Spring Expression Language creates systemProperties bean calling System.getProperties() which in enterprise shared containers is locked down [SPR-6308]

[spring-projects-issues]

Matt Goldspink opened SPR-6308 and commented

We have a shared hosting environment for all our Tomcat containers in the firm and multiple teams may have webapps in the same Tomcat instance. As such the security policy is setup to disallow access to System.getProperties() as this will return a mutable view of all the system properties and if one application were to manipulate these it may adversely affect other applications in the same container.

We know the workaround for now is to simply drop in a bean named systemProperties but we would prefer a fix on the Spring side for this because it will likely catch all other groups that run a similar model to us. It seams like adding a simple bean which just delegates the call to System.getProperty("name") (which is not locked down) would be good enough to do this.

---

Affects: 3.0 RC1

Issue Links:

• SPR-6308 problem still exists in Spring Release 3.1.3 [SPR-10362] #14994 SPR-6308 problem still exists in Spring Release 3.1.3
• StandardEnvironment's system environment access produces warning with stacktrace on WebSphere [SPR-11297] #15921 StandardEnvironment's system environment access produces warning with stacktrace on WebSphere
• getenv.* : Access denied (java.lang.RuntimePermission getenv.*) [SPR-6287] #10954 getenv.* : Access denied (java.lang.RuntimePermission getenv.*)

Referenced from: commits 68f57aa

[spring-projects-issues]

Arjen Poutsma commented

Fixed.

When access to System.getProperties() is denied, we now lazily access system properties via System.getProperty(String). If that is denied too, we log a warning.

[spring-projects-issues]

Matt Goldspink commented

This looks great. Thanks Arjen.

[spring-projects-issues]

Sree Vaddi commented

Hi,

http://jira.springframework.org/browse/SPR-6287
I verified my app with spring build 458.
I still see error in my server.log but my app loads up OK.

As suggested by Matt in http://jira.springframework.org/browse/SPR-6308

The only way, I could get rid of the exception is,
by dropping systemProperties and systemEnvironment beans.

Now, my app loads smoothly without any exceptions.

By the way, when is 3.0 RC2 release due ?

Thank you very much.

With Regards
Sree

[spring-projects-issues]

Gagandeep Singh commented

I am acing this issue in Was 7 and Spring 3.1.3 Release . I added the following two properties
<beans:bean id="systemProperties" class="java.util.HashMap"></beans:bean>
<beans:bean id="systemEnvironment" class="java.util.HashMap"></bean:bean>
However i still get the following error
Code Base Location:

[3/7/13 17:20:29:365 EST] 0000000b webapp I com.ibm.ws.webcontainer.webapp.WebApp log SRVE0292I: Servlet Message - [bst-51881#bst.war]:.Initializing Spring FrameworkServlet 'appServlet'
[3/7/13 17:20:29:684 EST] 0000000b SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Refer to the InfoCenter for further information.

Permission:

getenv.* : Access denied (java.lang.RuntimePermission getenv.*)

Code:

org.springframework.core.env.AbstractEnvironment  in  {file:/opt/httpd/root/apps/ibm7/ccix/xyz.war/WEB-INF/lib/spring-core-3.1.3.RELEASE.jar}

Stack Trace:

java.security.AccessControlException: Access denied (java.lang.RuntimePermission getenv.*)
at java.security.AccessController.checkPermission(AccessController.java:132)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:544)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:206)
at java.lang.System.getenv(System.java:687)
at org.springframework.core.env.AbstractEnvironment.getSystemEnvironment(AbstractEnvironment.java:345)
at org.springframework.core.env.StandardEnvironment.customizePropertySources(StandardEnvironment.java:79)

[spring-projects-issues]

Juergen Hoeller commented

I suppose this is just a warning, not a fatal exception? I suppose it is logging any attempt to call System.getEnv there, even when guarded by a catch clause...

Juergen

[spring-projects-issues]

Juergen Hoeller commented

Haven't noticed before: Let's continue the discussion at #15921, the follow-up to this one...

Juergen