[jboss-jira] [JBoss JIRA] (WFLY-7581) Drop the use of the org.jboss.invocation.PrivilegedWithCombinerInterceptor to be compatible with JBoss Invocation 1.5.0

Farah Juma (JIRA) issues at jboss.org
Mon Nov 14 17:34:00 EST 2016


     [ https://issues.jboss.org/browse/WFLY-7581?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Farah Juma updated WFLY-7581:
-----------------------------
    Summary: Drop the use of the org.jboss.invocation.PrivilegedWithCombinerInterceptor to be compatible with JBoss Invocation 1.5.0  (was: Drop the use of the org.jboss.invocation.PrivilegedWithCombinerInterceptor)


> Drop the use of the org.jboss.invocation.PrivilegedWithCombinerInterceptor to be compatible with JBoss Invocation 1.5.0
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-7581
>                 URL: https://issues.jboss.org/browse/WFLY-7581
>             Project: WildFly
>          Issue Type: Task
>          Components: EE
>            Reporter: Farah Juma
>            Assignee: Farah Juma
>
> Due to the security implications of PrivilegedInterceptor and PrivilegedWithCombinerInterceptor, these two interceptors were changed to be no-operation a while back. These interceptors have been removed in jboss-invocation 1.5.0.Beta2. PrivilegedWithCombinerInterceptor is still currently being used in WildFly but we should be able to drop the use of this interceptor.
> Relevant HipChat discussion with David:
> {code}
> [3:18 PM] Farah Juma: So far, with the latest jboss-invocation SNAPSHOT, I'm running into many WildFly testsuite failures related to the org.jboss.invocation.PrivilegedWithCombinerInterceptor class not being found
> [3:18 PM] Farah Juma: This class was removed in jboss-invocation 1.5.0.Beta2
> [3:26 PM] Farah Juma: Just wondering what should now be used instead of the PrivilegedWithCombinerInterceptor
> [3:26 PM] David M. Lloyd: hmm that class was actually used?
> [3:27 PM] David M. Lloyd: the class was basically a giant security hole
> [3:28 PM] Farah Juma: it's used in these four classes: DefaultComponentConfigurator, ManagedBeanAnnotationProcessor, EJBComponentDescription, and AbstractIntegrationProcessorJAXWS
> [3:29 PM] David M. Lloyd: I think it's got to be safe to just remove it
> [3:29 PM] David M. Lloyd: because [a] we're not using picketbox anymore, and [b] it was a no-op without a security manager present anyway
> [3:31 PM] Farah Juma: ok, thanks, I'll remove the references to it
> [3:36 PM] David M. Lloyd: to be clear, those doPrivileged interceptors were not specifically to support PB: they were to ensure that applications run with only their own privileges
> [3:37 PM] David M. Lloyd: the combiner part was necessary to propagate Subject, which might still be necessary
> [3:37 PM] David M. Lloyd: but since the privileged part was not, just dropping the interceptors works just fine to propagate Subject (because there's nothing stopping said propagation)
> [3:38 PM] David M. Lloyd: because of the security implications of those two interceptors, they were changed to be no-operation a while ago, so it should be no loss
> {code}



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)