[jboss-jira] [JBoss JIRA] (WFLY-12530) doPrivileged is needed for JASPIC logout

Darran Lofthouse created WFLY-12530: --------------------------------------- Summary: doPrivileged is needed for JASPIC logout Key: WFLY-12530 URL: https://issues.jboss.org/browse/WFLY-12530 Project: WildFly Issue Type: Bug Components: Web (Undertow) Reporter: Darran Lofthouse Assignee: Darran Lofthouse Fix For: 18.0.0.Final A doPrivileged is required for the following error: - {noformat} Permission check failed (permission "("java.security.SecurityPermission" "getProperty.authconfigprovider.factory")" in code source "(vfs:/content/some_deployment.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "somedeployment.war" from Service Module Loader") at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294) at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191) at javax.security.auth.message.config.AuthConfigFactory.checkPermission(AuthConfigFactory.java:166) at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:201) at org.wildfly.extension.undertow.security.jaspi.JASPICSecurityContext.logout(JASPICSecurityContext.java:114) at io.undertow.servlet.spec.HttpServletRequestImpl.logout(HttpServletRequestImpl.java:505) {noformat} The deployment is invoking a standard servlet API however it's ProtectionDomain is being taken into account for the inner details of implementation. A deployment could require these permissions if interacting with the JASPI APIs directly however it should not require these permissions to interact with the Servlet APIs and the JASPI interaction becomes an implementation detail. -- This message was sent by Atlassian Jira (v7.13.5#713005)