Description of problem: I have the following simple server CLI script: var utils = require("rhq://downloads/util"); Execution of this script fails with exception. Version-Release number of selected component (if applicable): Version: 4.8.0-SNAPSHOT Build Number: ff37cd9 How reproducible: Always Steps to Reproduce: 1. create an alarm definition with notification on some resource (i.e. platform) a. go to Alerts->Definitions->New b. fill some name c. add a condition - i.e. when some operation is invoked d. add a notification - choose a CLI script as a notification sender->upload the file (js file containing just var utils = require("rhq://downloads/util");) e. save the alert definition 2. invoke the operation from step c. 3. go to Alerts->History 4. open relevant alert and check notification tab Actual results: from server log: 11:34:51,724 INFO [org.rhq.enterprise.server.plugins.alertCli.CliSender] (Thread-328) The script execution for CLI notification of alert [org.rhq.core.domain.alert.Alert[id=10071, alertDefinition=org.rhq.core.domain.alert.AlertDefinition[ id=10001, name=test, conditionExpression=ANY, priority=Medium, resourceId=10001 ], ctime=1369668891466]] failed.: java.security.AccessControlException: access denied (java.lang.RuntimePermission canAccessModelController) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393) [rt.jar:1.6.0_24] at java.security.AccessController.checkPermission(AccessController.java:553) [rt.jar:1.6.0_24] at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) [rt.jar:1.6.0_24] at org.jboss.as.controller.ModelControllerImpl.createClient(ModelControllerImpl.java:311) [jboss-as-controller-7.2.0.Alpha1-redhat-4.jar:7.2.0.Alpha1-redhat-4] at org.rhq.enterprise.server.core.service.ManagementService.getClient(ManagementService.java:59) [rhq-enterprise-server-ejb3.jar:4.8.0-SNAPSHOT] at org.rhq.enterprise.server.core.CoreServer.getEarDeploymentDir(CoreServer.java:139) [rhq-enterprise-server-ejb3.jar:4.8.0-SNAPSHOT] at sun.reflect.GeneratedMethodAccessor205.invoke(Unknown Source) [:1.6.0_24] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.6.0_24] at java.lang.reflect.Method.invoke(Method.java:616) [rt.jar:1.6.0_24] at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:111) [rt.jar:1.6.0_24] at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:45) [rt.jar:1.6.0_24] at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:226) [rt.jar:1.6.0_24] at com.sun.jmx.mbeanserver.PerInterface.getAttribute(PerInterface.java:83) [rt.jar:1.6.0_24] at com.sun.jmx.mbeanserver.MBeanSupport.getAttribute(MBeanSupport.java:205) [rt.jar:1.6.0_24] at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttribute(DefaultMBeanServerInterceptor.java:683) [rt.jar:1.6.0_24] at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttribute(JmxMBeanServer.java:672) [rt.jar:1.6.0_24] at org.jboss.as.jmx.PluggableMBeanServerImpl$TcclMBeanServer.getAttribute(PluggableMBeanServerImpl.java:448) at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttribute(PluggableMBeanServerImpl.java:171) at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:140) [jboss-jmx-4.2.3.GA.jar:4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807192035)] at $Proxy1033.getEarDeploymentDir(Unknown Source) at org.rhq.enterprise.client.RhqDownloadsScriptSourceProvider.getDownloadHomeDir(RhqDownloadsScriptSourceProvider.java:74) [rhq-server-client-api-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.enterprise.client.RhqDownloadsScriptSourceProvider.doGetScriptSource(RhqDownloadsScriptSourceProvider.java:61) [rhq-server-client-api-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.bindings.script.BaseRhqSchemeScriptSourceProvider.getScriptSource(BaseRhqSchemeScriptSourceProvider.java:50) [rhq-script-bindings-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.bindings.util.MultiScriptSourceProvider.getScriptSource(MultiScriptSourceProvider.java:57) [rhq-script-bindings-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.scripting.javascript.util.ScriptSourceToModuleSourceProviderAdapter.loadFromUri(ScriptSourceToModuleSourceProviderAdapter.java:75) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.scripting.javascript.util.ScriptSourceToModuleSourceProviderAdapter.loadFromPrivilegedLocations(ScriptSourceToModuleSourceProviderAdapter.java:59) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.commonjs.module.provider.ModuleSourceProviderBase.loadSource(ModuleSourceProviderBase.java:41) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.commonjs.module.provider.CachingModuleScriptProviderBase.getModuleScript(CachingModuleScriptProviderBase.java:69) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.commonjs.module.provider.SoftCachingModuleScriptProvider.getModuleScript(SoftCachingModuleScriptProvider.java:67) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.commonjs.module.Require.getModule(Require.java:363) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.commonjs.module.Require.getExportedModuleInterface(Require.java:264) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.commonjs.module.Require.call(Require.java:218) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.Interpreter.interpretLoop(Interpreter.java:1473) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:815) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.InterpretedFunction.call(InterpretedFunction.java:109) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.ContextFactory.doTopCall(ContextFactory.java:394) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.scripting.javascript.engine.RhinoScriptEngine$1.superDoTopCall(RhinoScriptEngine.java:235) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.scripting.javascript.engine.RhinoScriptEngine$1.access$000(RhinoScriptEngine.java:199) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.scripting.javascript.engine.RhinoScriptEngine$1$1.run(RhinoScriptEngine.java:215) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_24] at org.rhq.scripting.javascript.engine.RhinoScriptEngine$1.doTopCall(RhinoScriptEngine.java:212) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.ScriptRuntime.doTopCall(ScriptRuntime.java:3091) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.InterpretedFunction.exec(InterpretedFunction.java:120) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.mozilla.javascript.Context.evaluateReader(Context.java:1110) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at org.rhq.scripting.javascript.engine.RhinoScriptEngine.eval(RhinoScriptEngine.java:363) [rhq-scripting-javascript-4.8.0-SNAPSHOT.jar:4.8.0-SNAPSHOT] at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:249) [rt.jar:1.6.0_24] at org.rhq.enterprise.server.plugins.alertCli.CliSender$1.run(CliSender.java:168) at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_24] Expected results: No exception
commit eeffaed93e68612eb6a88226479702d4f373e510 Author: Lukas Krejci <lkrejci> Date: Tue May 28 03:11:56 2013 +0200 [BZ 967622 - Server CLI script can't require modules from rhq://downloads] This was primarily caused by a new permission required by EAP 6.1 we've switched to. To access the ModelControllerClient, the code now needs a RuntimePermission("canAccessModelController"). We need the ModelControllerClient when determining the EAR installation dir, which we in turn need when determining where to locate the scripts in the "rhq://downloads" location. This is done while running a script, which is done in a restricted access control context which does not and should not have that permission. The minimal fix is to wrap the getting of the ModelControllerClient in a privileged action but some more "defensive" code was added in the RhqDownloadScriptSourceProvider, too, to guard against different times it might get instantiated during the script execution. Javadocs were updated to warn about the security considerations when writing a script source provider available on the server side.
Verified on: Version: 4.8.0-SNAPSHOT Build Number: eeffaed
Bulk closing of old issues now that HRQ 4.9 is in front of the door. If you think the issue has not been solved, then please open a new bug and mention this one in the description.