Hi Colm, I made an attempt to backport to 3.6.x, i.e. https://github.com/apache/cxf/pull/3274 CC @Freeman Fang<mailto:[email protected]>.
Feel free to let me know what you think. Best Regards, Fabio. ________________________________ From: Colm O hEigeartaigh <[email protected]> Sent: Wednesday, July 1, 2026 10:55 AM To: [email protected] <[email protected]> Cc: Fabio Burzigotti <[email protected]> Subject: [EXTERNAL] Re: [PR] [CXF-9227] Fix SecurityManager permission regressions introduced in 4… [cxf] Hi, I think we might try to get some new CXF releases out in a few weeks, after backporting the security fixes to 3.6.x. Colm. On Tue, Jun 30, 2026 at 3:50 PM Freeman Fang <[email protected]> wrote: > > Hi Fabio, > > We don't have a scheduled date to release 4.1.8 for now. We normally > release CXF every 3-4 months. Given we just released CXF 4.1.7 this month > in June, I don't think we will release 4.1.8 very soon. Could you please > test against the snapshot build and verify the fix is good for you. > > Thanks! Regards > Freeman > > On Tue, Jun 30, 2026 at 10:42 AM Fabio Burzigotti <[email protected]> wrote: > > > Hi Freeman, > > And thanks for this fix. > > Do you think we can have a 4.1.8 release that we can integrate into > > WildFly now that the issue is solved? > > > > Best Regards, > > Fabio. > > > > ------------------------------ > > *From:* ffang (via GitHub) <[email protected]> > > *Sent:* Friday, June 26, 2026 6:30 PM > > *To:* [email protected] <[email protected]> > > *Subject:* [EXTERNAL] [PR] [CXF-9227] Fix SecurityManager permission > > regressions introduced in 4… [cxf] > > > > > > ffang opened a new pull request, #3256: > > URL: > > https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_cxf_pull_3256&d=DwIDaQ&c=BSDicqBQBDjDI9RkVyTcHQ&r=6DfnpHA4c8_1RRukaC5NgaPkggwObJL3tohfoe-PGLI&m=h8ZbGPzK1UOTjEy4pwxKK-JicNP2s-z_1UMrr48Ysav9etdughRM0Lm5Xu_3_DFO&s=Ybso3ajxEZB6JYMIF7uHjOfsogpZiKju23goOBWmndQ&e= > > > > ….1.7 > > > > ## Summary > > > > Fixes three SecurityManager permission regressions introduced in CXF > > 4.1.7 > > that break deployments running under a tight SecurityManager policy > > (reported > > by the WildFly team during their 4.1.6 → 4.1.7 upgrade CI checks). > > > > ## Root Cause > > > > **Issue 1 — `NetPermission("getProxySelector")`** (introduced by #3154) > > > > `ProxyFactory.getSystemProxy()` calls `ProxySelector.getDefault()` > > without > > `doPrivileged`, forcing all callers including user deployments to hold > > this > > permission. > > > > **Issues 2 & 3 — `RuntimePermission("org.apache.cxf.permission")` and > > `SocketPermission`** (introduced by #3157) > > > > Setting `ACCESS_EXTERNAL_SCHEMA=""` on `SchemaFactory` routes all schema > > resolution through `SchemaLSResourceResolver` → `ExtendedURIResolver` → > > `URIResolver.tryFileSystem()` — a code path never previously reached in > > this > > context under a SecurityManager. This exposed two pre-existing gaps: > > - `SecurityActions.fileExists()` called `sm.checkPermission()` > > **outside** > > `doPrivileged`, walking the full call stack into user deployment code. > > - `URIResolver.createInputStream()` called `url.openConnection()` > > without > > `doPrivileged`, requiring callers to hold `SocketPermission`. > > > > ## Fix > > > > | File | Change | > > |------|--------| > > | `ProxyFactory.java` | Wrap `ProxySelector.getDefault()` in > > `doPrivileged` | > > | `SecurityActions.java` | Move `sm.checkPermission()` inside the > > `doPrivileged` block so the stack walk stops at the CXF privilege boundary > > (confused-deputy guard preserved) | > > | `URIResolver.java` | Wrap `url.openConnection()` in `doPrivileged` | > > > > > > > > -- > > This is an automated message from the Apache Git Service. > > To respond to the message, please log on to GitHub and use the > > URL above to go to the specific comment. > > > > To unsubscribe, e-mail: [email protected] > > > > For queries about this service, please contact Infrastructure at: > > [email protected] > > > > Unless otherwise stated above: > > > > IBM Italia S.p.A. > > Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) > > Cap. Soc. euro 247.656.998.20 > > C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 > > Società con unico azionista > > Società soggetta all'attività di direzione e coordinamento di > > International Business Machines Corporation > > Unless otherwise stated above: IBM Italia S.p.A. Sede Legale: Circonvallazione Idroscalo - 20054 Segrate (MI) Cap. Soc. euro 247.656.998.20 C. F. e Reg. Imprese MI 01442240030 - Partita IVA 10914660153 Società con unico azionista Società soggetta all'attività di direzione e coordinamento di International Business Machines Corporation
