You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/01/24 15:03:00 UTC
[jira] [Closed] (CXF-7537) Java 2 security failures - doPrivs
needed to run with Java 2 security mgr
[ https://issues.apache.org/jira/browse/CXF-7537?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed CXF-7537.
------------------------------------
> Java 2 security failures - doPrivs needed to run with Java 2 security mgr
> -------------------------------------------------------------------------
>
> Key: CXF-7537
> URL: https://issues.apache.org/jira/browse/CXF-7537
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 3.1.11, 3.2.0
> Reporter: Andy McCright
> Priority: Major
>
> While doing some Java 2 security testing, I found the following stacks that should be wrapped in doPriv blocks:
> Caused by: java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.cxf.io.CachedOutputStream.MaxSize" "read")
> at java.security.AccessController.throwACE(AccessController.java:157)
> at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
> at java.security.AccessController.checkPermission(AccessController.java:349)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
> at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1307)
> at java.lang.System.getProperty(System.java:443)
> at org.apache.cxf.io.CachedOutputStream.setDefaultMaxSize(CachedOutputStream.java:572)
> at org.apache.cxf.io.CachedOutputStream.<clinit>(CachedOutputStream.java:70)
> java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
> at java.security.AccessController.throwACE(AccessController.java:157)
> at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
> at java.security.AccessController.checkPermission(AccessController.java:349)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
> at java.lang.Class.checkMemberAccess(Class.java:200)
> at java.lang.Class.getDeclaredMethods(Class.java:992)
> at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:186)
> at org.apache.cxf.jaxrs.utils.ResourceUtils.findPreDestroyMethod(ResourceUtils.java:179)
> at org.apache.cxf.jaxrs.lifecycle.PerRequestResourceProvider.<init>(PerRequestResourceProvider.java:63)
> Caused by: java.lang.RuntimeException: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "127.0.0.1:8010" "connect,resolve")
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1503)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
> at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3034)
> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:500)
> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1586)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1615)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1559)
> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1356)
> ... 47 more
> More may be exposed after resolving these...
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)