Author: asoldano Date: 2014-02-03 12:00:22 -0500 (Mon, 03 Feb 2014) New Revision: 18303 Modified: common/trunk/src/main/java/org/jboss/ws/common/deployment/EndpointAddressDeploymentAspect.java common/trunk/src/main/java/org/jboss/ws/common/management/AbstractServerConfig.java common/trunk/src/main/java/org/jboss/ws/common/utils/AbstractWSDLFilePublisher.java Log: [JBWS-3756] Add permission checks to sensitive public static methods Modified: common/trunk/src/main/java/org/jboss/ws/common/deployment/EndpointAddressDeploymentAspect.java =================================================================== --- common/trunk/src/main/java/org/jboss/ws/common/deployment/EndpointAddressDeploymentAspect.java 2014-02-03 16:59:47 UTC (rev 18302) +++ common/trunk/src/main/java/org/jboss/ws/common/deployment/EndpointAddressDeploymentAspect.java 2014-02-03 17:00:22 UTC (rev 18303) @@ -25,6 +25,7 @@ import static org.jboss.ws.common.integration.WSHelper.isJaxwsEjbEndpoint; import static org.jboss.ws.common.integration.WSHelper.isJaxwsJseEndpoint; +import java.security.AccessController; import java.util.HashMap; import java.util.LinkedList; import java.util.List; @@ -64,7 +65,7 @@ throw Messages.MESSAGES.cannotObtainContextRoot(dep.getSimpleName()); PortValue port = new PortValue((Integer)service.getProperty("port"), null); - ServerConfig serverConfig = AbstractServerConfig.getServerIntegrationServerConfig(); + ServerConfig serverConfig = getServerConfig(); port.setServerConfig(serverConfig); String host = serverConfig.getWebServiceHost(); Map<String, Endpoint> endpointsMap = new HashMap<String, Endpoint>(); @@ -108,6 +109,12 @@ } } + private static ServerConfig getServerConfig() { + if(System.getSecurityManager() == null) { + return AbstractServerConfig.getServerIntegrationServerConfig(); + } + return AccessController.doPrivileged(AbstractServerConfig.GET_SERVER_INTEGRATION_SERVER_CONFIG); + } protected boolean isConfidentialTransportGuarantee(final Deployment dep, final Endpoint ep) { Modified: common/trunk/src/main/java/org/jboss/ws/common/management/AbstractServerConfig.java =================================================================== --- common/trunk/src/main/java/org/jboss/ws/common/management/AbstractServerConfig.java 2014-02-03 16:59:47 UTC (rev 18302) +++ common/trunk/src/main/java/org/jboss/ws/common/management/AbstractServerConfig.java 2014-02-03 17:00:22 UTC (rev 18303) @@ -26,6 +26,9 @@ import java.net.InetAddress; import java.net.UnknownHostException; +import java.security.AccessController; +import java.security.Permission; +import java.security.PrivilegedAction; import javax.management.MBeanServer; @@ -51,13 +54,15 @@ * permanentely disabled. The isModifiable() method can be overwridden to enable / disable * the attribute update. * + * @author alessio.soldano(a)jboss.com * @author Thomas.Diesler(a)jboss.org * @author darran.lofthouse(a)jboss.com - * @author alessio.soldano(a)jboss.com * @since 08-May-2006 */ public abstract class AbstractServerConfig implements AbstractServerConfigMBean, ServerConfig { + private static final RuntimePermission LOOKUP_SERVER_INTEGRATION_SERVER_CONFIG = new RuntimePermission("org.jboss.ws.LOOKUP_SERVER_INTEGRATION_SERVER_CONFIG"); + // The MBeanServer private volatile MBeanServer mbeanServer; @@ -290,9 +295,19 @@ if (!ClassLoaderProvider.isSet()) { return null; } + checkPermission(LOOKUP_SERVER_INTEGRATION_SERVER_CONFIG); return serverConfig; } + public static final PrivilegedAction<ServerConfig> GET_SERVER_INTEGRATION_SERVER_CONFIG = new PrivilegedAction<ServerConfig>() + { + @Override + public ServerConfig run() + { + return getServerIntegrationServerConfig(); + } + }; + public String getImplementationTitle() { return stackConfig.getImplementationTitle(); @@ -342,7 +357,16 @@ { return endpointConfigStore.getConfig(name); } - + + private static void checkPermission(final Permission permission) + { + SecurityManager securityManager = System.getSecurityManager(); + if (securityManager != null) + { + AccessController.checkPermission(permission); + } + } + public interface UpdateCallbackHandler { public void onBeforeUpdate(); } Modified: common/trunk/src/main/java/org/jboss/ws/common/utils/AbstractWSDLFilePublisher.java =================================================================== --- common/trunk/src/main/java/org/jboss/ws/common/utils/AbstractWSDLFilePublisher.java 2014-02-03 16:59:47 UTC (rev 18302) +++ common/trunk/src/main/java/org/jboss/ws/common/utils/AbstractWSDLFilePublisher.java 2014-02-03 17:00:22 UTC (rev 18303) @@ -32,6 +32,7 @@ import java.io.IOException; import java.io.InputStream; import java.net.URL; +import java.security.AccessController; import java.util.Iterator; import java.util.List; @@ -77,7 +78,7 @@ serverConfig = dep.getAttachment(ServerConfig.class); if (serverConfig == null) { - serverConfig = AbstractServerConfig.getServerIntegrationServerConfig(); + serverConfig = getServerConfig(); } if (isJseDeployment(dep) || isWarArchive(dep)) @@ -90,6 +91,13 @@ } } + private static ServerConfig getServerConfig() { + if(System.getSecurityManager() == null) { + return AbstractServerConfig.getServerIntegrationServerConfig(); + } + return AccessController.doPrivileged(AbstractServerConfig.GET_SERVER_INTEGRATION_SERVER_CONFIG); + } + private static synchronized DocumentBuilder getDocumentBuilder() { if (builder == null) @@ -130,6 +138,7 @@ @SuppressWarnings("unchecked") protected void publishWsdlImports(URL parentURL, Definition parentDefinition, List<String> published, String expLocation) throws Exception { + @SuppressWarnings("rawtypes") Iterator it = parentDefinition.getImports().values().iterator(); while (it.hasNext()) {