JAXWS SPI Provider should call ServiceLoader's load method within a privileged block ------------------------------------------------------------------------------------ Key: JBEE-162 URL: https://issues.jboss.org/browse/JBEE-162 Project: JBoss JavaEE Spec APIs Issue Type: Bug Components: jboss-jaxws-api Reporter: Ivo Studensky Assignee: Ivo Studensky The JAXWS SPI {{Provider}} uses {{ServiceLoader}} to look for user specified provider implementations. When invoking {{load}} method on the {{ServiceLoader}}, read permission on the relevant jar is required. stacktrace: {noformat} Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/studensky/work/git/jboss-eap-myfork5/dist/target/wildfly-10.0.0.Final-SNAPSHOT/modules/system/layers/base/org/jboss/ws/cxf/jbossws-cxf-factories/main/jbossws-cxf-factories-5.1.2.Final.jar" "read")" in code source "(vfs:/content/ws-serviceref-example.jar <no signer certificates>)" of "null") at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273) at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:377) at java.util.zip.ZipFile.<init>(ZipFile.java:210) at java.util.zip.ZipFile.<init>(ZipFile.java:149) at java.util.jar.JarFile.<init>(JarFile.java:166) at java.util.jar.JarFile.<init>(JarFile.java:103) at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93) at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69) at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99) at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122) at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150) at java.net.URL.openStream(URL.java:1045) at java.util.ServiceLoader.parse(ServiceLoader.java:304) at java.util.ServiceLoader.access$200(ServiceLoader.java:185) at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357) at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323) at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396) at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395) at java.security.AccessController.doPrivileged(Native Method) at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398) at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474) at javax.xml.ws.spi.Provider$1.run(Provider.java:154) at javax.xml.ws.spi.Provider$1.run(Provider.java:152) at java.security.AccessController.doPrivileged(Native Method) at javax.xml.ws.spi.Provider.getProviderUsingServiceLoader(Provider.java:152) at javax.xml.ws.spi.Provider.provider(Provider.java:108) ... 102 more {noformat} Note: {{java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)}} calls {{doPrivileged}} block with an {{AccessControlContext}} cached from the {{load}} method invocation.