[ https://issues.apache.org/jira/browse/MYFACES-4540?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Nicolucci resolved MYFACES-4540.
-------------------------------------
    Fix Version/s: 4.0.0-RC4
       Resolution: Fixed

> Missing doPriv in WebXmlParser
> ------------------------------
>
>                 Key: MYFACES-4540
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4540
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 4.0.0-RC2, 4.0.0-RC3
>            Reporter: Paul Nicolucci
>            Assignee: Paul Nicolucci
>            Priority: Minor
>             Fix For: 4.0.0-RC4
>
>
> The following AccessControlException can occur when Java2 Security is enabled 
> with MyFaces 4.0:
>  
> {noformat}
>  ("java.io.FilePermission" "...\server\apps\expanded\test.war\WEB-INF\web.xml" "read")
>         Stack:
>         java.security.AccessControlException: Access denied ("java.io.FilePermission" "...\server\apps\expanded\test.war\WEB-INF\web.xml" "read")
>         java.base/java.security.AccessController.throwACE(AccessController.java:176)
>         java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
>         java.base/java.security.AccessController.checkPermission(AccessController.java:385)
>         java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
>         com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
>         java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
>         java.base/java.io.File.isDirectory(File.java:856)
>         java.base/sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:78)
>         java.base/sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:184)
>         java.base/java.net.URL.openStream(URL.java:1165)
>         <unknown class>.toDocument(WebXmlParser.java:192)
>         <unknown class>.getWebXmlErrorPages(WebXmlParser.java:112)
>         <unknown class>.getErrorPages(WebXmlParser.java:84)
>         <unknown class>.isErrorPagePresent(DefaultWebConfigProvider.java:43)
>         <unknown class>.init(MyFacesExceptionHandlerWrapperImpl.java:92)
>         <unknown class>.init(MyFacesExceptionHandlerWrapperImpl.java:77)
>         <unknown class>.getUnhandledExceptionQueuedEvents(MyFacesExceptionHandlerWrapperImpl.java:171)
>         <unknown class>.getUnhandledExceptionQueuedEvents(ExceptionHandlerWrapper.java:65)
>         <unknown class>.getUnhandledExceptionQueuedEvents(ExceptionHandlerWrapper.java:65)
>         <unknown class>.handle(TestExceptionHandler.java:34)
>         <unknown class>.executePhase(LifecycleImpl.java:193)
>         <unknown class>.execute(LifecycleImpl.java:125)
>         <unknown class>.service(FacesServlet.java:223)
>         <unknown class>.service(ServletWrapper.java:1258)
> {noformat}
> This occurs when
> {code:java}
> url.openStream() {code}
> is called, which eventually calls into:
> https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/File.html#isDirectory()



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
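
The stack trace in the issue shows the permission check walking from `URL.openStream()` down through application code (`TestExceptionHandler`) that holds no `FilePermission` for `web.xml`. The sketch below is an added example, not the MyFaces fix itself: it shows the general doPrivileged pattern the issue title refers to, and the class and method names (`PrivilegedUrlStream`, `open`) are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Added illustration; class and method names are hypothetical, not MyFaces code.
public final class PrivilegedUrlStream {

    private PrivilegedUrlStream() {
    }

    // Opens a URL that the library resolved itself (for example WEB-INF/web.xml).
    // Never pass a caller-chosen URL here: the privileged block would then read
    // files on behalf of code that lacks the FilePermission.
    static InputStream open(final URL url) throws IOException {
        if (System.getSecurityManager() == null) {
            return url.openStream(); // no security manager, nothing to assert
        }
        try {
            // The stack walk stops at this frame, so callers further down the
            // stack are not checked for the "read" FilePermission.
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<InputStream>) url::openStream);
        } catch (PrivilegedActionException e) {
            // doPrivileged wraps checked exceptions; restore the IOException.
            Exception cause = e.getException();
            throw cause instanceof IOException
                    ? (IOException) cause : new IOException(cause);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input standing in for WEB-INF/web.xml.
        Path sample = Files.createTempFile("web", ".xml");
        Files.write(sample, "<web-app/>".getBytes(StandardCharsets.UTF_8));
        try (InputStream in = open(sample.toUri().toURL())) {
            System.out.println(new String(in.readAllBytes(), StandardCharsets.UTF_8));
        } finally {
            Files.delete(sample);
        }
    }
}
```

`AccessController` and `System.getSecurityManager()` are deprecated for removal since Java 17, so this compiles with warnings on newer JDKs.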
