[jira] Updated: (CXF-2087) CXFServlet / URIResolver tries to load file "" (empty file name)

Greg Vanore (JIRA) Wed, 04 Mar 2009 14:30:18 -0800

     [ 
https://issues.apache.org/jira/browse/CXF-2087?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Greg Vanore updated CXF-2087:
-----------------------------

    Description: 
When I enable Java security, I get the following stack trace after allowing 
permission to 'cxf.xml' and '/WEB-INF/cxf-servlet.xml':

java.security.AccessControlException: access denied (java.io.FilePermission  
read)
        
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        
java.security.AccessController.checkPermission(AccessController.java:546)
        java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        java.lang.SecurityManager.checkRead(SecurityManager.java:871)
        java.io.File.exists(File.java:731)
        org.apache.cxf.resource.URIResolver.tryFileSystem(URIResolver.java:158)
        org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:84)
        org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:72)
        org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:68)
        
org.apache.cxf.transport.servlet.CXFServlet.loadAdditionalConfig(CXFServlet.java:148)
        
org.apache.cxf.transport.servlet.CXFServlet.updateContext(CXFServlet.java:134)
        
org.apache.cxf.transport.servlet.CXFServlet.loadSpringBus(CXFServlet.java:101)
        org.apache.cxf.transport.servlet.CXFServlet.loadBus(CXFServlet.java:70)
        
org.apache.cxf.transport.servlet.AbstractCXFServlet.init(AbstractCXFServlet.java:79)

Looking through the code, I see that CXFServlet uses the URIResolver 
constructor that calls this("", path). (lines 67-69).

Later in the tryFileSystem method, URIResolver null-checks the baseUriStr (line 
154) and then attempts to analyze it.  The first File.exists() call triggers 
the FilePermission exception.

I believe that this can be fixed if the URIResolver constructor calls 
this(null, path) instead of this("", path).  Granting read permission to "" 
*DOES* solve the issue as a workaround, but it's less than ideal - security 
policies are often scrutinized and something like that may raise flags.

  was:
When I enable Java security, I get the following stack trace after allowing 
permission to 'cxf.xml' and '/WEB-INF/cxf-servlet.xml':

java.security.AccessControlException: access denied (java.io.FilePermission  
read)
        
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        
java.security.AccessController.checkPermission(AccessController.java:546)
        java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        java.lang.SecurityManager.checkRead(SecurityManager.java:871)
        java.io.File.exists(File.java:731)
        org.apache.cxf.resource.URIResolver.tryFileSystem(URIResolver.java:158)
        org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:84)
        org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:72)
        org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:68)
        
org.apache.cxf.transport.servlet.CXFServlet.loadAdditionalConfig(CXFServlet.java:148)
        
org.apache.cxf.transport.servlet.CXFServlet.updateContext(CXFServlet.java:134)
        
org.apache.cxf.transport.servlet.CXFServlet.loadSpringBus(CXFServlet.java:101)
        org.apache.cxf.transport.servlet.CXFServlet.loadBus(CXFServlet.java:70)
        
org.apache.cxf.transport.servlet.AbstractCXFServlet.init(AbstractCXFServlet.java:79)

Looking through the code, I see that CXFServlet uses the URIResolver 
constructor that calls this("", path). (lines 67-69).

Later in the tryFileSystem method, URIResolver null-checks the baseUriStr and 
then attempts to analyze it.  The first File.exists() call triggers the 
FilePermission exception.

I believe that this can be fixed if the URIResolver constructor calls 
this(null, path) instead of this("", path).  Granting read permission to "" 
*DOES* solve the issue as a workaround, but it's less than ideal - security 
policies are often scrutinized and something like that may raise flags.


Added line number to description.

> CXFServlet / URIResolver tries to load file "" (empty file name)
> ----------------------------------------------------------------
>
>                 Key: CXF-2087
>                 URL: https://issues.apache.org/jira/browse/CXF-2087
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 2.1.4
>         Environment: Redhat 5.2; Java 1.6.0u12; Tomcat 6.0.18; CXF 2.1.4 - 
> java security enabled
>            Reporter: Greg Vanore
>            Priority: Minor
>
> When I enable Java security, I get the following stack trace after allowing 
> permission to 'cxf.xml' and '/WEB-INF/cxf-servlet.xml':
> java.security.AccessControlException: access denied (java.io.FilePermission  
> read)
>       
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>       
> java.security.AccessController.checkPermission(AccessController.java:546)
>       java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>       java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>       java.io.File.exists(File.java:731)
>       org.apache.cxf.resource.URIResolver.tryFileSystem(URIResolver.java:158)
>       org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:84)
>       org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:72)
>       org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:68)
>       
> org.apache.cxf.transport.servlet.CXFServlet.loadAdditionalConfig(CXFServlet.java:148)
>       
> org.apache.cxf.transport.servlet.CXFServlet.updateContext(CXFServlet.java:134)
>       
> org.apache.cxf.transport.servlet.CXFServlet.loadSpringBus(CXFServlet.java:101)
>       org.apache.cxf.transport.servlet.CXFServlet.loadBus(CXFServlet.java:70)
>       
> org.apache.cxf.transport.servlet.AbstractCXFServlet.init(AbstractCXFServlet.java:79)
> Looking through the code, I see that CXFServlet uses the URIResolver 
> constructor that calls this("", path). (lines 67-69).
> Later in the tryFileSystem method, URIResolver null-checks the baseUriStr 
> (line 154) and then attempts to analyze it.  The first File.exists() call 
> triggers the FilePermission exception.
> I believe that this can be fixed if the URIResolver constructor calls 
> this(null, path) instead of this("", path).  Granting read permission to "" 
> *DOES* solve the issue as a workaround, but it's less than ideal - security 
> policies are often scrutinized and something like that may raise flags.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (CXF-2087) CXFServlet / URIResolver tries to load file "" (empty file name)

Reply via email to