PI67028: AccessControlExceptionthrown from AppClassLoader.getResources() call

Fixes are available

APAR status

Closed as program error.

Error description

If Java 2 security is enabled in a WebSphere Application
Server Liberty server, it is possible that calls to the
application's classloader might throw a SecurityException or
AccessControlException.  Here is an example stack trace of
such an exception:

java.security.AccessControlException: Access denied
("java.lang.RuntimePermission" "getClassLoader")
at
java.security.AccessController.throwACE(AccessController.jav
a:157)
at
java.security.AccessController.checkPermissionHelper(AccessC
ontroller.java:217)
at
java.security.AccessController.checkPermission(AccessControl
ler.java:349)
at
java.lang.SecurityManager.checkPermission(SecurityManager.ja
va:562)
  at java.lang.ClassLoader.getParent(ClassLoader.java:514)
at
com.ibm.ws.classloading.internal.AppClassLoader.getResources
(AppClassLoader.java:204)
at
org.slf4j.LoggerFactory.findPossibleStaticLoggerBinderPathSe
t(LoggerFactory.java:227)
  at org.slf4j.LoggerFactory.bind(LoggerFactory.java:126)
at
org.slf4j.LoggerFactory.performInitialization(LoggerFactory.
java:108)
at
org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java
:302)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:276)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:288)
at
org.apache.wink.jcdi.server.internal.extension.JCDIExtension
.<clinit>(JCDIExtension.java:33)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Nativ
e Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(Native
ConstructorAccessorImpl.java:88)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
legatingConstructorAccessorImpl.java:57)
at
java.lang.reflect.Constructor.newInstance(Constructor.java:4
37)
at
org.jboss.weld.util.ServiceLoader.prepareInstance(ServiceLoa
der.java:240)
at
org.jboss.weld.util.ServiceLoader.loadService(ServiceLoader.
java:214)
at
org.jboss.weld.util.ServiceLoader.loadServiceFile(ServiceLoa
der.java:182)
at
org.jboss.weld.util.ServiceLoader.reload(ServiceLoader.java:
162)
at
org.jboss.weld.util.ServiceLoader.iterator(ServiceLoader.jav
a:297)
at
com.ibm.ws.cdi.impl.weld.WebSphereCDIDeploymentImpl.getExten
sions(WebSphereCDIDeploymentImpl.java:444)
at
com.ibm.ws.cdi.impl.CDIContainerImpl.applicationStarting(CDI
ContainerImpl.java:136)
at
com.ibm.ws.cdi.liberty.CDIRuntimeImpl.applicationStarting(CD
IRuntimeImpl.java:353)
at
com.ibm.ws.container.service.state.internal.ApplicationState
Manager.fireStarting(ApplicationStateManager.java:29)
at
com.ibm.ws.container.service.state.internal.StateChangeServi
ceImpl.fireApplicationStarting(StateChangeServiceImpl.java:5
1)
at
com.ibm.ws.app.manager.module.internal.DeployedAppInfoBase.p
reDeployApp(DeployedAppInfoBase.java:788)
at
com.ibm.ws.app.manager.module.internal.DeployedAppInfoBase.d
eployApp(DeployedAppInfoBase.java:815)
at
com.ibm.ws.app.manager.ear.internal.EARApplicationHandlerImp
l.install(EARApplicationHandlerImpl.java:84)
at
com.ibm.ws.app.manager.internal.statemachine.StartAction.exe
cute(StartAction.java:141)
at
com.ibm.ws.app.manager.internal.statemachine.ApplicationStat
eMachineImpl.enterState(ApplicationStateMachineImpl.java:119
2)
at
com.ibm.ws.app.manager.internal.statemachine.ApplicationStat
eMachineImpl.run(ApplicationStateMachineImpl.java:805)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
Executor.java:1153)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
lExecutor.java:628)
  at java.lang.Thread.run(Thread.java:785)

The problem is that the AppClassLoader is attempting to get
it's parent classloader without sufficient security
privileges.

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server Liberty                              *
****************************************************************
* PROBLEM DESCRIPTION: AccessControlExceptionthrown from       *
*                      AppClassLoader.getResources() call      *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
If Java 2 security is enabled in a WebSphere Application Server
Liberty server, it is possible that calls to the application's
classloader might throw a SecurityException or
AccessControlException.  Here is an example stack trace of such
an exception:

java.security.AccessControlException: Access denied
("java.lang.RuntimePermission" "getClassLoader")
  at
java.security.AccessController.throwACE(AccessController.java:15
7)
  at
java.security.AccessController.checkPermissionHelper(AccessContr
oller.java:217)
  at
java.security.AccessController.checkPermission(AccessController.
java:349)
  at
java.lang.SecurityManager.checkPermission(SecurityManager.java:5
62)
  at java.lang.ClassLoader.getParent(ClassLoader.java:514)
  at
com.ibm.ws.classloading.internal.AppClassLoader.getResources(App
ClassLoader.java:204)
  at
org.slf4j.LoggerFactory.findPossibleStaticLoggerBinderPathSet(Lo
ggerFactory.java:227)
  at org.slf4j.LoggerFactory.bind(LoggerFactory.java:126)
  at
org.slf4j.LoggerFactory.performInitialization(LoggerFactory.java
:108)
  at
org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:302
)
  at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:276)
  at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:288)
  at
org.apache.wink.jcdi.server.internal.extension.JCDIExtension.<cl
init>(JCDIExtension.java:33)
  at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
  at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeCons
tructorAccessorImpl.java:88)
  at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delega
tingConstructorAccessorImpl.java:57)
  at
java.lang.reflect.Constructor.newInstance(Constructor.java:437)
  at
org.jboss.weld.util.ServiceLoader.prepareInstance(ServiceLoader.
java:240)
  at
org.jboss.weld.util.ServiceLoader.loadService(ServiceLoader.java
:214)
  at
org.jboss.weld.util.ServiceLoader.loadServiceFile(ServiceLoader.
java:182)
  at
org.jboss.weld.util.ServiceLoader.reload(ServiceLoader.java:162)
at
org.jboss.weld.util.ServiceLoader.iterator(ServiceLoader.java:29
7)
  at
com.ibm.ws.cdi.impl.weld.WebSphereCDIDeploymentImpl.getExtension
s(WebSphereCDIDeploymentImpl.java:444)
  at
com.ibm.ws.cdi.impl.CDIContainerImpl.applicationStarting(CDICont
ainerImpl.java:136)
  at
com.ibm.ws.cdi.liberty.CDIRuntimeImpl.applicationStarting(CDIRun
timeImpl.java:353)
  at
com.ibm.ws.container.service.state.internal.ApplicationStateMana
ger.fireStarting(ApplicationStateManager.java:29)
  at
com.ibm.ws.container.service.state.internal.StateChangeServiceIm
pl.fireApplicationStarting(StateChangeServiceImpl.java:51)
  at
com.ibm.ws.app.manager.module.internal.DeployedAppInfoBase.preDe
ployApp(DeployedAppInfoBase.java:788)
  at
com.ibm.ws.app.manager.module.internal.DeployedAppInfoBase.deplo
yApp(DeployedAppInfoBase.java:815)
  at
com.ibm.ws.app.manager.ear.internal.EARApplicationHandlerImpl.in
stall(EARApplicationHandlerImpl.java:84)
  at
com.ibm.ws.app.manager.internal.statemachine.StartAction.execute
(StartAction.java:141)
  at
com.ibm.ws.app.manager.internal.statemachine.ApplicationStateMac
hineImpl.enterState(ApplicationStateMachineImpl.java:1192)
  at
com.ibm.ws.app.manager.internal.statemachine.ApplicationStateMac
hineImpl.run(ApplicationStateMachineImpl.java:805)
  at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
utor.java:1153)
  at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
cutor.java:628)
  at java.lang.Thread.run(Thread.java:785)

The problem is that the AppClassLoader is attempting to get it's
parent classloader without sufficient security privileges.

Problem conclusion

The fix for this APAR allows the AppClassLoader to obtain a
reference to it's parent classloader with sufficient
privileges.

The fix for this APAR is currently targeted for inclusion in fix
pack 16.0.0.3.  Please refer to the Recommended Updates page for
delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Temporary fix

Comments

APAR Information

APAR number
PI67028
Reported component name
WAS LIBERTY COR
Reported component ID
5725L2900
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-08-04
Closed date
2016-08-09
Last modified date
2016-08-09

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
WAS LIBERTY COR
Fixed component ID
5725L2900

Applicable component levels

R855 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 May 2022

Tips

PI67028: AccessControlExceptionthrown from AppClassLoader.getResources() call

Fixes are available

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R855 PSY

Document Information

Share your feedback

Need support?