Hi Freeman,
  I've tested the fix and at least the job that has the Security Manager 
enabled is currently passing.
I've started a wider set of test jobs now, but they'll take some more time to 
finish.

Best Regards,
Fabio.
________________________________
From: Freeman Fang <[email protected]>
Sent: Tuesday, June 30, 2026 4:50 PM
To: Fabio Burzigotti <[email protected]>
Cc: [email protected] <[email protected]>
Subject: [EXTERNAL] Re: [PR] [CXF-9227] Fix SecurityManager permission 
regressions introduced in 4… [cxf]

Hi Fabio,

We don't have a scheduled date to release 4.1.8 for now. We normally release 
CXF every 3-4 months. Given we just released CXF 4.1.7 this month in June, I 
don't think we will release 4.1.8 very soon. Could you please test against the 
snapshot build and verify the fix is good for you.

Thanks! Regards
Freeman

On Tue, Jun 30, 2026 at 10:42 AM Fabio Burzigotti <[email protected]> wrote:
Hi Freeman,
 And thanks for this fix.
Do you think we can have a 4.1.8 release that we can integrate into WildFly now 
that the issue is solved?

Best Regards,
Fabio.

________________________________
From: ffang (via GitHub) <[email protected]>
Sent: Friday, June 26, 2026 6:30 PM
To: [email protected]
Subject: [EXTERNAL] [PR] [CXF-9227] Fix SecurityManager permission regressions 
introduced in 4… [cxf]


ffang opened a new pull request, #3256:
URL: https://github.com/apache/cxf/pull/3256

   ….1.7

   ## Summary

   Fixes three SecurityManager permission regressions introduced in CXF 4.1.7
   that break deployments running under a tight SecurityManager policy (reported
   by the WildFly team during their 4.1.6 → 4.1.7 upgrade CI checks).

   ## Root Cause

   **Issue 1 — `NetPermission("getProxySelector")`** (introduced by #3154)

   `ProxyFactory.getSystemProxy()` calls `ProxySelector.getDefault()` without
   `doPrivileged`, forcing all callers including user deployments to hold this
   permission.

   **Issues 2 & 3 — `RuntimePermission("org.apache.cxf.permission")` and
   `SocketPermission`** (introduced by #3157)

   Setting `ACCESS_EXTERNAL_SCHEMA=""` on `SchemaFactory` routes all schema
   resolution through `SchemaLSResourceResolver` → `ExtendedURIResolver` →
   `URIResolver.tryFileSystem()` — a code path never previously reached in this
   context under a SecurityManager. This exposed two pre-existing gaps:
   - `SecurityActions.fileExists()` called `sm.checkPermission()` **outside**
     `doPrivileged`, walking the full call stack into user deployment code.
   - `URIResolver.createInputStream()` called `url.openConnection()` without
     `doPrivileged`, requiring callers to hold `SocketPermission`.

   ## Fix

   | File | Change |
   |------|--------|
   | `ProxyFactory.java` | Wrap `ProxySelector.getDefault()` in `doPrivileged` |
   | `SecurityActions.java` | Move `sm.checkPermission()` inside the `doPrivileged` block so the stack walk stops at the CXF privilege boundary (confused-deputy guard preserved) |
   | `URIResolver.java` | Wrap `url.openConnection()` in `doPrivileged` |




Unless otherwise stated above:

IBM Italia S.p.A.
Registered office: Circonvallazione Idroscalo - 20054 Segrate (MI)
Share capital: euro 247.656.998.20
Tax code and Milan Companies Register no. 01442240030 - VAT no. 10914660153
Company with a sole shareholder
Company subject to the direction and coordination of International 
Business Machines Corporation
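
The privilege-boundary behaviour described in the pull request's Root Cause and Fix sections, as an added example that is not part of the thread or of CXF's code. It assumes JDK 17 to 23 (where `AccessController` and `Policy` still function); the class, the method names, the policy and the permission-less "deployment" context are all constructed for illustration, and an explicit `checkPermission` stands in for the check a SecurityManager would trigger inside `ProxySelector.getDefault()`.

```java
import java.net.NetPermission;
import java.net.ProxySelector;
import java.security.*;

// Hypothetical demo class, not CXF code. Assumes JDK 17-23.
public class PrivilegeBoundaryDemo {
    static final Permission PERM = new NetPermission("getProxySelector");

    // Before the fix: the check walks the whole stack, so the caller's domain needs PERM too.
    static ProxySelector unwrapped() {
        AccessController.checkPermission(PERM); // stand-in for the SecurityManager check
        return ProxySelector.getDefault();
    }

    // After the fix: doPrivileged marks the boundary, so the walk stops at this class's domain.
    static ProxySelector wrapped() {
        return AccessController.doPrivileged((PrivilegedAction<ProxySelector>) () -> {
            AccessController.checkPermission(PERM);
            return ProxySelector.getDefault();
        });
    }

    // Runs a library call as if invoked from a user deployment that holds no permissions.
    static boolean allowed(PrivilegedAction<ProxySelector> libraryCall) {
        // Constructed context: a static ProtectionDomain with an empty permission set.
        AccessControlContext deployment = new AccessControlContext(
            new ProtectionDomain[] {new ProtectionDomain(null, new Permissions())});
        try {
            AccessController.doPrivileged(libraryCall, deployment);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed policy: code defined by a class loader (the "library") gets every permission.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) {
                return d.getClassLoader() != null;
            }
        });
        System.out.println("unwrapped allowed: " + allowed(PrivilegeBoundaryDemo::unwrapped));
        System.out.println("wrapped allowed:   " + allowed(PrivilegeBoundaryDemo::wrapped));
    }
}
```

The unwrapped call is denied because the permission-less deployment domain is still part of the checked context, while the wrapped call is allowed because only the library's own domain is consulted. Any caller-facing authorization the library wants to keep has to be enforced separately, since everything inside the `doPrivileged` block runs with the library's permissions.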
