Uploaded image for project: 'JBoss Web Services'
  1. JBoss Web Services
  2. JBWS-3974

Incorreclty bypass the SecurityManager and call AccessControl.checkPermission() directly

XMLWordPrintable

      Calls to AccessControl.checkPermission() should be done by the Security Manager so that policies can be centrally managed. See this guide as a reference:

      Note that the method AccessController.checkPermission is normally invoked indirectly through invocations of specific SecurityManager methods that begin with the word check such as checkConnect or through the method SecurityManager.checkPermission. Normally, these checks only occur if a SecurityManager has been installed; code checked by the AccessController.checkPermission method first checks if the method System.getSecurityManager returns null.

      https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html

      Also refer to fixed issue WFCORE-1266, as it is similar.

            [JBWS-3974] Incorreclty bypass the SecurityManager and call AccessControl.checkPermission() directly

            Jason Shepherd added a comment -

            rhn-engineering-ema If a user's code is performing a sensitive operation which they want to define a custom grant for they should use the securityManager.checkPermission(). Using a Security Manager allows for centralization of the access control policies. For more information, read chapter 9 of the Oracle Secure Coding guide: http://www.oracle.com/technetwork/java/seccodeguide-139067.html

            Jason Shepherd added a comment - rhn-engineering-ema If a user's code is performing a sensitive operation which they want to define a custom grant for they should use the securityManager.checkPermission(). Using a Security Manager allows for centralization of the access control policies. For more information, read chapter 9 of the Oracle Secure Coding guide: http://www.oracle.com/technetwork/java/seccodeguide-139067.html

            Jim Ma added a comment -

            Another change : https://github.com/jbossws/jbossws-common/commit/638224b5adff1fab08095a896d788a04725a0b13

            Jim Ma added a comment - Another change : https://github.com/jbossws/jbossws-common/commit/638224b5adff1fab08095a896d788a04725a0b13

            Jim Ma added a comment -

            rhn-support-jshepher Should user's code also use securityManager.checkPermission() instead of AcessController.checkPermission() ?

            Jim Ma added a comment - rhn-support-jshepher Should user's code also use securityManager.checkPermission() instead of AcessController.checkPermission() ?

              rhn-engineering-ema Jim Ma
              rhn-support-jshepher Jason Shepherd
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: