Details
-
Bug
-
Resolution: Done
-
Critical
-
7.1.0.DR17
-
None
Description
There is missing doPriviliged block in ModuleClassLoaderLocator. Fix of JBEAP-6559 for ModuleClassLoaderLocator introduces new CombinedClassLoader innner class which extends SecureClassLoader. Initialization of this class needs to createClassLoader RuntimePermission.
That means:
- All deployment which uses API which internally uses ModuleClassLoaderLocator needs createClassLoader RuntimePermission (which is new in EAP 7.1, the same deployments in EAP 7.0 does not need this permission)
- i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
- setting createClassLoader RuntimePermission for deployment can be dangerous and it should probably use own permission
Attachments
Issue Links
- is cloned by
-
WFLY-8760 get method of ModuleClassLoaderLocator requires createClassLoader permission
- Closed