Valentin Valchev created FELIX-4652:
---------------------------------------
Summary: Security problem with
AbstractWebConsolePlugin.spoolResource
Key: FELIX-4652
URL: https://issues.apache.org/jira/browse/FELIX-4652
Project: Felix
Issue Type: Bug
Components: Web Console
Affects Versions: webconsole-4.2.2
Reporter: Valentin Valchev
Assignee: Valentin Valchev
Fix For: webconsole-4.2.4
In AbstractWebConsolePlugin.spoolResource() reflection is used to find the
method that will actually provide the resource. However, using reflection will
require that the web console plugin to have the following permissions:
(java.lang.RuntimePermission "getClassLoader")
(java.lang.RuntimePermission "accessDeclaredMembers")
(java.lang.reflect.ReflectPermission "suppressAccessChecks")
This is due to some internals of the AbstractWebConsole, which actually should
be run in a privileged block.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
