[jira] [Created] (MYFACES-4540) Missing doPriv in WebXmlParser

Tue, 03 Jan 2023 09:10:07 -0800 

Paul Nicolucci created MYFACES-4540:
---------------------------------------

             Summary: Missing doPriv in WebXmlParser
                 Key: MYFACES-4540
                 URL: https://issues.apache.org/jira/browse/MYFACES-4540
             Project: MyFaces Core
          Issue Type: Bug
          Components: General
    Affects Versions: 4.0.0-RC2, 4.0.0-RC3
            Reporter: Paul Nicolucci
            Assignee: Paul Nicolucci


The following AccessControlException can occur when Java2 Security is enabled 
with MyFaces 4.0:

 
{noformat}
 ("java.io.FilePermission" "...\server\apps\expanded\test.war\WEB-INF\web.xml" 
"read")
        Stack: 
        java.security.AccessControlException: Access denied 
("java.io.FilePermission" "...\server\apps\expanded\test.war\WEB-INF\web.xml"
            
"read")java.base/java.security.AccessController.throwACE(AccessController.java:176)
        
java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
        
java.base/java.security.AccessController.checkPermission(AccessController.java:385)
        
java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
        
com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
        java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
        java.base/java.io.File.isDirectory(File.java:856)
        
java.base/sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:78)
        
java.base/sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:184)
        java.base/java.net.URL.openStream(URL.java:1165)
        <unknown class>.toDocument(WebXmlParser.java:192)
        <unknown class>.getWebXmlErrorPages(WebXmlParser.java:112)
        <unknown class>.getErrorPages(WebXmlParser.java:84)
        <unknown class>.isErrorPagePresent(DefaultWebConfigProvider.java:43)
        <unknown class>.init(MyFacesExceptionHandlerWrapperImpl.java:92)
        <unknown class>.init(MyFacesExceptionHandlerWrapperImpl.java:77)
        <unknown 
class>.getUnhandledExceptionQueuedEvents(MyFacesExceptionHandlerWrapperImpl.java:171)
        <unknown 
class>.getUnhandledExceptionQueuedEvents(ExceptionHandlerWrapper.java:65)
        <unknown 
class>.getUnhandledExceptionQueuedEvents(ExceptionHandlerWrapper.java:65)
        <unknown class>.handle(TestExceptionHandler.java:34)
        <unknown class>.executePhase(LifecycleImpl.java:193)
        <unknown class>.execute(LifecycleImpl.java:125)
        <unknown class>.service(FacesServlet.java:223)
        <unknown class>.service(ServletWrapper.java:1258){noformat}
The occurs when 
{code:java}
url.openStream() {code}
is called which eventually calls into: 
https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/File.html#isDirectory()



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to