This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.6.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/3.6.x-fixes by this push:
     new 8fec5b32eb6 [CXF-9227] - Fix SecurityManager permission regressions 
(#3274)
8fec5b32eb6 is described below

commit 8fec5b32eb645e89b64ad6c3450fe1e9542f6ab1
Author: Fabio Burzigotti <[email protected]>
AuthorDate: Fri Jul 3 18:18:49 2026 +0200

    [CXF-9227] - Fix SecurityManager permission regressions (#3274)
---
 core/src/main/java/org/apache/cxf/resource/URIResolver.java | 13 ++++++++++++-
 .../apache/cxf/ws/addressing/EndpointReferenceUtils.java    | 12 +++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/resource/URIResolver.java 
b/core/src/main/java/org/apache/cxf/resource/URIResolver.java
index a694fb1fe61..f1ba2b029f0 100644
--- a/core/src/main/java/org/apache/cxf/resource/URIResolver.java
+++ b/core/src/main/java/org/apache/cxf/resource/URIResolver.java
@@ -32,6 +32,8 @@ import java.net.URLDecoder;
 import java.nio.file.Files;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -270,7 +272,16 @@ public class URIResolver implements AutoCloseable {
 
     private HttpURLConnection createInputStream() throws IOException {
         checkAllowedScheme(url);
-        HttpURLConnection huc = (HttpURLConnection)url.openConnection();
+        // Wrap the network connection in doPrivileged so that callers 
(including
+        // user deployments) do not need SocketPermission for the target host.
+        final HttpURLConnection huc;
+        try {
+            huc = AccessController.doPrivileged(
+                (PrivilegedExceptionAction<HttpURLConnection>) () ->
+                    (HttpURLConnection)url.openConnection());
+        } catch (PrivilegedActionException e) {
+            throw (IOException) e.getException();
+        }
 
         String host = SystemPropertyAction.getPropertyOrNull("http.proxyHost");
         if (host != null) {
diff --git 
a/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java 
b/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
index 9bad1732625..75bf5d6600f 100644
--- 
a/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
+++ 
b/core/src/main/java/org/apache/cxf/ws/addressing/EndpointReferenceUtils.java
@@ -27,6 +27,8 @@ import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
 import java.util.List;
@@ -199,7 +201,15 @@ public final class EndpointReferenceUtils {
                     systemId = publicId;
                 }
                 if (systemId != null) {
-                    InputSource source = resolver.resolve(systemId, baseURI);
+                    // Run inside doPrivileged so that sm.checkPermission() 
calls
+                    // inside the resolver chain (SecurityActions.fileExists) 
stop
+                    // at this boundary and check only CXF's own permissions 
rather
+                    // than walking up through the JAXP schema-validator 
frames that
+                    // lack CXF-internal permissions.
+                    final String sid = systemId;
+                    final String buri = baseURI;
+                    InputSource source = AccessController.doPrivileged(
+                        (PrivilegedAction<InputSource>) () -> 
resolver.resolve(sid, buri));
                     if (source != null) {
                         impl = new LSInputImpl();
                         impl.setByteStream(source.getByteStream());

Reply via email to