This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/3.6.x-fixes by this push:
new 8fec5b32eb6 [CXF-9227] - Fix SecurityManager permission regressions
(#3274)
8fec5b32eb6 is described below
commit 8fec5b32eb645e89b64ad6c3450fe1e9542f6ab1
Author: Fabio Burzigotti <[email protected]>
AuthorDate: Fri Jul 3 18:18:49 2026 +0200
[CXF-9227] - Fix SecurityManager permission regressions (#3274)
---
core/src/main/java/org/apache/cxf/resource/URIResolver.java | 13 ++++++++++++-
.../apache/cxf/ws/addressing/EndpointReferenceUtils.java | 12 +++++++++++-
2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/org/apache/cxf/resource/URIResolver.java
b/core/src/main/java/org/apache/cxf/resource/URIResolver.java
index a694fb1fe61..f1ba2b029f0 100644
--- a/core/src/main/java/org/apache/cxf/resource/URIResolver.java
+++ b/core/src/main/java/org/apache/cxf/resource/URIResolver.java
@@ -32,6 +32,8 @@ import java.net.URLDecoder;
import java.nio.file.Files;
import java.security.AccessController;
import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
@@ -270,7 +272,16 @@ public class URIResolver implements AutoCloseable {
private HttpURLConnection createInputStream() throws IOException {
checkAllowedScheme(url);
- HttpURLConnection huc = (HttpURLConnection)url.openConnection();
+ // Wrap the network connection in doPrivileged so that callers
(including
+ // user deployments) do not need SocketPermission for the target host.
+ final HttpURLConnection huc;
+ try {
+ huc = AccessController.doPrivileged(
+ (PrivilegedExceptionAction<HttpURLConnection>) () ->
+ (HttpURLConnection)url.openConnection());
+ } catch (PrivilegedActionException e) {
+ throw (IOException) e.getException();
+ }
String host = SystemPropertyAction.getPropertyOrNull("http.proxyHost");
if (host != null) {
diff --git
a/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
b/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
index 9bad1732625..75bf5d6600f 100644
---
a/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
+++
b/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
@@ -27,6 +27,8 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
@@ -199,7 +201,15 @@ public final class EndpointReferenceUtils {
systemId = publicId;
}
if (systemId != null) {
- InputSource source = resolver.resolve(systemId, baseURI);
+ // Run inside doPrivileged so that sm.checkPermission()
calls
+ // inside the resolver chain (SecurityActions.fileExists)
stop
+ // at this boundary and check only CXF's own permissions
rather
+ // than walking up through the JAXP schema-validator
frames that
+ // lack CXF-internal permissions.
+ final String sid = systemId;
+ final String buri = baseURI;
+ InputSource source = AccessController.doPrivileged(
+ (PrivilegedAction<InputSource>) () ->
resolver.resolve(sid, buri));
if (source != null) {
impl = new LSInputImpl();
impl.setByteStream(source.getByteStream());