[ https://issues.apache.org/jira/browse/CXF-7537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216575#comment-16216575 ]

ASF GitHub Bot commented on CXF-7537:
-------------------------------------

sberyozkin commented on issue #325: [CXF-7537] Use doPriv when calling methods 
needing Java 2 permissions
URL: https://github.com/apache/cxf/pull/325#issuecomment-338923405
 
 
   Hi Andy, looks fine to me. In general, please do not hesitate to merge 
directly when the changes are not sensitive (bug fixes, minor improvements, 
etc), thanks

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Java 2 security failures - doPrivs needed to run with Java 2 security mgr
> -------------------------------------------------------------------------
>
>                 Key: CXF-7537
>                 URL: https://issues.apache.org/jira/browse/CXF-7537
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.1.11, 3.2.0
>            Reporter: Andy McCright
>
> While doing some Java 2 security testing, I found the following stacks that 
> should be wrapped in doPriv blocks:
> Caused by: java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.cxf.io.CachedOutputStream.MaxSize" "read")
>       at java.security.AccessController.throwACE(AccessController.java:157)
>       at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
>       at java.security.AccessController.checkPermission(AccessController.java:349)
>       at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
>       at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1307)
>       at java.lang.System.getProperty(System.java:443)
>       at org.apache.cxf.io.CachedOutputStream.setDefaultMaxSize(CachedOutputStream.java:572)
>       at org.apache.cxf.io.CachedOutputStream.<clinit>(CachedOutputStream.java:70)
>
> java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
>       at java.security.AccessController.throwACE(AccessController.java:157)
>       at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
>       at java.security.AccessController.checkPermission(AccessController.java:349)
>       at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
>       at java.lang.Class.checkMemberAccess(Class.java:200)
>       at java.lang.Class.getDeclaredMethods(Class.java:992)
>       at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:186)
>       at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:179)
>       at org.apache.cxf.jaxrs.lifecycle.PerRequestResourceProvider.<init>(PerRequestResourceProvider.java:63)
>
> Caused by: java.lang.RuntimeException: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "127.0.0.1:8010" "connect,resolve")
>       at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1503)
>       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
>       at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3034)
>       at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:500)
>       at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1586)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1615)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1559)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1356)
>       ... 47 more
> More may be exposed after resolving these...



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
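
The doPriv pattern the report asks for, applied to the first two stack traces, as an added example that is not code from the CXF pull request. The class and method names are hypothetical and Java 8 or later is assumed; `AccessController` and the Security Manager are deprecated for removal since Java 17.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration, not CXF source; class and method names are hypothetical.
public final class DoPrivSketch {

    // Property name copied from the first stack trace. Keeping it a constant
    // means the privileged block cannot be steered by a caller into reading
    // arbitrary system properties with this code's permissions.
    private static final String MAX_SIZE_PROP =
        "org.apache.cxf.io.CachedOutputStream.MaxSize";

    static String readMaxSizeProperty() {
        if (System.getSecurityManager() == null) {
            return System.getProperty(MAX_SIZE_PROP); // no checks to satisfy
        }
        // Only the permission-checked call goes inside the privileged block;
        // the stack walk stops here, so less-privileged callers no longer
        // need PropertyPermission themselves.
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(MAX_SIZE_PROP));
    }

    // Second trace: Class.getDeclaredMethods() requires
    // RuntimePermission "accessDeclaredMembers". Kept private so the class
    // argument is chosen by this code, not handed in by untrusted callers.
    private static Method[] declaredMethods(final Class<?> cls) {
        if (System.getSecurityManager() == null) {
            return cls.getDeclaredMethods();
        }
        return AccessController.doPrivileged(
            (PrivilegedAction<Method[]>) cls::getDeclaredMethods);
    }

    public static void main(String[] args) {
        System.out.println(MAX_SIZE_PROP + " = " + readMaxSizeProperty());
        System.out.println(declaredMethods(DoPrivSketch.class).length
            + " declared methods found");
    }
}
```

With a policy that grants these permissions to the library's code source only, application code calling into it no longer triggers the `AccessControlException` shown above.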
