From: "Dennis Kieselhorst (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Sat, 29 Jul 2017 06:50:00 +0000 (UTC)
Subject: [jira] [Updated] (CXF-7447) Java 2 security issues

[ https://issues.apache.org/jira/browse/CXF-7447?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Kieselhorst updated CXF-7447:
------------------------------------
    Fix Version/s: 3.2.0

> Java 2 security issues
> -----------------------
>
>                 Key: CXF-7447
>                 URL: https://issues.apache.org/jira/browse/CXF-7447
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.2.0
>            Reporter: Andy McCright
>             Fix For: 3.2.0
>
>
> We discovered the following Java 2 security issues when a security manager was in use:
>
> ERROR: Caught exception attempting to call test method testCompletionStageRxInvokerSynchronousFunction on servlet web.jaxrstest.JAXRSExecutorTestServlet
> java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
>     at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:368)
>     at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1926)
>     at web.jaxrstest.JAXRSExecutorTestServlet.testCompletionStageRxInvokerSynchronousFunction(JAXRSExecutorTestServlet.java:151)
>     at componenttest.app.FATServlet.doGet(FATServlet.java:63)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
>     at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1131)
>     at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:76)
>     at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:922)
>     at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
>     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:966)
>     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:358)
>     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:317)
>     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:475)
>     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:409)
>     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:289)
>     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:260)
>     at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
>     at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
>     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
>     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
>     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:928)
>     at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1017)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.lang.Thread.run(Thread.java:785)
> Caused by: javax.ws.rs.ProcessingException: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
>     at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:632)
>     at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:608)
>     at org.apache.cxf.jaxrs.client.WebClient.doResponse(WebClient.java:1115)
>     at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1052)
>     at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:897)
>     at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:866)
>     at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:431)
>     at org.apache.cxf.jaxrs.client.SyncInvokerImpl.method(SyncInvokerImpl.java:135)
>     at org.apache.cxf.jaxrs.client.CompletionStageRxInvokerImpl.lambda$method$4(CompletionStageRxInvokerImpl.java:165)
>     at org.apache.cxf.jaxrs.client.CompletionStageRxInvokerImpl$$Lambda$6.000000009C382370.get(Unknown Source)
>     at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1601)
> Caused by: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1390)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1379)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:309)
>     at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:704)
>     at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1051)
> Caused by: java.lang.RuntimeException: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1503)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
>     at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3034)
>     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:500)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1587)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1616)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1560)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1361)
> Caused by: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
>     at java.security.AccessController.throwACE(AccessController.java:157)
>     at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
>     at java.security.AccessController.checkPermission(AccessController.java:349)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
>     at java.lang.SecurityManager.checkConnect(SecurityManager.java:1061)
>     at java.net.InetAddress.getAllByName0(InetAddress.java:1398)
>     at java.net.InetAddress.getAllByName(InetAddress.java:1322)
>     at java.net.InetAddress.getAllByName(InetAddress.java:1245)
>     at java.net.InetAddress.getByName(InetAddress.java:1195)
>     at sun.net.www.http.HttpClient.New(HttpClient.java:334)
>     at sun.net.www.http.HttpClient.New(HttpClient.java:347)
>     at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1215)
>     at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1194)
>     at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1045)
>     at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:978)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1561)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
>     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)
>
> and
>
> ERROR: Caught exception attempting to call test method testPatchOptions on servlet jaxrs21.fat.patch.PatchTestServlet
> java.lang.ExceptionInInitializerError
>     at java.lang.J9VMInternals.ensureError(J9VMInternals.java:141)
>     at java.lang.J9VMInternals.recordInitializationFailure(J9VMInternals.java:130)
>     at org.apache.cxf.jaxrs.provider.ProviderFactory.initCache(ProviderFactory.java:168)
>     at org.apache.cxf.jaxrs.provider.ProviderFactory.<init>(ProviderFactory.java:154)
>     at org.apache.cxf.jaxrs.client.ClientProviderFactory.<init>(ClientProviderFactory.java:60)
>     at org.apache.cxf.jaxrs.client.ClientProviderFactory.createInstance(ClientProviderFactory.java:67)
>     at org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean.initClient(JAXRSClientFactoryBean.java:377)
>     at org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean.createWebClient(JAXRSClientFactoryBean.java:224)
>     at com.ibm.ws.jaxrs20.client.JAXRSClientImpl.target(JAXRSClientImpl.java:87)
>     at org.apache.cxf.jaxrs.client.spec.ClientImpl.target(ClientImpl.java:130)
>     at jaxrs21.fat.patch.PatchTestServlet.target(PatchTestServlet.java:80)
>     at jaxrs21.fat.patch.PatchTestServlet.testPatchOptions(PatchTestServlet.java:36)
>     at componenttest.app.FATServlet.doGet(FATServlet.java:63)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
>     at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
>     at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1131)
>     at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4924)
>     at com.ibm.ws.webcontainer31.osgi.webapp.WebApp31.handleRequest(WebApp31.java:527)
>     at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:314)
>     at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:991)
>     at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
>     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:966)
>     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:358)
>     at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:317)
>     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:475)
>     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:409)
>     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:289)
>     at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:260)
>     at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
>     at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
>     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
>     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
>     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:928)
>     at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1017)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.lang.Thread.run(Thread.java:785)
> Caused by: java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.cxf.jaxrs.max_provider_cache_size" "read")
>     at java.security.AccessController.throwACE(AccessController.java:157)
>     at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
>     at java.security.AccessController.checkPermission(AccessController.java:349)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
>     at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1307)
>     at java.lang.System.getProperty(System.java:443)
>     at java.lang.System.getProperty(System.java:427)
>     at java.lang.Integer.getInteger(Integer.java:1113)
>     at java.lang.Integer.getInteger(Integer.java:1069)
>     at org.apache.cxf.jaxrs.provider.ProviderCache.<clinit>(ProviderCache.java:35)
>
> The fix should be to place doPriv blocks in ProviderCache and URLConnectionHTTPConduit.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
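Why both traces end in AccessControlException, and what the proposed doPriv blocks change, can be shown in a few dozen lines. Under a SecurityManager a permission check walks every frame on the call stack, so a library such as CXF is limited to the permissions of whatever application called it; the web application in the traces was never granted PropertyPermission for org.apache.cxf.jaxrs.max_provider_cache_size or SocketPermission "localhost" "resolve", so Integer.getInteger in ProviderCache and the name lookup behind HttpURLConnection.getResponseCode fail. An AccessController.doPrivileged block stops the stack walk at the library's own frame, so only the library's code source (which the server policy can grant those permissions to) has to hold them. The program below is an added example, not CXF code: the class name DoPrivDemo, the default cache size of 100, the permissive Policy and the simulated untrusted caller (an AccessControlContext built from a ProtectionDomain with no permissions) are all assumptions made for the demonstration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.util.concurrent.Callable;

/**
 * Added example, not CXF code. Reproduces the two checks from CXF-7447 and
 * shows the effect of a doPrivileged block. Runs on Java 8-17 as is; Java
 * 18-23 need -Djava.security.manager=allow; Java 24+ removed the
 * SecurityManager, where doPrivileged is a no-op.
 */
public class DoPrivDemo {

    // Property name from the ProviderCache trace; the default 100 is an assumption.
    static final String CACHE_PROP = "org.apache.cxf.jaxrs.max_provider_cache_size";

    // "Before": a plain read is checked against every caller on the stack.
    static int cacheSizeUnfixed() {
        return Integer.getInteger(CACHE_PROP, 100);
    }

    // "After": the library asserts its own privilege. Keep the block this
    // narrow; never wrap caller-supplied objects (filters, providers) in it.
    static int cacheSizeFixed() {
        return AccessController.doPrivileged(
                (PrivilegedAction<Integer>) () -> Integer.getInteger(CACHE_PROP, 100));
    }

    // Same pattern for the SocketPermission "resolve" check behind the HTTP conduit.
    static InetAddress resolveUnfixed(String host) throws UnknownHostException {
        return InetAddress.getByName(host);
    }

    // Checked-exception variant: PrivilegedExceptionAction, unwrap the cause.
    static InetAddress resolveFixed(String host) throws UnknownHostException {
        try {
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<InetAddress>) () -> InetAddress.getByName(host));
        } catch (PrivilegedActionException e) {
            throw (UnknownHostException) e.getException();
        }
    }

    public static void main(String[] args) {
        // Assumed policy: the code source this class was loaded from (the
        // "library") is granted every permission it asks for.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Simulated untrusted caller: a static ProtectionDomain with an empty
        // permission set, like an application never granted these permissions.
        AccessControlContext untrusted = new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

        run("property read, unfixed", untrusted, DoPrivDemo::cacheSizeUnfixed);
        run("property read, fixed", untrusted, DoPrivDemo::cacheSizeFixed);
        run("resolve localhost, unfixed", untrusted, () -> resolveUnfixed("localhost"));
        run("resolve localhost, fixed", untrusted, () -> resolveFixed("localhost"));
    }

    // Runs body with the untrusted context intersected into the permission
    // check, so any frame above a doPrivileged must satisfy both domains.
    static void run(String label, AccessControlContext ctx, Callable<?> body) {
        try {
            Object result = AccessController.doPrivileged(
                    (PrivilegedExceptionAction<Object>) body::call, ctx);
            System.out.println(label + " -> OK: " + result);
        } catch (PrivilegedActionException e) {
            System.out.println(label + " -> " + e.getException());
        } catch (AccessControlException e) {
            System.out.println(label + " -> " + e);
        }
    }
}
```

Compile and run with `javac DoPrivDemo.java && java DoPrivDemo` (deprecation warnings from javac are expected on Java 17). The two "unfixed" calls are refused with the same PropertyPermission and SocketPermission that appear in the traces, because the untrusted context is part of the check; the two "fixed" calls succeed, because the inner doPrivileged stops the stack walk before the untrusted context is reached. Two practical caveats follow from this: the fix only helps if the server's Java 2 security policy actually grants CXF's code source the permissions in question, and each block must enclose only the sensitive call, since anything the caller can inject into a doPrivileged block runs with the library's permissions instead of its own. CXF already has a helper for the property case, org.apache.cxf.common.util.SystemPropertyAction, which wraps System.getProperty in exactly this way.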