Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-2842

Java 2 Security issues with Mime4JWorkaround

XMLWordPrintable

      When attempting multipart requests with a Java 2 security manager in Open Liberty, I am seeing an exception like this:

      java.security.AccessControlException: Access denied ("java.io.FilePermission" "/Users/andymc/open-liberty/dev/com.ibm.ws.jaxrs.2.0_fat/build/libs/autoFVT/build/tmp/m4j648702897246668174.tmp" "write")java.base/java.security.AccessController.throwACE(AccessController.java:176)
      java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
      java.base/java.security.AccessController.checkPermission(AccessController.java:385)
      java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
      com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
      java.base/java.lang.SecurityManager.checkWrite(SecurityManager.java:752)
      java.base/java.io.File.createTempFile(File.java:2082)
      org.jboss.resteasy.plugins.providers.multipart.Mime4JWorkaround$CustomTempFileStorageProvider.createTempFile(Mime4JWorkaround.java:160)
      org.jboss.resteasy.plugins.providers.multipart.Mime4JWorkaround$CustomTempFileStorageProvider.createStorageOutputStream(Mime4JWorkaround.java:141)
      org.apache.james.mime4j.storage.ThresholdStorageProvider$ThresholdStorageOutputStream.write0(ThresholdStorageProvider.java:113)
      org.apache.james.mime4j.storage.StorageOutputStream.write(StorageOutputStream.java:119)
      org.apache.james.mime4j.util.ContentUtil.copy(ContentUtil.java:56)
      org.apache.james.mime4j.storage.AbstractStorageProvider.store(AbstractStorageProvider.java:57)
      org.apache.james.mime4j.storage.StorageBodyFactory.binaryBody(StorageBodyFactory.java:94)
      org.jboss.resteasy.plugins.providers.multipart.Mime4jWorkaroundBinaryEntityBuilder.body(Mime4jWorkaroundBinaryEntityBuilder.java:159)
      org.apache.james.mime4j.parser.MimeStreamParser.parse(MimeStreamParser.java:133)
      org.jboss.resteasy.plugins.providers.multipart.Mime4JWorkaround.parseMessage(Mime4JWorkaround.java:96)
      org.jboss.resteasy.plugins.providers.multipart.MultipartInputImpl.parse(MultipartInputImpl.java:104)
      org.jboss.resteasy.plugins.providers.multipart.MultipartReader.readFrom(MultipartReader.java:51)
      org.jboss.resteasy.plugins.providers.multipart.IBMMultipartProvider.readFrom(IBMMultipartProvider.java:100)
      org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:101)
      org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:80)
      org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:214)
      org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:88)
      org.jboss.resteasy.specimpl.AbstractBuiltResponse.readEntity(AbstractBuiltResponse.java:270)
      com.ibm.ws.jaxrs.fat.multipart.MultipartTestServlet.testMultipartResponse(MultipartTestServlet.java:69)
      

      and also this:

      ("java.io.FilePermission" "/Users/andymc/open-liberty/dev/com.ibm.ws.jaxrs.2.0_fat/build/libs/autoFVT/build/tmp/m4j5229037956131727442.tmp" "write")
      Stack: 
      java.security.AccessControlException: Access denied ("java.io.FilePermission" "/Users/andymc/dev/libertyGit/open-liberty/dev/com.ibm.ws.jaxrs.2.0_fat/build/libs/autoFVT/build/tmp/m4j5229037956131727442.tmp" "write")java.base/java.security.AccessController.throwACE(AccessController.java:176)
      java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
      java.base/java.security.AccessController.checkPermission(AccessController.java:385)
      java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
      com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
      java.base/java.lang.SecurityManager.checkWrite(SecurityManager.java:752)
      java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:225)
      java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:187)
      org.jboss.resteasy.plugins.providers.multipart.Mime4JWorkaround$CustomTempFileStorageProvider.createFileOutputStream(Mime4JWorkaround.java:179)
      org.jboss.resteasy.plugins.providers.multipart.Mime4JWorkaround$CustomTempFileStorageProvider.access$000(Mime4JWorkaround.java:109)
      org.jboss.resteasy.plugins.providers.multipart.Mime4JWorkaround$CustomTempFileStorageProvider$TempFileStorageOutputStream.<init>(Mime4JWorkaround.java:192)
      org.jboss.resteasy.plugins.providers.multipart.Mime4JWorkaround$CustomTempFileStorageProvider.createStorageOutputStream(Mime4JWorkaround.java:141)
      org.apache.james.mime4j.storage.ThresholdStorageProvider$ThresholdStorageOutputStream.write0(ThresholdStorageProvider.java:113)
      org.apache.james.mime4j.storage.StorageOutputStream.write(StorageOutputStream.java:119)
      org.apache.james.mime4j.util.ContentUtil.copy(ContentUtil.java:56)
      org.apache.james.mime4j.storage.AbstractStorageProvider.store(AbstractStorageProvider.java:57)
      org.apache.james.mime4j.storage.StorageBodyFactory.binaryBody(StorageBodyFactory.java:94)
      org.jboss.resteasy.plugins.providers.multipart.Mime4jWorkaroundBinaryEntityBuilder.body(Mime4jWorkaroundBinaryEntityBuilder.java:159)
      org.apache.james.mime4j.parser.MimeStreamParser.parse(MimeStreamParser.java:133)
      org.jboss.resteasy.plugins.providers.multipart.Mime4JWorkaround.parseMessage(Mime4JWorkaround.java:96)
      org.jboss.resteasy.plugins.providers.multipart.MultipartInputImpl.parse(MultipartInputImpl.java:104)
      org.jboss.resteasy.plugins.providers.multipart.MultipartReader.readFrom(MultipartReader.java:51)
      org.jboss.resteasy.plugins.providers.multipart.IBMMultipartProvider.readFrom(IBMMultipartProvider.java:100)
      org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:101)
      org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:80)
      org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:214)
      org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:88)
      org.jboss.resteasy.specimpl.AbstractBuiltResponse.readEntity(AbstractBuiltResponse.java:270)
      com.ibm.ws.jaxrs.fat.multipart.MultipartTestServlet.testMultipartResponse(MultipartTestServlet.java:69)
      

      I have an attempted fix at https://github.com/resteasy/Resteasy/pull/2682

            rsigal@redhat.com Ronald Sigal
            andymc12 Andy McCright (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: