<div dir="ltr">Hi,<div> This JEP(<a href="http://openjdk.java.net/jeps/176">http://openjdk.java.net/jeps/176</a>) proposes a new way of enforcing the security permissions. Does this mean that the SPI methods will be annotated with @<span style="color:rgb(0,0,0);font-family:'DejaVu Sans Mono','Bitstream Vera Sans Mono','Luxi Mono','Courier New',monospace;font-size:13px;line-height:18.6666660308838px"> CallerSensitive</span></div><div><span style="color:rgb(0,0,0);font-family:'DejaVu Sans Mono','Bitstream Vera Sans Mono','Luxi Mono','Courier New',monospace;font-size:13px;line-height:18.6666660308838px"><br></span></div>How does one update the issues list with these types of queries assuming it is valid ? I am still learning the ropes.<div><br><div>Thanks,</div><div>Mohan</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 2, 2014 at 12:44 PM, Jozef Hartinger (JIRA) <span dir="ltr"><<a href="mailto:issues@jboss.org" target="_blank">issues@jboss.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
[ <a href="https://issues.jboss.org/browse/CDI-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13007947#comment-13007947" target="_blank">https://issues.jboss.org/browse/CDI-486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13007947#comment-13007947</a> ]<br>
<br>
Jozef Hartinger commented on CDI-486:<br>
-------------------------------------<br>
<br>
We should probably introduce a new permission and make it a requirement for calling BeanManagerMethod methods such as createInjectionTarget(), createProducer(), etc.<br>
<span class=""><br>
> Define security constraints for using CDI SPI<br>
</span>> ---------------------------------------------<br>
<div class="HOEnZb"><div class="h5">><br>
> Key: CDI-486<br>
> URL: <a href="https://issues.jboss.org/browse/CDI-486" target="_blank">https://issues.jboss.org/browse/CDI-486</a><br>
> Project: CDI Specification Issues<br>
> Issue Type: Feature Request<br>
> Affects Versions: 1.2.Final<br>
> Reporter: Jozef Hartinger<br>
> Fix For: 2.0 (discussion)<br>
><br>
><br>
> Currently, the specification does not require any security checks to be performed when CDI SPI is used. It is not clear how this should be implemented.<br>
> Note that since a CDI implementation is required to support bypassing platform securiy checks (e.g. when invoking aprivate observer method), total absence of security checks on CDI SPI level could result in privilege escalation. Here's an example:<br>
> Suppose the application server bundles a sensitive method:<br>
> {code:JAVA}<br>
> public class ApplicationServer {<br>
> static boolean explode() {<br>
> // ...<br>
> }<br>
> }<br>
> {code}<br>
> The method is package-private and thus cannot be by an application. If the application would be to invoke this method using reflection, it would need to first obtain the Method handle for the explode method. Obtaining a Method handle requires the "accessDeclaredMembers" runtime permission which the application does not have. It can however use the CDI SPI:<br>
> {code:JAVA}<br>
> Method method = null;<br>
> for (AnnotatedMethod<?> annotatedMethod : manager.createAnnotatedType(ApplicationServer.class).getMethods()) {<br>
> if (annotatedMethod.getJavaMember().equals("explode")) {<br>
> method = annotatedMethod.getJavaMember();<br>
> break;<br>
> }<br>
> }<br>
> {code}<br>
> Now the application has the Method handle without having the "accessDeclaredMembers" permission.<br>
> The application still cannot invoke the method as it needs to bypass security checks on access to the method first. This cannot be done without the "suppressAccessChecks" runtime permission.<br>
> Again, remember that CDI implementations are supposed to be capable of invoking inaccessible methods and this capability is exposed through the SPI. Therefore, the application call:<br>
> {code:JAVA}<br>
> Producer<?> producer = manager.getProducerFactory(annotatedMethod, null).createProducer(null);<br>
> {code}<br>
> Now, calling producer.produce() will cause the sensitive method to be invoked even though the application was not granted "accessDeclaredMembers" neither "suppressAccessChecks" permission.<br>
<br>
<br>
<br>
--<br>
This message was sent by Atlassian JIRA<br>
(v6.3.1#6329)<br>
_______________________________________________<br>
cdi-dev mailing list<br>
<a href="mailto:cdi-dev@lists.jboss.org">cdi-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/cdi-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/cdi-dev</a><br>
<br>
Note that for all code provided on this list, the provider licenses the code under the Apache License, Version 2 (<a href="http://www.apache.org/licenses/LICENSE-2.0.html" target="_blank">http://www.apache.org/licenses/LICENSE-2.0.html</a>). For all other ideas provided on this list, the provider waives all patent and other intellectual property rights inherent in such information.<br>
</div></div></blockquote></div><br></div>