Java 2 security issue in org.apache.cxf.transport.https.HttpsURLConnectionFactory #4211

Closed
andymc12 opened this issue Jul 9, 2018 · 0 comments
Labels: in:JAX-RS, release bug (This bug is present in a released version of Open Liberty), release-18.0.0.3, team:Wendigo West

andymc12 commented Jul 9, 2018

When using Java 2 security and HTTPS in outbound JAX-RS client requests, it is possible to see a failure like this:

ERROR: Caught exception attempting to call test method testPatchOptions on servlet jaxrs21.fat.patch.PatchTestServlet
javax.ws.rs.ProcessingException: java.io.IOException: Error while initializing secure socket
at org.apache.cxf.jaxrs.client.AbstractClient.checkClientException(AbstractClient.java:643)
at org.apache.cxf.jaxrs.client.AbstractClient.preProcessResult(AbstractClient.java:619)
at org.apache.cxf.jaxrs.client.WebClient.doResponse(WebClient.java:1114)
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1051)
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:897)
at org.apache.cxf.jaxrs.client.WebClient.doInvoke(WebClient.java:866)
at org.apache.cxf.jaxrs.client.WebClient.invoke(WebClient.java:431)
at org.apache.cxf.jaxrs.client.SyncInvokerImpl.method(SyncInvokerImpl.java:135)
at org.apache.cxf.jaxrs.client.SyncInvokerImpl.method(SyncInvokerImpl.java:130)
at org.apache.cxf.jaxrs.client.SyncInvokerImpl.options(SyncInvokerImpl.java:70)
at org.apache.cxf.jaxrs.client.spec.InvocationBuilderImpl.options(InvocationBuilderImpl.java:142)
at jaxrs21.fat.patch.PatchTestServlet.testPatchOptions(PatchTestServlet.java:53)
at componenttest.app.FATServlet.doGet(FATServlet.java:67)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1255)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:743)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:440)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1208)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4954)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.handleRequest(DynamicVirtualHost.java:314)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:996)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1011)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:414)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:373)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:532)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:466)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:331)
at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:302)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:165)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:74)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:501)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:571)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:926)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1015)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.lang.Thread.run(Thread.java:785)
Caused by: java.io.IOException: Error while initializing secure socket
at org.apache.cxf.transport.https.HttpsURLConnectionFactory.createConnection(HttpsURLConnectionFactory.java:104)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit.createConnection(URLConnectionHTTPConduit.java:125)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit.setupConnection(URLConnectionHTTPConduit.java:131)
at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:505)
at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:47)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.jaxrs.client.AbstractClient.doRunInterceptorChain(AbstractClient.java:714)
at org.apache.cxf.jaxrs.client.WebClient.doChainedInvocation(WebClient.java:1050)
Caused by: java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "setFactory")
at java.security.AccessController.throwACE(AccessController.java:157)
at java.security.AccessController.checkPermissionHelper(AccessController.java:217)
at java.security.AccessController.checkPermission(AccessController.java:349)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
at java.lang.SecurityManager.checkSetFactory(SecurityManager.java:1784)
at javax.net.ssl.HttpsURLConnection.setSSLSocketFactory(HttpsURLConnection.java:11)
at org.apache.cxf.transport.https.HttpsURLConnectionFactory.decorateWithTLS(HttpsURLConnectionFactory.java:171)
at org.apache.cxf.transport.https.HttpsURLConnectionFactory.createConnection(HttpsURLConnectionFactory.java:99)
@andymc12 andymc12 added in:JAX-RS team:Wendigo West release bug This bug is present in a released version of Open Liberty labels Jul 9, 2018
@andymc12 andymc12 self-assigned this Jul 9, 2018
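
The trace above ends in `SecurityManager.checkSetFactory`, which `HttpsURLConnection.setSSLSocketFactory` calls when a security manager is installed. The following is an added example, not code from this issue, CXF or Open Liberty: one common way for library code to make that call under Java 2 security, so that only the library's own protection domain needs `RuntimePermission "setFactory"`. The class name `PrivilegedTlsDecorator` and the host `example.invalid` are hypothetical.

```java
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper (added example): sets the socket factory from trusted
// library code so that application callers on the stack do not need
// RuntimePermission "setFactory" themselves.
public final class PrivilegedTlsDecorator {

    private PrivilegedTlsDecorator() {
    }

    // Package-private on purpose: the factory must be built by the library
    // from its own TLS configuration, never accepted from untrusted callers,
    // otherwise the privileged block would let them bypass checkSetFactory.
    static void decorate(final HttpsURLConnection conn, final SSLSocketFactory factory) {
        if (System.getSecurityManager() == null) {
            // No Java 2 security in effect: no permission check is performed.
            conn.setSSLSocketFactory(factory);
            return;
        }
        // doPrivileged stops the access-control stack walk at this class, so
        // the check is made against this code's protection domain only.
        // Keep the block minimal: exactly the one guarded call.
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            conn.setSSLSocketFactory(factory);
            return null;
        });
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample target; openConnection() does not touch the network.
        URL url = new URL("https://example.invalid/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();

        decorate(conn, factory);

        // The connection now reports the factory that was installed.
        System.out.println(conn.getSSLSocketFactory() == factory);
    }
}
```

The code source containing this class still has to be granted `java.lang.RuntimePermission "setFactory"` in the security policy; the privileged block only removes the requirement from the application code that calls into it.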