[ https://issues.redhat.com/browse/ELY-2049?page=com.atlassian.jira.plugin.... ] Boris Unckel updated ELY-2049: ------------------------------ Description: The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions. Examples: [Undertow|https://issues.redhat.com/browse/UNDERTOW-1815] [WildFly 1|https://issues.redhat.com/browse/WFLY-14072] [WildFly 1a, including Stacktrace|https://issues.redhat.com/browse/WFLY-14039] [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] line 2048 The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs. Current code: {code:java} public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) { ProtectionDomain deniedDomain = null; if (domains != null) for (ProtectionDomain domain : domains) { if (! domain.implies(permission)) { final CodeSource codeSource = domain.getCodeSource(); final ClassLoader classLoader = domain.getClassLoader(); final Principal[] principals = domain.getPrincipals(); if (principals == null || principals.length == 0) { access.accessCheckFailed(permission, codeSource, classLoader); } else { access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals)); } if (deniedDomain == null && ! LOG_ONLY) { deniedDomain = domain; } } } return deniedDomain; } {code} was: The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions. Examples: [Undertow|https://issues.redhat.com/browse/UNDERTOW-1815] [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] line 2048 The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs. Current code: {code:java} public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) { ProtectionDomain deniedDomain = null; if (domains != null) for (ProtectionDomain domain : domains) { if (! domain.implies(permission)) { final CodeSource codeSource = domain.getCodeSource(); final ClassLoader classLoader = domain.getClassLoader(); final Principal[] principals = domain.getPrincipals(); if (principals == null || principals.length == 0) { access.accessCheckFailed(permission, codeSource, classLoader); } else { access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals)); } if (deniedDomain == null && ! LOG_ONLY) { deniedDomain = domain; } } } return deniedDomain; } {code} -- This message was sent by Atlassian Jira (v7.13.8#713008)