ffang commented on code in PR #3256:
URL: https://github.com/apache/cxf/pull/3256#discussion_r3484967407
##########
core/src/main/java/org/apache/cxf/resource/SecurityActions.java:
##########
@@ -33,9 +33,14 @@ static boolean fileExists(final File file, Permission
permission) {
if (sm == null) {
return file.exists();
}
- sm.checkPermission(permission);
+ // Move the permission check inside doPrivileged so the stack walk
stops
+ // at the doPrivileged boundary. Checking outside doPrivileged walks
all
+ // the way up to user-deployment code, which must not be required to
hold
+ // a CXF-internal permission. Inside doPrivileged only CXF's own
privilege
+ // context is checked, preserving the confused-deputy guard.
return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
public Boolean run() {
+ sm.checkPermission(permission);
Review Comment:
@reta You're absolutely right — thank you for catching this. Moving
sm.checkPermission() inside doPrivileged does weaken the caller-check semantics
and is not a good fix.
The root cause of Issues 2 & 3 is that PR #3157's ACCESS_EXTERNAL_SCHEMA=""
change routes schema resolution through SchemaLSResourceResolver →
ExtendedURIResolver → URIResolver.tryFileSystem() — a code path that was never
reached in this context before. When the JAXP schema validator (JDK code)
drives that resolution under a SecurityManager, sm.checkPermission(RESOLVE_URI)
walks all the way up through the JDK validator frames, which don't hold a
CXF-internal permission, causing the failure.
The correct fix is to leave SecurityActions.fileExists() untouched — worth
noting that SecurityActions is a package-private class so only CXF's own code
in org.apache.cxf.resource can call into it directly(So any caller in your
concern is restricted in CXF code, though we still should avoid it). Instead we
wrap the resolver.resolve() call in SchemaLSResourceResolver.resolveResource()
with AccessController.doPrivileged(). That establishes the boundary at CXF's
own code: the sm.checkPermission(RESOLVE_URI) stack walk stops there, finds
that CXF's JARs hold the permission, and passes — without granting any
privilege to the JAXP/user frames above.
Will push a revised commit shortly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
