Posted to issues@cxf.apache.org by "Andy McCright (JIRA)" <ji...@apache.org> on 2017/07/17 20:07:00 UTC

[jira] [Created] (CXF-7447) Java 2 security issues

Andy McCright created CXF-7447:
----------------------------------

             Summary: Java 2 security issues 
                 Key: CXF-7447
                 URL: https://issues.apache.org/jira/browse/CXF-7447
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
    Affects Versions: 3.2.0
            Reporter: Andy McCright


We discovered the following Java 2 security issues when a security manager was in use:

ERROR: Caught exception attempting to call test method testCompletionStageRxInvokerSynchronousFunction on servlet web.jaxrstest.JAXRSExecutorTestServlet
java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:368)
at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1926)
at web.jaxrstest.JAXRSExecutorTestServlet.testCompletionStageRxInvokerSynchronousFunction(JAXRSExecutorTestServlet.java:151)
at componenttest.app.FATServlet.doGet(FATServlet.java:63)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1131)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:76)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:922)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:966)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:358)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:317)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:475)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:409)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:289)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:260)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:928)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1017)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.lang.Thread.run(Thread.java:785)
Caused by: javax.ws.rs.ProcessingException: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:632)
at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:608)
at org.apache.cxf.jaxrs.client.WebClient.doResponse(WebClient.java:1115)
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1052)
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:897)
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:866)
at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:431)
at org.apache.cxf.jaxrs.client.SyncInvokerImpl.method(SyncInvokerImpl.java:135)
at org.apache.cxf.jaxrs.client.CompletionStageRxInvokerImpl.lambda$method$4(CompletionStageRxInvokerImpl.java:165)
at org.apache.cxf.jaxrs.client.CompletionStageRxInvokerImpl$$Lambda$6.000000009C382370.get(Unknown Source)
at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1601)
Caused by: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1390)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1379)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:309)
at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:704)
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1051)
Caused by: java.lang.RuntimeException: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1503)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3034)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:500)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1587)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1616)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1560)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1361)
Caused by: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
at java.security.AccessController.throwACE(AccessController.java:157)
at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
at java.security.AccessController.checkPermission(AccessController.java:349)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1061)
at java.net.InetAddress.getAllByName0(InetAddress.java:1398)
at java.net.InetAddress.getAllByName(InetAddress.java:1322)
at java.net.InetAddress.getAllByName(InetAddress.java:1245)
at java.net.InetAddress.getByName(InetAddress.java:1195)
at sun.net.www.http.HttpClient.New(HttpClient.java:334)
at sun.net.www.http.HttpClient.New(HttpClient.java:347)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1215)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1194)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1045)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:978)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1561)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)


and


ERROR: Caught exception attempting to call test method testPatchOptions on servlet jaxrs21.fat.patch.PatchTestServlet
java.lang.ExceptionInInitializerError
at java.lang.J9VMInternals.ensureError(J9VMInternals.java:141)
at java.lang.J9VMInternals.recordInitializationFailure(J9VMInternals.java:130)
at org.apache.cxf.jaxrs.provider.ProviderFactory.initCache(ProviderFactory.java:168)
at org.apache.cxf.jaxrs.provider.ProviderFactory.<init>(ProviderFactory.java:154)
at org.apache.cxf.jaxrs.client.ClientProviderFactory.<init>(ClientProviderFactory.java:60)
at org.apache.cxf.jaxrs.client.ClientProviderFactory.createInstance(ClientProviderFactory.java:67)
at org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean.initClient(JAXRSClientFactoryBean.java:377)
at org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean.createWebClient(JAXRSClientFactoryBean.java:224)
at com.ibm.ws.jaxrs20.client.JAXRSClientImpl.target(JAXRSClientImpl.java:87)
at org.apache.cxf.jaxrs.client.spec.ClientImpl.target(ClientImpl.java:130)
at jaxrs21.fat.patch.PatchTestServlet.target(PatchTestServlet.java:80)
at jaxrs21.fat.patch.PatchTestServlet.testPatchOptions(PatchTestServlet.java:36)
at componenttest.app.FATServlet.doGet(FATServlet.java:63)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1131)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4924)
at com.ibm.ws.webcontainer31.osgi.webapp.WebApp31.handleRequest(WebApp31.java:527)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:314)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:991)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:966)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:358)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:317)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:475)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:409)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:289)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:260)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:928)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1017)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.lang.Thread.run(Thread.java:785)
Caused by: java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.cxf.jaxrs.max_provider_cache_size" "read")
at java.security.AccessController.throwACE(AccessController.java:157)
at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
at java.security.AccessController.checkPermission(AccessController.java:349)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1307)
at java.lang.System.getProperty(System.java:443)
at java.lang.System.getProperty(System.java:427)
at java.lang.Integer.getInteger(Integer.java:1113)
at java.lang.Integer.getInteger(Integer.java:1069)
at org.apache.cxf.jaxrs.provider.ProviderCache.<clinit>(ProviderCache.java:35)


The fix should be to wrap the two privileged operations shown above in AccessController.doPrivileged blocks: the system-property read in ProviderCache (the Integer.getInteger call in its static initializer) and the connection/response-code handling in URLConnectionHTTPConduit that triggers the "localhost" "resolve" SocketPermission check. Each doPrivileged block should cover only the specific call that needs the permission, so that caller code is not granted broader privileges than it needs.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)