[
https://issues.jboss.org/browse/JBWS-3974?page=com.atlassian.jira.plugin....
]
Jason Shepherd updated JBWS-3974:
---------------------------------
Environment: EAP 7.0.0.Beta1, jbossws-spi 3.1.1 (Couldn't find in affected version
list) (was: EAP 7.0.0.Beta1, jbossws-spi 3.3.1 (Couldn't find in affected version
list))
Incorreclty bypass the SecurityManager and call
AccessControl.checkPermission() directly
----------------------------------------------------------------------------------------
Key: JBWS-3974
URL:
https://issues.jboss.org/browse/JBWS-3974
Project: JBoss Web Services
Issue Type: Bug
Components: jbossws-integration
Environment: EAP 7.0.0.Beta1, jbossws-spi 3.1.1 (Couldn't find in affected
version list)
Reporter: Jason Shepherd
Priority: Minor
Calls to AccessControl.checkPermission() should be done by the Security Manager so that
policies can be centrally managed. See this guide as a reference:
bq. Note that the method AccessController.checkPermission is normally invoked indirectly
through invocations of specific SecurityManager methods that begin with the word check
such as checkConnect or through the method SecurityManager.checkPermission. Normally,
these checks only occur if a SecurityManager has been installed; code checked by the
AccessController.checkPermission method first checks if the method
System.getSecurityManager returns null.
[
https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivile...]
Also refer to fixed issue WFCORE-1266, as it is similar.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)