Hi Colm, It sounds good, thanks for sharing this. Best Regards, Fabio. ________________________________ From: Colm O hEigeartaigh <[email protected]> Sent: Tuesday, July 7, 2026 6:09 PM To: Fabio Burzigotti <[email protected]> Cc: [email protected] <[email protected]>; Freeman Fang <[email protected]> Subject: [EXTERNAL] Re: [PR] [CXF-9227] Fix SecurityManager permission regressions introduced in 4… [cxf]
Hi Fabio, We don't have an exact date, I think though we should try to get it done before the end of July. Colm. On Mon, Jul 6, 2026 at 12:31 PM Fabio Burzigotti <[email protected]> wrote: > > Hi Colm, and CC @Freeman Fang, > This is just for my own information as I'd have to plan with the team the > right moves for the upcoming WildFly and JBoss EAP releases. > We'd like to know whether you'd confirm that a release of Apache CXF 4.1.8 is > planned soon, and if there's a date that we can pin in order to synchronize > for the required component upgrades. > > Thanks for your support, > Fabio. > ________________________________ > From: Colm O hEigeartaigh <[email protected]> > Sent: Wednesday, July 1, 2026 10:55 AM > To: [email protected] <[email protected]> > Cc: Fabio Burzigotti <[email protected]> > Subject: [EXTERNAL] Re: [PR] [CXF-9227] Fix SecurityManager permission > regressions introduced in 4… [cxf] > > Hi, > > I think we might try to get some new CXF releases out in a few weeks, > after backporting the security fixes to 3.6.x. > > Colm. > > On Tue, Jun 30, 2026 at 3:50 PM Freeman Fang <[email protected]> wrote: > > > > Hi Fabio, > > > > We don't have a scheduled date to release 4.1.8 for now. We normally > > release CXF every 3-4 months. Given we just released CXF 4.1.7 this month > > in June, I don't think we will release 4.1.8 very soon. Could you please > > test against the snapshot build and verify the fix is good for you. > > > > Thanks! Regards > > Freeman > > > > On Tue, Jun 30, 2026 at 10:42 AM Fabio Burzigotti <[email protected]> wrote: > > > > > Hi Freeman, > > > And thanks for this fix. > > > Do you think we can have a 4.1.8 release that we can integrate into > > > WildFly now that the issue is solved? > > > > > > Best Regards, > > > Fabio. > > > > > > ------------------------------ > > > *From:* ffang (via GitHub) <[email protected]> > > > *Sent:* Friday, June 26, 2026 6:30 PM > > > *To:* [email protected] <[email protected]> > > > *Subject:* [EXTERNAL] [PR] [CXF-9227] Fix SecurityManager permission > > > regressions introduced in 4… [cxf] > > > > > > > > > ffang opened a new pull request, #3256: > > > URL: > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_cxf_pull_3256&d=DwIDaQ&c=BSDicqBQBDjDI9RkVyTcHQ&r=6DfnpHA4c8_1RRukaC5NgaPkggwObJL3tohfoe-PGLI&m=h8ZbGPzK1UOTjEy4pwxKK-JicNP2s-z_1UMrr48Ysav9etdughRM0Lm5Xu_3_DFO&s=Ybso3ajxEZB6JYMIF7uHjOfsogpZiKju23goOBWmndQ&e= > > > > > > ….1.7 > > > > > > ## Summary > > > > > > Fixes three SecurityManager permission regressions introduced in CXF > > > 4.1.7 > > > that break deployments running under a tight SecurityManager policy > > > (reported > > > by the WildFly team during their 4.1.6 → 4.1.7 upgrade CI checks). > > > > > > ## Root Cause > > > > > > **Issue 1 — `NetPermission("getProxySelector")`** (introduced by #3154) > > > > > > `ProxyFactory.getSystemProxy()` calls `ProxySelector.getDefault()` > > > without > > > `doPrivileged`, forcing all callers including user deployments to hold > > > this > > > permission. > > > > > > **Issues 2 & 3 — `RuntimePermission("org.apache.cxf.permission")` and > > > `SocketPermission`** (introduced by #3157) > > > > > > Setting `ACCESS_EXTERNAL_SCHEMA=""` on `SchemaFactory` routes all > > > schema > > > resolution through `SchemaLSResourceResolver` → `ExtendedURIResolver` → > > > `URIResolver.tryFileSystem()` — a code path never previously reached in > > > this > > > context under a SecurityManager. This exposed two pre-existing gaps: > > > - `SecurityActions.fileExists()` called `sm.checkPermission()` > > > **outside** > > > `doPrivileged`, walking the full call stack into user deployment > > > code. > > > - `URIResolver.createInputStream()` called `url.openConnection()` > > > without > > > `doPrivileged`, requiring callers to hold `SocketPermission`. > > > > > > ## Fix > > > > > > | File | Change | > > > |------|--------| > > > | `ProxyFactory.java` | Wrap `ProxySelector.getDefault()` in > > > `doPrivileged` | > > > | `SecurityActions.java` | Move `sm.checkPermission()` inside the > > > `doPrivileged` block so the stack walk stops at the CXF privilege boundary > > > (confused-deputy guard preserved) | > > > | `URIResolver.java` | Wrap `url.openConnection()` in `doPrivileged` | > > > > > > > > > > > > -- > > > This is an automated message from the Apache Git Service. > > > To respond to the message, please log on to GitHub and use the > > > URL above to go to the specific comment. > > > > > > To unsubscribe, e-mail: [email protected] > > > > > > For queries about this service, please contact Infrastructure at: > > > [email protected] > > > > > > Unless otherwise stated above: > > > > > > IBM Italia S.p.A. > > > Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) > > > Cap. Soc. euro 247.656.998.20 > > > C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 > > > Società con unico azionista > > > Società soggetta all'attività di direzione e coordinamento di > > > International Business Machines Corporation > > > > Unless otherwise stated above: > > IBM Italia S.p.A. > Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) > Cap. Soc. euro 247.656.998.20 > C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 > Società con unico azionista > Società soggetta all'attività di direzione e coordinamento di International > Business Machines Corporation Unless otherwise stated above: IBM Italia S.p.A. Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) Cap. Soc. euro 247.656.998.20 C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 Società con unico azionista Società soggetta all'attività di direzione e coordinamento di International Business Machines Corporation
