Posted to commits@cxf.apache.org by em...@apache.org on 2019/11/04 02:14:09 UTC

[cxf] branch master updated: [CXF-8140]:setAccessible(true) before reflection method java.security… (#592)

This is an automated email from the ASF dual-hosted git repository.

ema pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 8df29be  [CXF-8140]:setAccessible(true) before reflection method java.security… (#592)
8df29be is described below

commit 8df29be4ed1ed337f6cbd953b5523019ed92acec
Author: jimma <em...@apache.org>
AuthorDate: Mon Nov 4 10:13:59 2019 +0800

    [CXF-8140]:setAccessible(true) before reflection method java.security… (#592)
    
    * [CXF-8140]:setAccessible(true) before reflection method java.security.acl.Group#members invocation
    
    * [CXF-8140]:Add test and log the AccessDenied exception
---
 .../security/DefaultSecurityContext.java           |  9 ++-
 .../security/DefaultSecurityContextTest.java       | 14 ++++
 .../interceptor/security/test/GroupWrapper.java    | 82 ++++++++++++++++++++++
 3 files changed, 104 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/apache/cxf/interceptor/security/DefaultSecurityContext.java b/core/src/main/java/org/apache/cxf/interceptor/security/DefaultSecurityContext.java
index 9d25b71..aa1a6da 100644
--- a/core/src/main/java/org/apache/cxf/interceptor/security/DefaultSecurityContext.java
+++ b/core/src/main/java/org/apache/cxf/interceptor/security/DefaultSecurityContext.java
@@ -24,9 +24,12 @@ import java.security.Principal;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import javax.security.auth.Subject;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.security.GroupPrincipal;
 import org.apache.cxf.common.util.ReflectionUtil;
 import org.apache.cxf.security.LoginSecurityContext;
@@ -37,7 +40,7 @@ import org.apache.cxf.security.LoginSecurityContext;
  * Groups the principal is a member of
  */
 public class DefaultSecurityContext implements LoginSecurityContext {
-    
+    private static final Logger LOG = LogUtils.getL7dLogger(DefaultSecurityContext.class);
     private static Class<?> javaGroup; 
     private static Class<?> karafGroup;
     
@@ -127,10 +130,14 @@ public class DefaultSecurityContext implements LoginSecurityContext {
         Enumeration<? extends Principal> members;
         try {
             Method m = ReflectionUtil.getMethod(principal.getClass(), "members");
+            m.setAccessible(true);
             @SuppressWarnings("unchecked")
             Enumeration<? extends Principal> ms = (Enumeration<? extends Principal>)m.invoke(principal);
             members = ms;
         } catch (Exception e) {
+            if (LOG.isLoggable(Level.FINE)) {
+                LOG.fine("Unable to invoke memebers in " + principal.getName() + ":" + e.getMessage());
+            }
             return false;
         }
         
diff --git a/core/src/test/java/org/apache/cxf/interceptor/security/DefaultSecurityContextTest.java b/core/src/test/java/org/apache/cxf/interceptor/security/DefaultSecurityContextTest.java
index 3a80cfc..f4faf7d 100644
--- a/core/src/test/java/org/apache/cxf/interceptor/security/DefaultSecurityContextTest.java
+++ b/core/src/test/java/org/apache/cxf/interceptor/security/DefaultSecurityContextTest.java
@@ -27,6 +27,7 @@ import javax.security.auth.Subject;
 import org.apache.cxf.common.security.GroupPrincipal;
 import org.apache.cxf.common.security.SimpleGroup;
 import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.interceptor.security.test.GroupWrapper;
 import org.apache.cxf.security.LoginSecurityContext;
 
 import org.junit.Test;
@@ -117,5 +118,18 @@ public class DefaultSecurityContextTest {
         assertFalse(context.isUserInRole("family"));
         assertFalse(context.isUserInRole("Barry"));
     }
+    
+    @Test
+    public void testPrivateStaticGroup() {
+        Subject s = new Subject();
+        Principal p = new SimplePrincipal("Barry");
+        s.getPrincipals().add(p);
+        //create a friend group and add Barry to this group
+        GroupWrapper test = new GroupWrapper("friend", "Barry");
+        s.getPrincipals().add(test.getGroup());
+        LoginSecurityContext context = new DefaultSecurityContext(p, s);
+        assertTrue(context.isUserInRole("Barry"));
+    }
+    
 
 }
\ No newline at end of file
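Review bot: testPrivateStaticGroup at L90 has only a positive assertion, so a regression that made group resolution answer true for any role name would still pass; add a negative check for a name that is neither a principal, a group nor a member, e.g. `assertFalse(context.isUserInRole("stranger"));`. The added lines at L88 and L100 are whitespace-only, and the file still ends without a newline (L103). The enclosing class DefaultSecurityContextTest starts outside the hunk.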
diff --git a/core/src/test/java/org/apache/cxf/interceptor/security/test/GroupWrapper.java b/core/src/test/java/org/apache/cxf/interceptor/security/test/GroupWrapper.java
new file mode 100644
index 0000000..445e298
--- /dev/null
+++ b/core/src/test/java/org/apache/cxf/interceptor/security/test/GroupWrapper.java
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.interceptor.security.test;
+
+import java.security.Principal;
+import java.security.acl.Group;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.cxf.common.security.SimplePrincipal;
+
+public class GroupWrapper {
+
+    private Principal group;
+
+    public GroupWrapper(String groupName, String userName) {
+        SimpleGroup simpeG = new SimpleGroup(groupName);
+        simpeG.addMember(new SimplePrincipal(userName));
+        group = simpeG;
+
+    }
+
+    public Principal getGroup() {
+        return this.group;
+    }
+
+
+
+    private static class SimpleGroup implements Group {
+        private String name;
+        private final Set<Principal> principals;
+
+        SimpleGroup(String name) {
+            this.name = name;
+            this.principals = new HashSet<>();
+        }
+
+        @Override
+        public String getName() {
+            return this.name;
+        }
+
+        @Override
+        public boolean addMember(Principal principal) {
+            return this.principals.add(principal);
+        }
+
+        @Override
+        public boolean removeMember(Principal principal) {
+            return this.principals.remove(principal);
+        }
+
+        @Override
+        public Enumeration<? extends Principal> members() {
+            return Collections.enumeration(this.principals);
+        }
+
+        @Override
+        public boolean isMember(Principal principal) {
+            return this.principals.contains(principal);
+        }
+    }
+
+}
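Review bot: SimpleGroup at L156 implements java.security.acl.Group, which is deprecated since JDK 9 and removed in JDK 14, so this helper and the test that depends on it will stop compiling once the build targets a newer JDK; the class should carry a comment such as `// java.security.acl.Group is deprecated (JDK 9) and removed in JDK 14; this helper only exists to exercise the reflective members() path` and the dependent test should be skipped when the type is unavailable. The `group` field at L141 and `name` at L157 are never reassigned and can be `final`, and `simpeG` at L144 reads as a typo for `simpleG`. The three blank lines at L153–L155 can be collapsed to one.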