      3. sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      4. java.lang.reflect.Method.invoke(Method.java:45)
      4 frames
    11. Spring
      InvocableHandlerMethod.invokeForRequest
      1. org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
      2. org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
      2 frames
    12. Spring MVC
      FrameworkServlet.doPost
      1. org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
      2. org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745)
      3. org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:685)
      4. org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
      5. org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:919)
      6. org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:851)
      7. org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:953)
      8. org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:855)
      8 frames
    13. JavaServlet
      HttpServlet.service
      1. javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
      1 frame
    14. Spring MVC
      FrameworkServlet.service
      1. org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:829)
      1 frame
    15. JavaServlet
      HttpServlet.service
      1. javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      1 frame
    16. Jetty Server
      ServletHandler$CachedChain.doFilter
      1. org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
      2. org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
      2 frames