Andy McCright created CXF-7537:
----------------------------------

Summary: Java 2 security failures - doPrivs needed to run with Java 2 security mgr
Key: CXF-7537
URL: https://issues.apache.org/jira/browse/CXF-7537
Project: CXF
Issue Type: Bug
Components: JAX-RS
Affects Versions: 3.2.0, 3.1.11
Reporter: Andy McCright

While doing some Java 2 security testing, I found the following stacks that should be wrapped in doPriv blocks:

Caused by: java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.cxf.io.CachedOutputStream.MaxSize" "read")
    at java.security.AccessController.throwACE(AccessController.java:157)
    at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
    at java.security.AccessController.checkPermission(AccessController.java:349)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
    at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1307)
    at java.lang.System.getProperty(System.java:443)
    at org.apache.cxf.io.CachedOutputStream.setDefaultMaxSize(CachedOutputStream.java:572)
    at org.apache.cxf.io.CachedOutputStream.<clinit>(CachedOutputStream.java:70)

java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessController.throwACE(AccessController.java:157)
    at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
    at java.security.AccessController.checkPermission(AccessController.java:349)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
    at java.lang.Class.checkMemberAccess(Class.java:200)
    at java.lang.Class.getDeclaredMethods(Class.java:992)
    at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:186)
    at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:179)
    at org.apache.cxf.jaxrs.lifecycle.PerRequestResourceProvider.<init>(PerRequestResourceProvider.java:63)

Caused by: java.lang.RuntimeException: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "127.0.0.1:8010" "connect,resolve")
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1503)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3034)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:500)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1586)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1615)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1559)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1356)
    ... 47 more

More may be exposed after resolving these...

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
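
An added example of the doPrivileged wrapping the report asks for, covering the first two stacks (the property read and the getDeclaredMethods call); it is not CXF's code or its actual fix. The class and method names are hypothetical, @Deprecated stands in for @PreDestroy to avoid an extra dependency, and only the property name is taken from the first stack trace.

```java
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper class; names are illustrative, not CXF's.
public final class DoPrivSketch {
    // Property name copied from the first AccessControlException in the report.
    private static final String MAX_SIZE_PROP =
        "org.apache.cxf.io.CachedOutputStream.MaxSize";

    private DoPrivSketch() { }

    // The property name is a constant, so a less-privileged caller cannot
    // use this method to read arbitrary system properties.
    static String readMaxSizeProperty() {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(MAX_SIZE_PROP));
    }

    // Only the reflective lookup runs privileged; filtering happens outside.
    // Kept package-private: the class argument is caller-supplied, and a public
    // version would let any caller enumerate declared methods with this
    // library's accessDeclaredMembers permission.
    static Method findAnnotatedMethod(Class<?> cls, Class<? extends Annotation> ann) {
        Method[] methods = AccessController.doPrivileged(
            (PrivilegedAction<Method[]>) cls::getDeclaredMethods);
        for (Method m : methods) {
            if (m.isAnnotationPresent(ann)) {
                return m;
            }
        }
        return null;
    }

    // Constructed sample resource class for the demonstration below.
    static class SampleResource {
        @Deprecated
        public void cleanup() { }
    }

    public static void main(String[] args) {
        System.out.println("MaxSize property: " + readMaxSizeProperty());
        System.out.println("Annotated method: "
            + findAnnotatedMethod(SampleResource.class, Deprecated.class));
    }
}
```

With a security manager installed, the library's code source still needs the PropertyPermission and RuntimePermission named in the exceptions; doPrivileged only stops the check from also requiring them of the calling application's code.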