Hi Freeman,

And thanks for this fix. Do you think we can have a 4.1.8 release that we can integrate into WildFly now that the issue is solved?

Best Regards,
Fabio.

________________________________
From: ffang (via GitHub) <[email protected]>
Sent: Friday, June 26, 2026 6:30 PM
To: [email protected] <[email protected]>
Subject: [EXTERNAL] [PR] [CXF-9227] Fix SecurityManager permission regressions introduced in 4… [cxf]

ffang opened a new pull request, #3256:
URL: https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_cxf_pull_3256&d=DwIDaQ&c=BSDicqBQBDjDI9RkVyTcHQ&r=6DfnpHA4c8_1RRukaC5NgaPkggwObJL3tohfoe-PGLI&m=h8ZbGPzK1UOTjEy4pwxKK-JicNP2s-z_1UMrr48Ysav9etdughRM0Lm5Xu_3_DFO&s=Ybso3ajxEZB6JYMIF7uHjOfsogpZiKju23goOBWmndQ&e=

….1.7

## Summary

Fixes three SecurityManager permission regressions introduced in CXF 4.1.7 that break deployments running under a tight SecurityManager policy (reported by the WildFly team during their 4.1.6 → 4.1.7 upgrade CI checks).

## Root Cause

**Issue 1 — `NetPermission("getProxySelector")`** (introduced by #3154)

`ProxyFactory.getSystemProxy()` calls `ProxySelector.getDefault()` without `doPrivileged`, forcing all callers including user deployments to hold this permission.

**Issues 2 & 3 — `RuntimePermission("org.apache.cxf.permission")` and `SocketPermission`** (introduced by #3157)

Setting `ACCESS_EXTERNAL_SCHEMA=""` on `SchemaFactory` routes all schema resolution through `SchemaLSResourceResolver` → `ExtendedURIResolver` → `URIResolver.tryFileSystem()` — a code path never previously reached in this context under a SecurityManager. This exposed two pre-existing gaps:

- `SecurityActions.fileExists()` called `sm.checkPermission()` **outside** `doPrivileged`, walking the full call stack into user deployment code.
- `URIResolver.createInputStream()` called `url.openConnection()` without `doPrivileged`, requiring callers to hold `SocketPermission`.
## Fix

| File | Change |
|------|--------|
| `ProxyFactory.java` | Wrap `ProxySelector.getDefault()` in `doPrivileged` |
| `SecurityActions.java` | Move `sm.checkPermission()` inside the `doPrivileged` block so the stack walk stops at the CXF privilege boundary (confused-deputy guard preserved) |
| `URIResolver.java` | Wrap `url.openConnection()` in `doPrivileged` |
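
The stack-walk behaviour the PR description relies on, as an added example that is not part of the original message and is not CXF code: the same permission check is made once outside and once inside a `doPrivileged` block while the caller holds no permissions. The class and method names, the constructed policy and the empty "deployment" context are assumptions made for the illustration, and the code is written for JDK 17.

```java
import java.net.NetPermission;
import java.security.*;

// Added illustration, not CXF code. Assumption: JDK 17, where
// java.security.AccessController still evaluates permissions.
@SuppressWarnings("removal")
public class PrivilegeBoundaryDemo {
    static final Permission PERM = new NetPermission("getProxySelector");

    // Hypothetical library method: the check is made outside doPrivileged,
    // so the stack walk continues into every caller's protection domain.
    static boolean checkedOutside() {
        return allowed();
    }

    // Hypothetical library method: the check is made inside doPrivileged,
    // so the stack walk stops at this method's own protection domain.
    static boolean checkedInside() {
        return AccessController.doPrivileged(
            (PrivilegedAction<Boolean>) PrivilegeBoundaryDemo::allowed);
    }

    static boolean allowed() {
        try {
            AccessController.checkPermission(PERM);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed policy: any class defined by a class loader (this demo,
        // standing in for the library) is granted every permission.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) {
                return d.getClassLoader() != null;
            }
        });
        // Constructed stand-in for a deployment that holds no permissions:
        // a static, empty protection domain that the policy does not extend.
        AccessControlContext deployment = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

        boolean[] r = AccessController.doPrivileged((PrivilegedAction<boolean[]>) () ->
            new boolean[] { checkedOutside(), checkedInside() }, deployment);
        System.out.println("outside=" + r[0] + " inside=" + r[1]);
    }
}
```

The check made outside `doPrivileged` is evaluated against the permission-less caller as well, which is the situation the description reports for user deployments; the check made inside is evaluated only against the domain of the code that asserted privilege.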
