Posted to issues@cxf.apache.org by "Daniel Kulp (JIRA)" <ji...@apache.org> on 2009/03/12 21:24:50 UTC
[jira] Resolved: (CXF-2087) CXFServlet / URIResolver tries to load file "" (empty file name)
[ https://issues.apache.org/jira/browse/CXF-2087?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp resolved CXF-2087.
------------------------------
Resolution: Fixed
Fix Version/s: 2.1.5, 2.0.11
Assignee: Daniel Kulp
If the baseURI is null or empty, several of the things in there can be skipped.
> CXFServlet / URIResolver tries to load file "" (empty file name)
> ----------------------------------------------------------------
>
> Key: CXF-2087
> URL: https://issues.apache.org/jira/browse/CXF-2087
> Project: CXF
> Issue Type: Bug
> Affects Versions: 2.1.4
> Environment: Redhat 5.2; Java 1.6.0u12; Tomcat 6.0.18; CXF 2.1.4 - java security enabled
> Reporter: Greg Vanore
> Assignee: Daniel Kulp
> Priority: Minor
> Fix For: 2.0.11, 2.1.5
>
>
> When I enable Java security, I get the following stack trace after allowing permission to 'cxf.xml' and '/WEB-INF/cxf-servlet.xml':
> java.security.AccessControlException: access denied (java.io.FilePermission read)
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> java.security.AccessController.checkPermission(AccessController.java:546)
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> java.lang.SecurityManager.checkRead(SecurityManager.java:871)
> java.io.File.exists(File.java:731)
> org.apache.cxf.resource.URIResolver.tryFileSystem(URIResolver.java:158)
> org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:84)
> org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:72)
> org.apache.cxf.resource.URIResolver.<init>(URIResolver.java:68)
> org.apache.cxf.transport.servlet.CXFServlet.loadAdditionalConfig(CXFServlet.java:148)
> org.apache.cxf.transport.servlet.CXFServlet.updateContext(CXFServlet.java:134)
> org.apache.cxf.transport.servlet.CXFServlet.loadSpringBus(CXFServlet.java:101)
> org.apache.cxf.transport.servlet.CXFServlet.loadBus(CXFServlet.java:70)
> org.apache.cxf.transport.servlet.AbstractCXFServlet.init(AbstractCXFServlet.java:79)
> Looking through the code, I see that CXFServlet uses the URIResolver constructor that calls this("", path). (lines 67-69).
> Later in the tryFileSystem method, URIResolver null-checks the baseUriStr (line 154) and then attempts to analyze it. The first File.exists() call triggers the FilePermission exception.
> I believe that this can be fixed if the URIResolver constructor calls this(null, path) instead of this("", path). Granting read permission to "" *DOES* solve the issue as a workaround, but it's less than ideal - security policies are often scrutinized and something like that may raise flags.
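The difference between a null-only check and a null-or-empty check on the base URI, as an added example that is not CXF's code. `BaseUriGuardDemo`, `checkRead`, `resolveNullCheckOnly` and `resolveSkipEmpty` are hypothetical names, and the `Set` of granted paths is a constructed stand-in for the Java policy file that holds only the two grants named in the report.

```java
import java.util.Set;

public class BaseUriGuardDemo {
    // Constructed stand-in for the policy: the two read grants the reporter mentions.
    // Real FilePermission matching is richer; exact string match is a simplification.
    static final Set<String> GRANTED_READ = Set.of("cxf.xml", "/WEB-INF/cxf-servlet.xml");

    // Stand-in for the checkRead() that File.exists() triggers under a security manager.
    static void checkRead(String target) {
        if (!GRANTED_READ.contains(target)) {
            throw new SecurityException(
                "access denied (java.io.FilePermission \"" + target + "\" read)");
        }
    }

    // Before: a null check alone lets the empty base URI reach the probe.
    static String resolveNullCheckOnly(String baseUri, String path) {
        if (baseUri != null) {
            checkRead(baseUri);
        }
        checkRead(path);
        return path;
    }

    // After: null and empty base URIs both skip the base probe.
    static String resolveSkipEmpty(String baseUri, String path) {
        if (baseUri != null && !baseUri.isEmpty()) {
            checkRead(baseUri);
        }
        checkRead(path);
        return path;
    }

    public static void main(String[] args) {
        String path = "/WEB-INF/cxf-servlet.xml"; // one of the granted paths
        try {
            resolveNullCheckOnly("", path);
        } catch (SecurityException e) {
            System.out.println("null check only: " + e.getMessage());
        }
        System.out.println("skip empty: resolved " + resolveSkipEmpty("", path));
    }
}
```

With the guard in place the policy needs no grant for the empty path, so the two file-specific grants are sufficient.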