Thread: AccessControlException when using Spring Security with OpenID in Google App Engine

  1. #1

    AccessControlException when using Spring Security with OpenID in Google App Engine

    Hello,

    I am trying to implement Spring Security with OpenID in Google App Engine, but I am getting an
    AccessControlException: access denied (java.lang.RuntimePermission modifyThreadGroup)

    The problem is that Google App Engine does not allow creating a thread.

    Any ideas?

    Thanks,
    Ralph



    access denied (java.lang.RuntimePermission modifyThreadGroup)
    RequestURI=/j_spring_openid_security_check
    Caused by:
    java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThreadGroup)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:151)
    at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkAccess(DevAppServerFactory.java:176)
    at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:288)
    at java.lang.Thread.init(Thread.java:332)
    at java.lang.Thread.<init>(Thread.java:379)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$ReferenceQueueThread.<init>(MultiThreadedHttpConnectionManager.java:1039)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.storeReferenceToConnection(MultiThreadedHttpConnectionManager.java:164)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.access$900(MultiThreadedHttpConnectionManager.java:64)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$ConnectionPool.createConnection(MultiThreadedHttpConnectionManager.java:750)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.doGetConnection(MultiThreadedHttpConnectionManager.java:469)
    at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager.getConnectionWithTimeout(MultiThreadedHttpConnectionManager.java:394)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:152)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.openid4java.util.HttpCache.head(HttpCache.java:296)
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:360)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:229)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:221)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:179)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:134)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:114)
    at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:527)
    at org.springframework.security.openid.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:80)

  2. #2

    Well, technically in an application server (and Google App Engine), you are not allowed to open a socket or create a thread, if I remember correctly. Both creating a thread and opening a socket are exactly what HttpClient does. You might get rid of the thread by using the SingleThreadedConnectionManager.

    But you should look to see if Google App Engine provides a mechanism for making an HTTP invocation, perhaps through some kind of special google.appengine.xxx class; many app servers do this kind of thing.

    (pure speculation, but I think it is because they override or modify the socket classes and HTTP options in the JVM to provide more control over how incoming connections are handled and make sure they go through the application server auditing, timeout, and stale connection handling layers they have built).

  3. #3

    Looking at the source for the HttpClientFactory class from the openid4java project, it looks like this is a static setting on the class that sets up the HTTP connection: SVN Ref

    So, running some code like this at startup of your application should work:
    Code:
     org.openid4java.util.HttpClientFactory.setMultiThreadedHttpClient(false);
    I don't see that the Spring OpenID stack exposes this parameter anywhere.
    Last edited by pmularien; Oct 27th, 2009 at 10:42 AM.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  4. #4

    Apparently you can use outgoing HTTP, though you need to make sure HttpClient uses the right connection factory.
    http://code.google.com/appengine/doc...ngjavanet.html

    Here is the google supplied API for using outgoing HTTP from within your app:
    http://code.google.com/appengine/doc...e-summary.html
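
The first trace fails inside the HEAD request that Yadis discovery uses to look up the `X-XRDS-Location` header. As an added example (not code from this thread, from openid4java or from Spring Security), here is that lookup written with `java.net` only, so no HttpClient connection manager or timeout thread is involved; the class name, the timeout values and the local stand-in server in `main` are assumptions made for illustration.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

public class YadisHeadExample {
    /** HEAD the claimed identifier and return its X-XRDS-Location header, or null. */
    static String xrdsLocation(String identifier) throws Exception {
        URL url = new URL(identifier);
        String scheme = url.getProtocol();
        // The identifier is user-supplied: accept only HTTP(S) before connecting.
        if (!scheme.equalsIgnoreCase("http") && !scheme.equalsIgnoreCase("https")) {
            throw new IllegalArgumentException("unsupported scheme: " + scheme);
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5000); // assumed values, in milliseconds
        conn.setReadTimeout(5000);
        try {
            int status = conn.getResponseCode();
            return status == 200 ? conn.getHeaderField("X-XRDS-Location") : null;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed local endpoint standing in for an OpenID provider.
        // It is only for running the example on a workstation, not on App Engine.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/id", ex -> {
            ex.getResponseHeaders().add("X-XRDS-Location", "http://127.0.0.1/xrds");
            ex.sendResponseHeaders(200, -1); // headers only, no body
            ex.close();
        });
        server.start();
        try {
            String id = "http://127.0.0.1:" + server.getAddress().getPort() + "/id";
            System.out.println(xrdsLocation(id));
        } finally {
            server.stop(0);
        }
    }
}
```

This does not plug into openid4java, which still issues its requests through HttpClient as the traces show.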

  5. #5

    Thanks a lot for your help.

    I just tried the proposal from pmularien with the static setting ... HttpClientFactory.setMultiThreadedHttpClient(false)

    Now I have the problem that the socket factory is using a thread. I think I have to figure out the other proposal.

    Code:
    java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThreadGroup)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkPermission(DevAppServerFactory.java:151)
    at com.google.appengine.tools.development.DevAppServerFactory$CustomSecurityManager.checkAccess(DevAppServerFactory.java:176)
    at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:288)
    at java.lang.Thread.init(Thread.java:332)
    at java.lang.Thread.<init>(Thread.java:463)
    at org.apache.commons.httpclient.util.TimeoutController.execute(TimeoutController.java:79)
    at org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory.createSocket(ControllerThreadSocketFactory.java:94)
    at org.apache.commons.httpclient.protocol.DefaultProtocolSocketFactory.createSocket(DefaultProtocolSocketFactory.java:127)
    at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at org.openid4java.util.HttpCache.head(HttpCache.java:296)
    at org.openid4java.discovery.yadis.YadisResolver.retrieveXrdsLocation(YadisResolver.java:360)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:229)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:221)
    at org.openid4java.discovery.yadis.YadisResolver.discover(YadisResolver.java:179)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:134)
    at org.openid4java.discovery.Discovery.discover(Discovery.java:114)
    at org.openid4java.consumer.ConsumerManager.discover(ConsumerManager.java:527)
    at org.springframework.security.openid.OpenID4JavaConsumer.beginConsumption(OpenID4JavaConsumer.java:80)

  6. #6

    I tried digging in to figure out how you could get around that problem, but I don't see a way (with the combination of Spring Sec + OpenID4Java) to set the connection to "no timeout". I don't think OpenID4Java (based on my 15 minute review of the code) consistently allows this parameter to be set.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  7. #7

    I started a new thread: 'what is the best way to exchange openid4java with dyuproject'
    http://forum.springsource.org/showth...393#post268393

    dyuproject is another implementation of OpenID in Java that runs in Google App Engine.


    Thanks a lot for your help

  8. #8

    Please refer to this site: http://esxx.blogspot.com/2009/06/usi...oogle-app.html for how to get HttpClient 4 working on GAE.
    You need to implement a custom ClientConnection and ClientConnectionManager that doesn't create a socket. Creating Sockets and Threads is not allowed on Google App Engine.

  9. #9

    Check out http://technowobble.blogspot.com/201...ys-openid.html for a working example of Spring Security using OpenID on GAE...
