]
Antoine Sabot-Durand updated CDI-486:
-------------------------------------
Fix Version/s: 2.1 (Discussion)
(was: 2.0 .Final)
Define security constraints for using CDI SPI
---------------------------------------------
Key: CDI-486
URL:
https://issues.jboss.org/browse/CDI-486
Project: CDI Specification Issues
Issue Type: Feature Request
Affects Versions: 1.2.Final
Reporter: Jozef Hartinger
Priority: Critical
Fix For: 2.1 (Discussion)
Currently, the specification does not require any security checks to be performed when
CDI SPI is used. It is not clear how this should be implemented.
Note that since a CDI implementation is required to support bypassing platform securiy
checks (e.g. when invoking aprivate observer method), total absence of security checks on
CDI SPI level could result in privilege escalation. Here's an example:
Suppose the application server bundles a sensitive method:
{code:JAVA}
public class ApplicationServer {
static boolean explode() {
// ...
}
}
{code}
The method is package-private and thus cannot be by an application. If the application
would be to invoke this method using reflection, it would need to first obtain the Method
handle for the explode method. Obtaining a Method handle requires the
"accessDeclaredMembers" runtime permission which the application does not have.
It can however use the CDI SPI:
{code:JAVA}
Method method = null;
for (AnnotatedMethod<?> annotatedMethod :
manager.createAnnotatedType(ApplicationServer.class).getMethods()) {
if (annotatedMethod.getJavaMember().equals("explode")) {
method = annotatedMethod.getJavaMember();
break;
}
}
{code}
Now the application has the Method handle without having the
"accessDeclaredMembers" permission.
The application still cannot invoke the method as it needs to bypass security checks on
access to the method first. This cannot be done without the
"suppressAccessChecks" runtime permission.
Again, remember that CDI implementations are supposed to be capable of invoking
inaccessible methods and this capability is exposed through the SPI. Therefore, the
application call:
{code:JAVA}
Producer<?> producer = manager.getProducerFactory(annotatedMethod,
null).createProducer(null);
{code}
Now, calling producer.produce() will cause the sensitive method to be invoked even though
the application was not granted "accessDeclaredMembers" neither
"suppressAccessChecks" permission.