[JBoss JIRA] (CDI-727) CDI.current() should use privileged block

Tuesday, 26 June 2018

     [
https://issues.jboss.org/browse/CDI-727?page=com.atlassian.jira.plugin.sy...
]

Work on CDI-727 started by Antoine Sabot-Durand.
------------------------------------------------
...
 CDI.current() should use privileged block
 -----------------------------------------

                 Key: CDI-727
                 URL: https://issues.jboss.org/browse/CDI-727
             Project: CDI Specification Issues
          Issue Type: Bug
          Components: Javadoc and API
    Affects Versions: 2.0 .Final
            Reporter: Jan Kalina
            Assignee: Antoine Sabot-Durand
              Labels: security-manager
             Fix For: 2.0.SP1

 When deployment in container with security manager enabled try to use {{CDI.current()}}
call, {{CDI}} class directly access JAR of CDI provider, because of which security manager
requires from the deployment to have permission to read the JAR.
 *{{CDI.findAllProviders}} method should read the JAR in privileged block.*
 (as discussed in WFLY-10125)
 {code}
 java.security.AccessControlException: WFSM000001: Permission check failed (permission
"("java.io.FilePermission"
"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-integ-rhel-secman/1cfa62fc/jboss-eap-7.2/modules/system/layers/base/org/jboss/as/weld/main/wildfly-weld-7.2.0.CD12-redhat-2.jar"
"read")" in code source "(vfs:/content/test.war/WEB-INF/classes <no
signer certificates>)" of "ModuleClassLoader for Module
"deployment.test.war" from Service Module Loader")
 	at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
 	at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
 	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
 	at
org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:360)
 	at sun.net.www.protocol.jar.JarFileFactory.getCachedJarFile(JarFileFactory.java:137)
 	at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:81)
 	at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
 	at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:152)
 	at java.net.URL.openStream(URL.java:1045)
 	at javax.enterprise.inject.spi.CDI.findAllProviders(CDI.java:109)
 	at javax.enterprise.inject.spi.CDI.current(CDI.java:53)
 	at
org.jboss.as.test.integration.ee.injection.support.jpa.beanManager.TestEntityListener.obtainFooViaCdiCurrent(TestEntityListener.java:97)
 {code} 

--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010