[ https://issues.apache.org/jira/browse/CXF-7537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16221129#comment-16221129 ]

ASF GitHub Bot commented on CXF-7537:
-------------------------------------

andymc12 commented on issue #326: [CXF-7537] Use doPriv when calling methods 
needing Java 2 permissions - 3.1.X
URL: https://github.com/apache/cxf/pull/326#issuecomment-339785475
 
 
   I must've mixed streams here... I'm planning to close this PR and resubmit 
the doPriv changes from PR #325 into the 3.1.X stream directly.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Java 2 security failures - doPrivs needed to run with Java 2 security mgr
> -------------------------------------------------------------------------
>
>                 Key: CXF-7537
>                 URL: https://issues.apache.org/jira/browse/CXF-7537
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.1.11, 3.2.0
>            Reporter: Andy McCright
>
> While doing some Java 2 security testing, I found the following stacks that should be wrapped in doPriv blocks:
> Caused by: java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.cxf.io.CachedOutputStream.MaxSize" "read")
>       at java.security.AccessController.throwACE(AccessController.java:157)
>       at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
>       at java.security.AccessController.checkPermission(AccessController.java:349)
>       at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
>       at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1307)
>       at java.lang.System.getProperty(System.java:443)
>       at org.apache.cxf.io.CachedOutputStream.setDefaultMaxSize(CachedOutputStream.java:572)
>       at org.apache.cxf.io.CachedOutputStream.<clinit>(CachedOutputStream.java:70)
> java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
>       at java.security.AccessController.throwACE(AccessController.java:157)
>       at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
>       at java.security.AccessController.checkPermission(AccessController.java:349)
>       at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
>       at java.lang.Class.checkMemberAccess(Class.java:200)
>       at java.lang.Class.getDeclaredMethods(Class.java:992)
>       at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:186)
>       at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:179)
>       at org.apache.cxf.jaxrs.lifecycle.PerRequestResourceProvider.<init>(PerRequestResourceProvider.java:63)
> Caused by: java.lang.RuntimeException: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "127.0.0.1:8010" "connect,resolve")
>       at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1503)
>       at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
>       at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3034)
>       at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:500)
>       at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1586)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1615)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1559)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1356)
>       ... 47 more
> More may be exposed after resolving these...



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
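
The first two stacks in the issue above fail in `System.getProperty` and `Class.getDeclaredMethods`. The following is an added example of the doPriv pattern for those two calls; it is not the CXF patch or code from PR #325/#326, and the class and method names (`DoPrivExample`, `readMaxSize`, `declaredMethods`) are hypothetical.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration only; not CXF source. AccessController is deprecated
// since Java 17 but is the API in use on the JVMs this issue targets.
public final class DoPrivExample {

    // Property name taken from the first stack trace in the issue.
    private static final String MAX_SIZE_KEY =
        "org.apache.cxf.io.CachedOutputStream.MaxSize";

    // The key is a compile-time constant, so this wrapper cannot be used by
    // less-privileged callers to read arbitrary system properties.
    static String readMaxSize() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(MAX_SIZE_KEY));
    }

    // Parsing happens outside the privileged block: keep the block to the
    // single call that needs the permission.
    static long maxSizeOrDefault(long dflt) {
        String raw = readMaxSize();
        if (raw == null) {
            return dflt;
        }
        try {
            return Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            return dflt;
        }
    }

    // Takes a caller-supplied class, so it stays private: exposing it would
    // lend the library's accessDeclaredMembers permission to any caller.
    private static Method[] declaredMethods(final Class<?> c) {
        return AccessController.doPrivileged(
            (PrivilegedAction<Method[]>) c::getDeclaredMethods);
    }

    public static void main(String[] args) {
        System.out.println("max size: " + maxSizeOrDefault(-1L));
        System.out.println("declared methods: "
            + declaredMethods(DoPrivExample.class).length);
    }
}
```

With a security manager installed, the policy still has to grant the `PropertyPermission` and `RuntimePermission` to the library's own code source; `doPrivileged` only stops the permission check from continuing into the caller's frames.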
