fix(jans-core): inherit context classloader #8952 #8953

yurem · 2024-07-11T14:04:39Z

[X ] I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

dryrunsecurity · 2024-07-11T14:04:49Z

DryRun Security Summary

The pull request updates the configuration of the Quartz scheduler used in various components of the Jans application suite, primarily by adding the org.quartz.scheduler.threadsInheritContextClassLoaderOfInitializer=true property to ensure that the scheduler's threads inherit the context class loader of the initializer thread.

Expand for full summary

Summary:

The code changes in this pull request primarily focus on updating the configuration of the Quartz scheduler used in various components of the Jans application suite, such as the Jans Config API, Jans Auth Server, Jans FIDO2, Jans Link, Jans Lock, and Jans SCIM. The key change across these files is the addition of the org.quartz.scheduler.threadsInheritContextClassLoaderOfInitializer=true property.

This configuration setting ensures that the threads created by the Quartz scheduler will inherit the context class loader of the thread that initialized the scheduler. This can be an important consideration for applications that use custom class loaders or need to ensure that the scheduler's threads have access to the necessary resources and dependencies.

From an application security perspective, these changes do not appear to introduce any immediate security concerns. The Quartz scheduler is a widely used and well-established library, and the configuration updates are generally considered standard practice. However, it's important to review the broader context of the application and ensure that the Quartz scheduler is being used securely and that there are no other potential security implications.

Files Changed:

quartz.properties files in various Jans application components (e.g., Jans Config API, Jans Auth Server, Jans FIDO2, Jans Link, Jans Lock, Jans SCIM): These files contain the configuration settings for the Quartz scheduler used in the respective applications. The key change is the addition of the org.quartz.scheduler.threadsInheritContextClassLoaderOfInitializer=true property, which ensures that the scheduler's threads inherit the context class loader of the initializer thread.
AsynchronousInterceptor.java in the jans-core module: This change sets the context class loader to the class loader of the AsynchronousInterceptor class before executing the asynchronous method invocation and restores the original context class loader after the invocation is complete. This is a good practice to ensure that the correct class loader is used during asynchronous execution.

Overall, the changes in this pull request appear to be routine configuration updates and do not raise any immediate security concerns. However, it's important to review the broader context of the application and ensure that the Quartz scheduler is being used securely and that there are no other potential security implications.