[JBoss JIRA] (CDI-731) Default methods in Annotated hierarchy should use privileged blocks
by Antoine Sabot-Durand (JIRA)
[ https://issues.jboss.org/browse/CDI-731?page=com.atlassian.jira.plugin.sy... ]
Antoine Sabot-Durand closed CDI-731.
------------------------------------
Resolution: Explained
> Default methods in Annotated hierarchy should use privileged blocks
> -------------------------------------------------------------------
>
> Key: CDI-731
> URL: https://issues.jboss.org/browse/CDI-731
> Project: CDI Specification Issues
> Issue Type: Bug
> Components: Javadoc and API
> Affects Versions: 2.0.Final
> Reporter: Antoine Sabot-Durand
> Assignee: Antoine Sabot-Durand
> Fix For: 2.0.SP1
>
>
> To deal with repeating annotations (see CDI-471), CDI 2.0 introduced a default method {{getAnnotations}} in the following interfaces:
> * {{AnnotatedConstructor}}
> * {{AnnotatedField}}
> * {{AnnotatedMethod}}
> * {{AnnotatedParameter}}
> * {{AnnotatedType}}
> These methods make use of reflection and thus should use privileged blocks when used with a security manager.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
6 years, 5 months
[JBoss JIRA] (CDI-727) CDI.current() should use privileged block
by Martin Kouba (JIRA)
[ https://issues.jboss.org/browse/CDI-727?page=com.atlassian.jira.plugin.sy... ]
Martin Kouba commented on CDI-727:
----------------------------------
[~honza889] Ok, thanks. I suppose the problematic method is {{java.util.ServiceLoader.parse(Class<?>, URL)}} where {{java.net.URL.openStream()}} is used.
> CDI.current() should use privileged block
> -----------------------------------------
>
> Key: CDI-727
> URL: https://issues.jboss.org/browse/CDI-727
> Project: CDI Specification Issues
> Issue Type: Bug
> Components: Javadoc and API
> Affects Versions: 2.0.Final
> Reporter: Jan Kalina
> Assignee: Antoine Sabot-Durand
> Labels: security-manager
> Fix For: 2.0.SP1
>
>
> When a deployment in a container with the security manager enabled tries to use the {{CDI.current()}} call, the {{CDI}} class directly accesses the JAR of the CDI provider, because of which the security manager requires the deployment to have permission to read the JAR.
> *{{CDI.findAllProviders}} method should read the JAR in privileged block.*
> (as discussed in WFLY-10125)
> {code}
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-integ-rhel-secman/1cfa62fc/jboss-eap-7.2/modules/system/layers/base/org/jboss/as/weld/main/wildfly-weld-7.2.0.CD12-redhat-2.jar" "read")" in code source "(vfs:/content/test.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.test.war" from Service Module Loader")
>     at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
>     at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>     at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:360)
>     at sun.net.www.protocol.jar.JarFileFactory.getCachedJarFile(JarFileFactory.java:137)
>     at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:81)
>     at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
>     at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:152)
>     at java.net.URL.openStream(URL.java:1045)
>     at javax.enterprise.inject.spi.CDI.findAllProviders(CDI.java:109)
>     at javax.enterprise.inject.spi.CDI.current(CDI.java:53)
>     at org.jboss.as.test.integration.ee.injection.support.jpa.beanManager.TestEntityListener.obtainFooViaCdiCurrent(TestEntityListener.java:97)
> {code}
6 years, 5 months
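The pattern CDI-727 asks for, sketched as an added example; it is not part of the original thread and is not the patch from the linked pull request. `PrivilegedProviderLookup` and its `Provider` interface are hypothetical stand-ins for the CDI provider lookup, and the code assumes a JDK where the Security Manager API is still functional, as in the stack trace above.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.List;
import java.util.ServiceLoader;

public final class PrivilegedProviderLookup {

    /** Hypothetical SPI; stands in for the provider type discovered via ServiceLoader. */
    public interface Provider {
        int priority();
    }

    // Before: ServiceLoader is lazy. The META-INF/services resource is opened
    // (URL.openStream) while iterating, on the caller's stack, so every
    // protection domain on that stack, including the deployment's, needs
    // FilePermission "read" on the provider JAR.
    static List<Provider> findUnprivileged(ClassLoader cl) {
        List<Provider> found = new ArrayList<>();
        for (Provider p : ServiceLoader.load(Provider.class, cl)) {
            found.add(p);
        }
        return found;
    }

    // After: the whole iteration runs inside doPrivileged, so the permission
    // check stops at this class's protection domain and the deployment no
    // longer needs read access to the JAR. Wrapping only ServiceLoader.load()
    // would not help, because the file access happens during iteration.
    static List<Provider> findPrivileged(ClassLoader cl) {
        if (System.getSecurityManager() == null) {
            return findUnprivileged(cl); // no security manager: nothing to assert
        }
        // Provider constructors invoked by the iterator sit above the
        // doPrivileged frame, so their own protection domains are still
        // checked; the block does not hand them this class's permissions.
        return AccessController.doPrivileged(
                (PrivilegedAction<List<Provider>>) () -> findUnprivileged(cl));
    }

    private PrivilegedProviderLookup() {
    }
}
```

The privileged action returns only the instantiated providers; it takes no path or URL from the caller, which keeps the asserted privilege limited to reading the service configuration.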
[JBoss JIRA] (CDI-731) Default methods in Annotated hierarchy should use privileged blocks
by Antoine Sabot-Durand (JIRA)
[ https://issues.jboss.org/browse/CDI-731?page=com.atlassian.jira.plugin.sy... ]
Antoine Sabot-Durand commented on CDI-731:
------------------------------------------
Ok, got it. I'll close the ticket.
6 years, 5 months
[JBoss JIRA] (CDI-727) CDI.current() should use privileged block
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/CDI-727?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina commented on CDI-727:
--------------------------------
[~mkouba] Confirmed:
the problem affects the latest master of CDI (9f5eaa/2.1-SNAPSHOT) and the patch in https://github.com/cdi-spec/cdi/pull/391 (508a47) resolves it successfully.
For testing, it is necessary to revert the WFLY-10125 workaround, enable the given CDI, and run {{EntityListenerBeanManagerInjectionTestCase}} with {{-Dsecurity.manager}}.
6 years, 5 months
[JBoss JIRA] (CDI-731) Default methods in Annotated hierarchy should use privileged blocks
by Martin Kouba (JIRA)
[ https://issues.jboss.org/browse/CDI-731?page=com.atlassian.jira.plugin.sy... ]
Martin Kouba commented on CDI-731:
----------------------------------
The problem is that our tests use mock implementations of these interfaces. So, for example, to test the {{AnnotatedMethod}} default method we call {{java.lang.Class.getMethod()}}, which is subject to access control: https://github.com/antoinesd/cdi-spec/blob/master/api/src/test/java/org/j...
That's why we see "access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")" in the stack.
6 years, 5 months
CDI 2.1
by arjan tijms
Hi there,
Just wondering, is there any time planned for when to officially start the
CDI 2.1 effort?
Kind regards,
Arjan
6 years, 5 months
[JBoss JIRA] (CDI-731) Default methods in Annotated hierarchy should use privileged blocks
by Antoine Sabot-Durand (JIRA)
[ https://issues.jboss.org/browse/CDI-731?page=com.atlassian.jira.plugin.sy... ]
Antoine Sabot-Durand edited comment on CDI-731 at 6/27/18 8:55 AM:
-------------------------------------------------------------------
When I launch tests in https://github.com/antoinesd/cdi-spec/tree/master/api/src/test/java/org/j... with security manager I have ACE stack traces on the tests related to the interfaces above. They look like:
{code:console}
java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at javax.enterprise.inject.spi.AnnotatedMethod.getAnnotations(AnnotatedMethod.java:49)
    at org.jboss.cdi.api.test.annotated.AbstractAnnotatedTest.shouldFindAnnotationsOnAnnotated(AbstractAnnotatedTest.java:36)
    ... Removed 34 stack frames
{code}
was (Author: antoinesabot-durand):
When I launch test in https://github.com/antoinesd/cdi-spec/tree/master/api/src/test/java/org/j... with security manager I have ACE stack traces on the tests related to the interface above. They're like:
{code:console}
java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at javax.enterprise.inject.spi.AnnotatedMethod.getAnnotations(AnnotatedMethod.java:49)
    at org.jboss.cdi.api.test.annotated.AbstractAnnotatedTest.shouldFindAnnotationsOnAnnotated(AbstractAnnotatedTest.java:36)
    ... Removed 34 stack frames
{code}
6 years, 5 months
[JBoss JIRA] (CDI-731) Default methods in Annotated hierarchy should use privileged blocks
by Antoine Sabot-Durand (JIRA)
[ https://issues.jboss.org/browse/CDI-731?page=com.atlassian.jira.plugin.sy... ]
Antoine Sabot-Durand commented on CDI-731:
------------------------------------------
When I launch test in https://github.com/antoinesd/cdi-spec/tree/master/api/src/test/java/org/j... with security manager I have ACE stack traces on the tests related to the interface above. They're like:
{code:console}
java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at javax.enterprise.inject.spi.AnnotatedMethod.getAnnotations(AnnotatedMethod.java:49)
    at org.jboss.cdi.api.test.annotated.AbstractAnnotatedTest.shouldFindAnnotationsOnAnnotated(AbstractAnnotatedTest.java:36)
    ... Removed 34 stack frames
{code}
6 years, 5 months
[JBoss JIRA] (CDI-731) Default methods in Annotated hierarchy should use privileged blocks
by Martin Kouba (JIRA)
[ https://issues.jboss.org/browse/CDI-731?page=com.atlassian.jira.plugin.sy... ]
Martin Kouba commented on CDI-731:
----------------------------------
I don't think {{java.lang.reflect.AnnotatedElement.getAnnotationsByType()}} throws {{SecurityException}}.
6 years, 5 months
[JBoss JIRA] (CDI-731) Default methods in Annotated hierarchy should use privileged blocks
by Martin Kouba (JIRA)
[ https://issues.jboss.org/browse/CDI-731?page=com.atlassian.jira.plugin.sy... ]
Martin Kouba edited comment on CDI-731 at 6/27/18 7:08 AM:
-----------------------------------------------------------
I don't think that {{java.lang.reflect.AnnotatedElement.getAnnotationsByType()}} (used in those default methods) throws {{SecurityException}}.
was (Author: mkouba):
I don't think {{java.lang.reflect.AnnotatedElement.getAnnotationsByType()}} throws {{SecurityException}}.
6 years, 5 months