Hi Freeman,
And thanks for this fix.
Do you think we can have a 4.1.8 release that we can integrate into WildFly now that the issue is solved?

Best Regards,
Fabio.

________________________________
From: ffang (via GitHub) <[email protected]>
Sent: Friday, June 26, 2026 6:30 PM
To: [email protected] <[email protected]>
Subject: [EXTERNAL] [PR] [CXF-9227] Fix SecurityManager permission regressions introduced in 4… [cxf]


ffang opened a new pull request, #3256:
URL: https://github.com/apache/cxf/pull/3256

   ….1.7

   ## Summary

   Fixes three SecurityManager permission regressions introduced in CXF 4.1.7
   that break deployments running under a tight SecurityManager policy (reported
   by the WildFly team during their 4.1.6 → 4.1.7 upgrade CI checks).

   ## Root Cause

   **Issue 1 — `NetPermission("getProxySelector")`** (introduced by #3154)

   `ProxyFactory.getSystemProxy()` calls `ProxySelector.getDefault()` without
   `doPrivileged`, forcing all callers including user deployments to hold this
   permission.

   **Issues 2 & 3 — `RuntimePermission("org.apache.cxf.permission")` and
   `SocketPermission`** (introduced by #3157)

   Setting `ACCESS_EXTERNAL_SCHEMA=""` on `SchemaFactory` routes all schema
   resolution through `SchemaLSResourceResolver` → `ExtendedURIResolver` →
   `URIResolver.tryFileSystem()` — a code path never previously reached in this
   context under a SecurityManager. This exposed two pre-existing gaps:
   - `SecurityActions.fileExists()` called `sm.checkPermission()` **outside**
     `doPrivileged`, walking the full call stack into user deployment code.
   - `URIResolver.createInputStream()` called `url.openConnection()` without
     `doPrivileged`, requiring callers to hold `SocketPermission`.

   ## Fix

   | File | Change |
   |------|--------|
   | `ProxyFactory.java` | Wrap `ProxySelector.getDefault()` in `doPrivileged` |
   | `SecurityActions.java` | Move `sm.checkPermission()` inside the `doPrivileged` block so the stack walk stops at the CXF privilege boundary (confused-deputy guard preserved) |
   | `URIResolver.java` | Wrap `url.openConnection()` in `doPrivileged` |



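The privilege-boundary pattern the pull request describes, as an added Java illustration that is not CXF's code and not part of the original messages. The class and method names are hypothetical; only the permission names come from the PR text.

```java
import java.io.File;
import java.net.ProxySelector;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;

// Added illustration: class and method names are hypothetical, not CXF's.
@SuppressWarnings("removal") // SecurityManager APIs are deprecated for removal since Java 17
public final class PrivilegedBoundaryDemo {

    // Before: the JDK's check inside ProxySelector.getDefault() walks the whole
    // call stack, so every caller, including deployment code, must hold
    // NetPermission("getProxySelector").
    static ProxySelector selectorUnwrapped() {
        return ProxySelector.getDefault();
    }

    // After: the stack walk stops at this frame, so only the protection domain
    // of the library containing this class needs the permission.
    static ProxySelector selectorPrivileged() {
        return AccessController.doPrivileged(
            (PrivilegedAction<ProxySelector>) ProxySelector::getDefault);
    }

    // Explicit guard evaluated inside the privileged block: the check no longer
    // reaches the caller's frames, but this class's own domain must still hold
    // the guard permission before the file system is touched.
    static boolean fileExistsPrivileged(File file, Permission guard) {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(guard);
            }
            return file.exists();
        });
    }

    public static void main(String[] args) {
        // Without a SecurityManager installed, both variants behave the same.
        System.out.println(selectorUnwrapped() == selectorPrivileged());
        // Permission name taken from the PR text; the temp-dir path is sample input.
        Permission guard = new RuntimePermission("org.apache.cxf.permission");
        File dir = new File(System.getProperty("java.io.tmpdir"));
        System.out.println(fileExistsPrivileged(dir, guard));
    }
}
```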