CXF issue CXF-7447

Java 2 security issues


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.0
    • Fix Version/s: 3.0.15, 3.1.13, 3.2.0
    • Component/s: JAX-RS
    • Labels: None
    • Estimated Complexity: Unknown

    Description

      We discovered the following Java 2 security issues when a security manager was in use:

      ERROR: Caught exception attempting to call test method testCompletionStageRxInvokerSynchronousFunction on servlet web.jaxrstest.JAXRSExecutorTestServlet
      java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
      at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:368)
      at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1926)
      at web.jaxrstest.JAXRSExecutorTestServlet.testCompletionStageRxInvokerSynchronousFunction(JAXRSExecutorTestServlet.java:151)
      at componenttest.app.FATServlet.doGet(FATServlet.java:63)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
      at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
      at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
      at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1131)
      at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:76)
      at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:922)
      at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
      at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:966)
      at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:358)
      at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:317)
      at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:475)
      at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:409)
      at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:289)
      at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:260)
      at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
      at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
      at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
      at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
      at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:928)
      at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1017)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      at java.lang.Thread.run(Thread.java:785)
      Caused by: javax.ws.rs.ProcessingException: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
      at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:632)
      at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:608)
      at org.apache.cxf.jaxrs.client.WebClient.doResponse(WebClient.java:1115)
      at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1052)
      at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:897)
      at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:866)
      at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:431)
      at org.apache.cxf.jaxrs.client.SyncInvokerImpl.method(SyncInvokerImpl.java:135)
      at org.apache.cxf.jaxrs.client.CompletionStageRxInvokerImpl.lambda$method$4(CompletionStageRxInvokerImpl.java:165)
      at org.apache.cxf.jaxrs.client.CompletionStageRxInvokerImpl$$Lambda$6.000000009C382370.get(Unknown Source)
      at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1601)
      Caused by: java.lang.RuntimeException: RuntimeException invoking http://localhost:8011/jaxrsapp/testapp/test/info: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
      at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1390)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1379)
      at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
      at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
      at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
      at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:309)
      at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:704)
      at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1051)
      Caused by: java.lang.RuntimeException: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1503)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
      at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3034)
      at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:500)
      at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:370)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1587)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1616)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1560)
      at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1361)
      Caused by: java.security.AccessControlException: Access denied ("java.net.SocketPermission" "localhost" "resolve")
      at java.security.AccessController.throwACE(AccessController.java:157)
      at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
      at java.security.AccessController.checkPermission(AccessController.java:349)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
      at java.lang.SecurityManager.checkConnect(SecurityManager.java:1061)
      at java.net.InetAddress.getAllByName0(InetAddress.java:1398)
      at java.net.InetAddress.getAllByName(InetAddress.java:1322)
      at java.net.InetAddress.getAllByName(InetAddress.java:1245)
      at java.net.InetAddress.getByName(InetAddress.java:1195)
      at sun.net.www.http.HttpClient.New(HttpClient.java:334)
      at sun.net.www.http.HttpClient.New(HttpClient.java:347)
      at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1215)
      at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1194)
      at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1045)
      at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:978)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1561)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1489)
      at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:491)

      and

      ERROR: Caught exception attempting to call test method testPatchOptions on servlet jaxrs21.fat.patch.PatchTestServlet
      java.lang.ExceptionInInitializerError
      at java.lang.J9VMInternals.ensureError(J9VMInternals.java:141)
      at java.lang.J9VMInternals.recordInitializationFailure(J9VMInternals.java:130)
      at org.apache.cxf.jaxrs.provider.ProviderFactory.initCache(ProviderFactory.java:168)
      at org.apache.cxf.jaxrs.provider.ProviderFactory.<init>(ProviderFactory.java:154)
      at org.apache.cxf.jaxrs.client.ClientProviderFactory.<init>(ClientProviderFactory.java:60)
      at org.apache.cxf.jaxrs.client.ClientProviderFactory.createInstance(ClientProviderFactory.java:67)
      at org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean.initClient(JAXRSClientFactoryBean.java:377)
      at org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean.createWebClient(JAXRSClientFactoryBean.java:224)
      at com.ibm.ws.jaxrs20.client.JAXRSClientImpl.target(JAXRSClientImpl.java:87)
      at org.apache.cxf.jaxrs.client.spec.ClientImpl.target(ClientImpl.java:130)
      at jaxrs21.fat.patch.PatchTestServlet.target(PatchTestServlet.java:80)
      at jaxrs21.fat.patch.PatchTestServlet.testPatchOptions(PatchTestServlet.java:36)
      at componenttest.app.FATServlet.doGet(FATServlet.java:63)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
      at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
      at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
      at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1131)
      at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4924)
      at com.ibm.ws.webcontainer31.osgi.webapp.WebApp31.handleRequest(WebApp31.java:527)
      at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:314)
      at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:991)
      at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
      at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:966)
      at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:358)
      at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:317)
      at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:475)
      at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:409)
      at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:289)
      at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:260)
      at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
      at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
      at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
      at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
      at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:928)
      at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1017)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      at java.lang.Thread.run(Thread.java:785)
      Caused by: java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.cxf.jaxrs.max_provider_cache_size" "read")
      at java.security.AccessController.throwACE(AccessController.java:157)
      at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
      at java.security.AccessController.checkPermission(AccessController.java:349)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
      at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1307)
      at java.lang.System.getProperty(System.java:443)
      at java.lang.System.getProperty(System.java:427)
      at java.lang.Integer.getInteger(Integer.java:1113)
      at java.lang.Integer.getInteger(Integer.java:1069)
      at org.apache.cxf.jaxrs.provider.ProviderCache.<clinit>(ProviderCache.java:35)

      The fix should be to wrap these calls in AccessController.doPrivileged blocks in ProviderCache and URLConnectionHTTPConduit.
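The pattern the report asks for, shown as an added example that is not CXF's own code: the property read behind the second trace and the response-code read behind the first, each wrapped in AccessController.doPrivileged so that only the library's own ProtectionDomain, not every caller frame up to the servlet, needs the permission. The class name, the default cache size and the policy codeBase are assumptions.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Illustration only (not CXF code): the two call sites from CXF-7447 wrapped
// in doPrivileged so the stack walk stops at the library frame.
public final class DoPrivilegedExample {
    private static final String CACHE_PROP = "org.apache.cxf.jaxrs.max_provider_cache_size";
    private static final int DEFAULT_CACHE_SIZE = 100; // assumed default, not CXF's value

    // Unprivileged read: under a SecurityManager every frame on the stack must hold
    // PropertyPermission, so an unprivileged caller makes <clinit> fail (second trace).
    static int cacheSizeUnprivileged() {
        return Integer.getInteger(CACHE_PROP, DEFAULT_CACHE_SIZE);
    }

    // Privileged read: doPrivileged truncates the permission check at this frame,
    // so only this class's ProtectionDomain needs the grant.
    static int cacheSizePrivileged() {
        return AccessController.doPrivileged(
            (PrivilegedAction<Integer>) () -> Integer.getInteger(CACHE_PROP, DEFAULT_CACHE_SIZE));
    }

    static final int MAX_CACHE_SIZE = cacheSizePrivileged();

    // First trace: getResponseCode() may resolve the host, which needs
    // SocketPermission "host" "resolve". The action throws IOException, so the
    // checked-exception variant is used and PrivilegedActionException is unwrapped.
    static int responseCodePrivileged(final HttpURLConnection conn) throws IOException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Integer>) conn::getResponseCode);
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new RuntimeException(cause);
        }
    }

    // doPrivileged alone changes nothing: the library's code source must still be
    // granted the permission in the policy (jar path is a placeholder):
    //   grant codeBase "file:/path/to/cxf-rt-frontend-jaxrs.jar" {
    //     permission java.util.PropertyPermission "org.apache.cxf.jaxrs.max_provider_cache_size", "read";
    //     permission java.net.SocketPermission "localhost", "resolve";
    //   };
}
```

Note that the SecurityManager is deprecated for removal since JDK 17 (JEP 411) and JDK 18 and later refuse to install one unless the JVM is started with -Djava.security.manager=allow, so this pattern only matters on runtimes that still enforce Java 2 security.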

      People

        Assignee: Unassigned
        Reporter: Andrew J McMurry (andymc)