Uploaded image for project: 'HttpComponents HttpCore'
  1. HttpComponents HttpCore
  2. HTTPCORE-517

Allow SecurityManager to stop socket connections

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments


    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.4.10, 5.0-beta3
    • Component/s: HttpCore NIO
    • Labels:


      Utilising a java security manager you're able to block certain socket connections from taking place. This can be useful to block outgoing connections for all components.

      public void checkConnect(String host, int port) {
          if(port != -1) {
              for (String bannedPerm : bannedSocketPerms) {
                  if (host.equalsIgnoreCase(bannedPerm)) {
                      throw new new SecurityException();

      Unfortunately when doing this, the apache reactor shuts down. The call site is in the DefaultConnectingIOReactor

      final boolean connected = socketChannel.connect(request.getRemoteAddress());

      this line is wrapped in a try/catch that catches an IOException. This means the SecurityException is propagated out, and is never offered to be caught (even with the ExceptionHandler that you can set. 

      It would be an improvement to be able to throw these types of exceptions and have the reactor continue on. It's very understandable for the SecurityException to be a transient error and as such shouldn't shut down the entire reactor by default.

      Either that, or one should be able to define a handleRuntimeException (as seen in the BaseIOREactor) in such a way that it would get the option to handle the exceptions that are thrown as part of the processEvents call in the AbstractIOReactor




            • Assignee:
              ggregory Gary D. Gregory
              pathompson Paul Thompson


              • Created:

                Issue deployment