You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Andy McCright (JIRA)" <ji...@apache.org> on 2017/10/23 18:47:00 UTC
[jira] [Created] (CXF-7537) Java 2 security failures - doPrivs
needed to run with Java 2 security mgr
Andy McCright created CXF-7537:
----------------------------------
Summary: Java 2 security failures - doPrivs needed to run with Java 2 security mgr
Key: CXF-7537
URL: https://issues.apache.org/jira/browse/CXF-7537
Project: CXF
Issue Type: Bug
Components: JAX-RS
Affects Versions: 3.2.0, 3.1.11
Reporter: Andy McCright
While doing some Java 2 security testing, I found the following stacks that should be wrapped in doPriv blocks:
Caused by: java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.cxf.io.CachedOutputStream.MaxSize" "read")
at java.security.AccessController.throwACE(AccessController.java:157)
at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
at java.security.AccessController.checkPermission(AccessController.java:349)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1307)
at java.lang.System.getProperty(System.java:443)
at org.apache.cxf.io.CachedOutputStream.setDefaultMaxSize(CachedOutputStream.java:572)
at org.apache.cxf.io.CachedOutputStream.<clinit>(CachedOutputStream.java:70)
java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
at java.security.AccessController.throwACE(AccessController.java:157)
at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
at java.security.AccessController.checkPermission(AccessController.java:349)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
at java.lang.Class.checkMemberAccess(Class.java:200)
at java.lang.Class.getDeclaredMethods(Class.java:992)
at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:186)
at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:179)
at org.apache.cxf.jaxrs.lifecycle.PerRequestResourceProvider.<init>(PerRequestResourceProvider.java:63)
Caused by: java.lang.RuntimeException: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "127.0.0.1:8010" "connect,resolve")
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1503)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3034)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:500)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1586)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1615)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1559)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1356)
... 47 more
More may be exposed after resolving these...
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)