HK2-119

HK2 needs to wrap all code that requires elevated privileges in AccessController.doPrivileged(...) blocks.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.2.0
    • Fix Version/s: 2.2.0
    • Component/s: None
    • Labels: None

      Description

      When running HK2 in an environment with a security manager enabled, calls from application code (unprivileged) to HK2 APIs may fail the access control checks. HK2 needs to make sure that any code that is e.g. using reflection is properly wrapped in AccessController.doPrivileged(...) blocks. Currently we should focus on any code that requires the following permissions:

      ( java.lang.RuntimePermission "accessDeclaredMembers" "")
      ( java.lang.RuntimePermission "getClassLoader" "")
      ( java.util.PropertyPermission "*" "")
      

      Essentially, any code that works with class loaders, uses reflection or accesses system properties needs to be executed as privileged. See also: JERSEY-1874
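
The pattern the description asks for, as an added example that is not HK2 source: one narrow doPrivileged block per permission listed above. The class name, method names and the `org.example.lib.` property prefix are hypothetical. AccessController is deprecated for removal since Java 17, so this applies to runtimes where a security manager is still in use.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper, not HK2 source. Package-private on purpose: a public
// wrapper would lend the library's permissions to any unprivileged caller.
final class PrivilegedOps {
    private PrivilegedOps() {}

    // RuntimePermission "accessDeclaredMembers": reflective member lookup.
    // PrivilegedExceptionAction carries the checked exception out of the block.
    static Method declaredMethod(Class<?> type, String name) throws NoSuchMethodException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Method>) () -> type.getDeclaredMethod(name));
        } catch (PrivilegedActionException e) {
            // Only checked exceptions are wrapped; here that can only be this one.
            throw (NoSuchMethodException) e.getException();
        }
    }

    // RuntimePermission "getClassLoader".
    static ClassLoader contextClassLoader() {
        return AccessController.doPrivileged(
            (PrivilegedAction<ClassLoader>) () -> Thread.currentThread().getContextClassLoader());
    }

    // PropertyPermission: read only keys under the library's own prefix
    // (assumed prefix for this example), never a key chosen by the caller.
    static String libraryProperty(String suffix) {
        String key = "org.example.lib." + suffix;
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    public static void main(String[] args) throws Exception {
        System.out.println(declaredMethod(String.class, "isEmpty"));
        System.out.println(contextClassLoader());
        System.out.println(libraryProperty("debug")); // null unless the property is set
    }
}
```

Each block contains only the single call that triggers the permission check, so the library's privileges cover nothing else the caller supplies.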

          Activity

          jwells added a comment -

          We do most of our testing of HK2 with the security manager ON. Therefore it is my belief that most of the places where a doPriv is necessary have been found. That being said, there could of course be paths where another doPriv is necessary.

          I will try to reproduce the exact problem reported in JERSEY-1874 to see where the doPriv properly belongs. From first look it appears that AnnotationLiteral needs a doPriv somewhere...

          jwells added a comment -

          Modified AnnotationLiteral to have the correct doPriv


            People

            • Assignee: jwells
            • Reporter: Marek Potociar