This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 218690 - Dangerous reflection access to sun.misc.JavaNetAccess by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
Status: VERIFIED FIXED
Alias: None
Product: javaee
Classification: Unclassified
Component: JSP Parser
Version: 7.3
Hardware: PC Windows 7
Importance: P3 normal
Assignee: Petr Jiricka
Reported: 2012-09-20 12:09 UTC by Jiri Skrivanek
Modified: 2012-12-17 13:28 UTC
Issue Type: DEFECT
Description Jiri Skrivanek 2012-09-20 12:09:20 UTC
Several messages in logs:

java.lang.Exception: Dangerous reflection access to sun.misc.SharedSecrets by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
[catch] at org.netbeans.TopSecurityManager.checkMemberAccess(TopSecurityManager.java:437)
	at java.lang.Class.checkMemberAccess(Class.java:2174)
	at java.lang.Class.getMethod(Class.java:1619)
	at org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader.reset(WebAppParseSupport.java:1000)
	at org.netbeans.modules.web.jspparser_ext.WebAppParseSupport.resetClassLoaders(WebAppParseSupport.java:354)
	at org.netbeans.modules.web.jspparser_ext.WebAppParseSupport.analyzePage(WebAppParseSupport.java:472)
	at org.netbeans.modules.web.jspparser.JspParserImpl.analyzePage(JspParserImpl.java:202)
	at org.netbeans.modules.web.core.jsploader.TagLibParseSupport$ParsingRunnable.run(TagLibParseSupport.java:366)
	at org.openide.util.RequestProcessor$Task.run(RequestProcessor.java:1454)
	at org.openide.util.RequestProcessor$Processor.run(RequestProcessor.java:2036)
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.JavaNetAccess by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.URLClassPath by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.ClassLoaderUtil by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.SharedSecrets by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.JavaNetAccess by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.URLClassPath by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
INFO [org.netbeans.TopSecurityManager]: Dangerous reflection access to sun.misc.ClassLoaderUtil by class org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader detected!
Comment 1 Jaroslav Havlin 2012-09-20 13:56:30 UTC
I'm not sure whether the reflection access is correct. Please evaluate.

If it is correct, consider adding a new item to the whitelist in method TopSecurityManager.createCallerWhiteList, module o.n.bootstrap.
See http://hg.netbeans.org/core-main/rev/3068362b02f0 for inspiration.
Thank you.
Comment 2 Petr Jiricka 2012-12-14 15:28:43 UTC
Yes, reflection access is correct. The code in question (the reset method in WebAppParseSupport.ParserClassLoader) uses reflection to close the classloader, to avoid jar locking problems on JDK prior to version 7. There is no other way to do this on JDK 6 and earlier. From JDK 7, this is no longer needed, as there is an official API to close URLClassLoader. See this link for the background:
http://docs.oracle.com/javase/7/docs/technotes/guides/net/ClassLoader.html

I added org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader to the whitelist - is that ok Jardo?
http://hg.netbeans.org/web-main/rev/a5ce0913dbf9

I am assuming this is fixed, but since there are no steps to reproduce, could you please verify Jirko? Thanks.
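
Added example, not part of the original comments or the NetBeans code base: the JDK 7+ `URLClassLoader.close()` route mentioned in Comment 2, which releases a JAR without any reflection into `sun.misc` and so needs no whitelist entry. The class name `CloseableLoaderDemo`, the temporary JAR and the resource name `META-INF/sample.tld` are constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;

public class CloseableLoaderDemo {

    // Build a small JAR holding one resource (constructed sample input).
    static Path buildSampleJar() throws IOException {
        Path jar = Files.createTempFile("taglib-sample", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
            out.putNextEntry(new JarEntry("META-INF/sample.tld"));
            out.write("<taglib/>".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return jar;
    }

    // Read a resource through a URLClassLoader, then release the JAR with the
    // supported close() API (JDK 7+) instead of reflecting into sun.misc.
    static boolean loadThenRelease(Path jar) throws IOException {
        URLClassLoader loader =
                new URLClassLoader(new URL[] { jar.toUri().toURL() }, null);
        try {
            try (InputStream in = loader.getResourceAsStream("META-INF/sample.tld")) {
                if (in == null) throw new IOException("resource missing");
                in.read();
            }
        } finally {
            loader.close(); // closes the JAR file handles opened by this loader
        }
        // A closed loader no longer finds resources it defines ...
        boolean resourceGone = loader.findResource("META-INF/sample.tld") == null;
        // ... and the JAR is no longer held open, so it can be deleted
        // (the jar-locking case that matters on Windows).
        Files.delete(jar);
        return resourceGone && Files.notExists(jar);
    }

    public static void main(String[] args) throws IOException {
        System.out.println("released and deleted: " + loadThenRelease(buildSampleJar()));
    }
}
```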
Comment 3 Jaroslav Havlin 2012-12-14 15:45:06 UTC
> I added
> org.netbeans.modules.web.jspparser_ext.WebAppParseSupport$ParserClassLoader
> to the whitelist - is that ok Jardo?
> http://hg.netbeans.org/web-main/rev/a5ce0913dbf9
It is OK.
Comment 4 Quality Engineering 2012-12-17 12:37:56 UTC
Integrated into 'main-golden', will be available in build *201212170919* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)
Changeset: http://hg.netbeans.org/main-golden/rev/a5ce0913dbf9
User: Petr Jiricka <pjiricka@netbeans.org>
Log: #218690 - adding classloader used by JSP parser to the whitelist for sun.misc