Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8760

get method of ModuleClassLoaderLocator requires createClassLoader permission

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 11.0.0.Beta1
    • None
    • Security
    • None

    Description

      There is missing doPriviliged block in ModuleClassLoaderLocator. Fix of WFLY-7412 for ModuleClassLoaderLocator introduces new CombinedClassLoader innner class which extends SecureClassLoader. Initialization of this class needs to createClassLoader RuntimePermission.

      That means:

      • All deployment which uses API which internally uses ModuleClassLoaderLocator needs createClassLoader RuntimePermission (which is new in EAP 7.1, the same deployments in EAP 7.0 does not need this permission)
        • i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
      • setting createClassLoader RuntimePermission for deployment can be dangerous and it should probably use own permission

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10878 get method of ModuleClassLoaderLocator requires createClassLoader permission

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Activity

            People

              rhn-engineering-lgao Lin Gao
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: