[jbossws-issues] [JBoss JIRA] (JBWS-3974) Incorreclty bypass the SecurityManager and call AccessControl.checkPermission() directly

Jason Shepherd (JIRA) issues at jboss.org
Wed Jan 20 17:26:00 EST 2016 

    [ https://issues.jboss.org/browse/JBWS-3974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13151446#comment-13151446 ] 

Jason Shepherd commented on JBWS-3974:
--------------------------------------

[~jim.ma] If a user's code is performing a sensitive operation which they want to define a custom grant for they should use the securityManager.checkPermission(). Using a Security Manager allows for centralization of the access control policies. For more information, read chapter 9 of the Oracle Secure Coding guide: [http://www.oracle.com/technetwork/java/seccodeguide-139067.html]

> Incorreclty bypass the SecurityManager and call AccessControl.checkPermission() directly
> ----------------------------------------------------------------------------------------
>
>                 Key: JBWS-3974
>                 URL: https://issues.jboss.org/browse/JBWS-3974
>             Project: JBoss Web Services
>          Issue Type: Bug
>          Components: jbossws-integration
>         Environment: EAP 7.0.0.Beta1, jbossws-spi 3.1.1 (Couldn't find in affected version list)
>            Reporter: Jason Shepherd
>            Assignee: Jim Ma
>            Priority: Minor
>             Fix For: jbossws-cxf-5.2.0.Final
>
>
> Calls to AccessControl.checkPermission() should be done by the Security Manager so that policies can be centrally managed. See this guide as a reference:
> bq. Note that the method AccessController.checkPermission is normally invoked indirectly through invocations of specific SecurityManager methods that begin with the word check such as checkConnect or through the method SecurityManager.checkPermission. Normally, these checks only occur if a SecurityManager has been installed; code checked by the AccessController.checkPermission method first checks if the method System.getSecurityManager returns null.
>    [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html|https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html]
> Also refer to fixed issue WFCORE-1266, as it is similar.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jbossws-issues mailing list