cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From asold...@apache.org
Subject svn commit: r1515801 - in /cxf/trunk: core/src/main/java/org/apache/cxf/common/ core/src/main/java/org/apache/cxf/resource/ rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/context/ rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/spi/ rt/ws/ad...
Date Tue, 20 Aug 2013 12:46:53 GMT
Author: asoldano
Date: Tue Aug 20 12:46:52 2013
New Revision: 1515801

URL: http://svn.apache.org/r1515801
Log:
[CXF-5142] More on running with a security manager enabled; introducing CXF specific permission
for URI resolution, unmarshalling EPRs in privileged actions

Added:
    cxf/trunk/core/src/main/java/org/apache/cxf/common/CXFPermissions.java
    cxf/trunk/core/src/main/java/org/apache/cxf/resource/SecurityActions.java
Modified:
    cxf/trunk/core/src/main/java/org/apache/cxf/resource/URIResolver.java
    cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/context/WebServiceContextImpl.java
    cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/spi/ProviderImpl.java
    cxf/trunk/rt/ws/addr/src/main/java/org/apache/cxf/ws/addressing/soap/VersionTransformer.java

Added: cxf/trunk/core/src/main/java/org/apache/cxf/common/CXFPermissions.java
URL: http://svn.apache.org/viewvc/cxf/trunk/core/src/main/java/org/apache/cxf/common/CXFPermissions.java?rev=1515801&view=auto
==============================================================================
--- cxf/trunk/core/src/main/java/org/apache/cxf/common/CXFPermissions.java (added)
+++ cxf/trunk/core/src/main/java/org/apache/cxf/common/CXFPermissions.java Tue Aug 20 12:46:52
2013
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.common;
+
+public final class CXFPermissions {
+
+    public static final RuntimePermission RESOLVE_URI = new RuntimePermission("org.apache.cxf.permission",
+                                                                              "resolveUri");
+
+    private CXFPermissions() {
+
+    }
+
+}

Added: cxf/trunk/core/src/main/java/org/apache/cxf/resource/SecurityActions.java
URL: http://svn.apache.org/viewvc/cxf/trunk/core/src/main/java/org/apache/cxf/resource/SecurityActions.java?rev=1515801&view=auto
==============================================================================
--- cxf/trunk/core/src/main/java/org/apache/cxf/resource/SecurityActions.java (added)
+++ cxf/trunk/core/src/main/java/org/apache/cxf/resource/SecurityActions.java Tue Aug 20 12:46:52
2013
@@ -0,0 +1,44 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.resource;
+
+import java.io.File;
+import java.security.AccessController;
+import java.security.Permission;
+import java.security.PrivilegedAction;
+
+final class SecurityActions {
+
+    private SecurityActions() {
+    }
+
+    static boolean fileExists(final File file, Permission permission) {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm == null) {
+            return file.exists();
+        } else {
+            sm.checkPermission(permission);
+            return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
+                public Boolean run() {
+                    return file.exists();
+                }
+            });
+        }
+    }
+}

Modified: cxf/trunk/core/src/main/java/org/apache/cxf/resource/URIResolver.java
URL: http://svn.apache.org/viewvc/cxf/trunk/core/src/main/java/org/apache/cxf/resource/URIResolver.java?rev=1515801&r1=1515800&r2=1515801&view=diff
==============================================================================
--- cxf/trunk/core/src/main/java/org/apache/cxf/resource/URIResolver.java (original)
+++ cxf/trunk/core/src/main/java/org/apache/cxf/resource/URIResolver.java Tue Aug 20 12:46:52
2013
@@ -35,6 +35,7 @@ import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import org.apache.cxf.common.CXFPermissions;
 import org.apache.cxf.common.classloader.ClassLoaderUtils;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64Utility;
@@ -135,7 +136,7 @@ public class URIResolver {
             
             
             uriFile = new File(uriFile.getAbsolutePath());
-            if (!uriFile.exists()) {
+            if (!SecurityActions.fileExists(uriFile, CXFPermissions.RESOLVE_URI)) {
                 try {
                     URI urif = new URI(URLDecoder.decode(orig, "ASCII"));
                     if ("file".equals(urif.getScheme()) && urif.isAbsolute()) {
@@ -148,7 +149,7 @@ public class URIResolver {
                     //ignore
                 }
             }
-            if (!uriFile.exists()) {
+            if (!SecurityActions.fileExists(uriFile, CXFPermissions.RESOLVE_URI)) {
                 relative =  new URI(uriStr.replaceAll(" ", "%20"));
             } else {
                 relative = uriFile.getAbsoluteFile().toURI();

Modified: cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/context/WebServiceContextImpl.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/context/WebServiceContextImpl.java?rev=1515801&r1=1515800&r2=1515801&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/context/WebServiceContextImpl.java
(original)
+++ cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/context/WebServiceContextImpl.java
Tue Aug 20 12:46:52 2013
@@ -33,6 +33,8 @@ import javax.xml.ws.wsaddressing.W3CEndp
 
 import org.w3c.dom.Element;
 
+import org.apache.cxf.common.classloader.ClassLoaderUtils;
+import org.apache.cxf.common.classloader.ClassLoaderUtils.ClassLoaderHolder;
 import org.apache.cxf.common.i18n.Message;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.endpoint.Endpoint;
@@ -110,12 +112,14 @@ public class WebServiceContextImpl imple
             }
         }
         
-        ClassLoader cl = Thread.currentThread().getContextClassLoader();
+        ClassLoaderHolder orig = null;
         try {
-            Thread.currentThread().setContextClassLoader(EndpointReferenceBuilder.class.getClassLoader());
+            orig = ClassLoaderUtils.setThreadContextClassloader(EndpointReferenceBuilder.class.getClassLoader());
             return builder.build();
         } finally {
-            Thread.currentThread().setContextClassLoader(cl);
+            if (orig != null) {
+                orig.reset();
+            }
         }
     }
 

Modified: cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/spi/ProviderImpl.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/spi/ProviderImpl.java?rev=1515801&r1=1515800&r2=1515801&view=diff
==============================================================================
--- cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/spi/ProviderImpl.java (original)
+++ cxf/trunk/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/spi/ProviderImpl.java Tue
Aug 20 12:46:52 2013
@@ -21,6 +21,9 @@ package org.apache.cxf.jaxws.spi;
 
 import java.lang.reflect.Method;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Logger;
@@ -238,7 +241,7 @@ public class ProviderImpl extends javax.
                                             + " when serviceName or portName is null");
         }
         try {
-            W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
+            final W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
             writer.setPrefix(JAXWSAConstants.WSA_PREFIX, JAXWSAConstants.NS_WSA);
             writer.writeStartElement(JAXWSAConstants.WSA_PREFIX, JAXWSAConstants.WSA_ERF_NAME,
                                      JAXWSAConstants.NS_WSA);
@@ -355,8 +358,21 @@ public class ProviderImpl extends javax.
             writer.writeEndElement();
             writer.flush();
 
-            Unmarshaller unmarshaller = getJAXBContext().createUnmarshaller();
-            return (W3CEndpointReference)unmarshaller.unmarshal(writer.getDocument());
+            try {
+                return AccessController.doPrivileged(new PrivilegedExceptionAction<W3CEndpointReference>()
{
+                    public W3CEndpointReference run() throws Exception {
+                        Unmarshaller unmarshaller = getJAXBContext().createUnmarshaller();
+                        return (W3CEndpointReference)unmarshaller.unmarshal(writer.getDocument());
+                    }
+                });
+            } catch (PrivilegedActionException pae) {
+                Exception e = pae.getException();
+                if (e instanceof JAXBException) {
+                    throw (JAXBException)e;
+                } else {
+                    throw new SecurityException(e);
+                }
+            }
         } catch (Exception e) {
             throw new WebServiceException(new Message("ERROR_UNMARSHAL_ENDPOINTREFERENCE",
LOG).toString(),
                                           e);
@@ -371,19 +387,30 @@ public class ProviderImpl extends javax.
     }
 
     public EndpointReference readEndpointReference(Source eprInfoset) {
-        XMLStreamReader reader = null;
         try {
-            Unmarshaller unmarshaller = getJAXBContext().createUnmarshaller();
-            reader = StaxUtils.createXMLStreamReader(eprInfoset);
-            return (EndpointReference)unmarshaller.unmarshal(reader);
-        } catch (JAXBException e) {
-            throw new WebServiceException(new Message("ERROR_UNMARSHAL_ENDPOINTREFERENCE",
LOG).toString(),
-                                          e);
-        } finally {
-            try {
-                StaxUtils.close(reader);
-            } catch (XMLStreamException e) {
-                // Ignore
+            final XMLStreamReader reader = StaxUtils.createXMLStreamReader(eprInfoset);
+            return AccessController.doPrivileged(new PrivilegedExceptionAction<EndpointReference>()
{
+                public EndpointReference run() throws Exception {
+                    try {
+                        Unmarshaller unmarshaller = getJAXBContext().createUnmarshaller();
+                        return (EndpointReference)unmarshaller.unmarshal(reader);
+                    } finally {
+                        try {
+                            StaxUtils.close(reader);
+                        } catch (XMLStreamException e) {
+                            // Ignore
+                        }
+                    }
+                }
+            });
+        } catch (PrivilegedActionException pae) {
+            Exception e = pae.getException();
+            if (e instanceof JAXBException) {
+                throw new WebServiceException(new Message("ERROR_UNMARSHAL_ENDPOINTREFERENCE",
LOG)
+                                                  .toString(),
+                                              e);
+            } else {
+                throw new SecurityException(e);
             }
         }
     }

Modified: cxf/trunk/rt/ws/addr/src/main/java/org/apache/cxf/ws/addressing/soap/VersionTransformer.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/addr/src/main/java/org/apache/cxf/ws/addressing/soap/VersionTransformer.java?rev=1515801&r1=1515800&r2=1515801&view=diff
==============================================================================
--- cxf/trunk/rt/ws/addr/src/main/java/org/apache/cxf/ws/addressing/soap/VersionTransformer.java
(original)
+++ cxf/trunk/rt/ws/addr/src/main/java/org/apache/cxf/ws/addressing/soap/VersionTransformer.java
Tue Aug 20 12:46:52 2013
@@ -22,6 +22,7 @@ package org.apache.cxf.ws.addressing.soa
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.xml.bind.JAXBContext;
@@ -137,8 +138,10 @@ public class VersionTransformer extends 
     public <T> T decodeAsNative(String encodedAs, Class<T> clz, Element headerElement,
                                 Unmarshaller unmarshaller) throws JAXBException {
         T ret = null;
-        LOG.fine("decodeAsNative: encodedAs: " + encodedAs);
-        LOG.fine("                class: " + clz.getName());
+        if (LOG.isLoggable(Level.FINE)) {
+            LOG.fine("decodeAsNative: encodedAs: " + encodedAs);
+            LOG.fine("                class: " + clz.getName());
+        }
 
         if (NATIVE_VERSION.equals(encodedAs)) {
             ret = codec.decodeMAP(clz, headerElement, unmarshaller);



Mime
View raw message