
Bug 218690

Summary: Dangerous reflection access to sun.misc.JavaNetAccess by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
Product: javaee
Component: JSP Parser
Status: VERIFIED FIXED
Severity: normal
Priority: P3
Version: 7.3
Hardware: PC
OS: Windows 7
Issue Type: DEFECT
Reporter: Jiri Skrivanek <jskrivanek>
Assignee: Petr Jiricka <pjiricka>
CC: jhavlin
Exception Reporter:

Description Jiri Skrivanek 2012-09-20 12:09:20 UTC
Several messages in logs:

java.lang.Exception: Dangerous reflection access to sun.misc.SharedSecrets by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
[catch] at org.netbeans.TopSecurityManager.checkMemberAccess(TopSecurityManager.java:437)
	at java.lang.Class.checkMemberAccess(Class.java:2174)
	at java.lang.Class.getMethod(Class.java:1619)
	at org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader.reset(WebAppParseSupport.java:1000)
	at org.netbeans.modules.web.jspparser_ext.WebAppParseSupport.resetClassLoaders(WebAppParseSupport.java:354)
	at org.netbeans.modules.web.jspparser_ext.WebAppParseSupport.analyzePage(WebAppParseSupport.java:472)
	at org.netbeans.modules.web.jspparser.JspParserImpl.analyzePage(JspParserImpl.java:202)
	at org.netbeans.modules.web.core.jsploader.TagLibParseSupport$ParsingRunnable.run(TagLibParseSupport.java:366)
	at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1454)
	at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2036)
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.JavaNetAccess by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.URLClassPath by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.ClassLoaderUtil by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.SharedSecrets by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.JavaNetAccess by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.URLClassPath by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.ClassLoaderUtil by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!

Comment 1 Jaroslav Havlin 2012-09-20 13:56:30 UTC
I'm not sure whether the reflection access is correct. Please evaluate.

If it is correct, consider adding a new item to the whitelist in method TopSecurityManager.createCallerWhiteList, module o.n.bootstrap.
See http://hg.netbeans.org/core-main/rev/3068362b02f0 for inspiration.
Thank you.

Comment 2 Petr Jiricka 2012-12-14 15:28:43 UTC
Yes, reflection access is correct. The code in question (reset method in WebAppParseSupport.ParserClassLoader) uses reflection to close the classloader, to avoid jar locking problems on JDK prior to version 7. There is no other way to do this on JDK 6 and earlier. From JDK 7, this is no longer needed, as there is an official API to close URLClassLoader. See this link for the background:
http://docs.oracle.com/javase/7/docs/technotes/guides/net/ClassLoader.html

I added org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader to the whitelist - is that OK, Jardo?
http://hg.netbeans.org/web-main/rev/a5ce0913dbf9

I am assuming this is fixed, but since there are no steps to reproduce, could you please verify, Jirko? Thanks.
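
The JDK 7 route mentioned in Comment 2, as an added example that is not part of the bug report or the NetBeans code: a loader is closed through the public `Closeable` API, so no reflection into `sun.misc` and no security-manager whitelist entry is involved. The class name `CloseLoaderDemo`, the helpers `buildSampleJar` and `closeIfSupported`, and the sample jar contents are constructed for illustration.

```java
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;

public class CloseLoaderDemo {
    // Constructed sample input: a temporary jar holding a single resource.
    static Path buildSampleJar() throws IOException {
        Path jar = Files.createTempFile("sample-taglib", ".jar");
        try (OutputStream out = Files.newOutputStream(jar);
             JarOutputStream jos = new JarOutputStream(out)) {
            jos.putNextEntry(new JarEntry("META-INF/sample.tld"));
            jos.write("<taglib/>".getBytes("UTF-8"));
            jos.closeEntry();
        }
        return jar;
    }

    // Hypothetical helper: uses only public API. On JDK 7 and later
    // URLClassLoader implements Closeable; on a loader that does not,
    // it reports false instead of reaching into JDK internals.
    static boolean closeIfSupported(ClassLoader loader) throws IOException {
        if (loader instanceof Closeable) {
            ((Closeable) loader).close(); // releases the jar files the loader opened
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Path jar = buildSampleJar();
        ClassLoader loader = new URLClassLoader(new URL[] { jar.toUri().toURL() }, null);
        // Reading a resource makes the loader open the jar and keep a handle to it.
        try (InputStream in = loader.getResourceAsStream("META-INF/sample.tld")) {
            System.out.println("resource found: " + (in != null));
        }
        System.out.println("closed via public API: " + closeIfSupported(loader));
        // With the handle released, the jar can be deleted or replaced.
        System.out.println("jar deleted: " + Files.deleteIfExists(jar));
    }
}
```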

Comment 3 Jaroslav Havlin 2012-12-14 15:45:06 UTC
> I added
> org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader
> to the whitelist - is that ok Jardo?
> http://hg.netbeans.org/web-main/rev/a5ce0913dbf9
It is OK.

Comment 4 Quality Engineering 2012-12-17 12:37:56 UTC
Integrated into 'main-golden', will be available in build *201212170919* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/a5ce0913dbf9
User: Petr Jiricka <pjiricka@netbeans.org>
Log: #218690 - adding classloader used by JSP parser to the whitelist for sun.misc