[1004] Wrap service loader calls in privileged actions if the securit… #1005
Conversation
|
I forgot to mention, if this seems acceptable I can port the changes over to whichever branches desired. |
|
@jamezp do note that |
|
There is quite a lot of code duplication in the world of suppliers. JEP 411 deprecates the SecurityManager in JDK 17, but for JDK 17, it means a warning is issued. Jakarta REST 3.1 is supposed to be working with JDK 11-17 which still has the SecurityManager functional. But I'm surprised noone complained about this untill now (2.0 was released with EE 7) @jamezp You seem to use the words may/might, is this a real issue or the could-potentially-happen one? |
Yes, I thought about that before sending this. However, there still is no clear path for a replacement that I'm aware of. I know that some installations require the security manager to be enabled. The real purpose of this is so RESTEasy no longer has to use a fork of the spec :) |
Yes. AFAIK there is no replacement for the security manager at this point. I have a feeling it won't be removed anytime soon :)
Sorry, yes this is a real issue. I've not tried in other application servers, but I can say in WildFly if you run with a security manager then there are failures. There is a fix in a fork which WildFly and JBoss EAP use. However it would be nice to let the fork die and use the spec itself :) |
|
I'd rather vote for removal of security manager instead of correcting it. |
|
@jamezp What is the use case for running WildFly under a security manager? The JDK team seems to simply by JEP 411 that this is no longer needed/used in server-side Java. |
|
I know that we (IBM) have customers who require Java 2 security for their app servers - even in Java/Jakarta EE. Personally, I've never been a fan of Java 2 security, but we do have some users who need it. I believe most of our Java 2 security customers are governmental users or are contractors for governments that require it. Those requirements might start to be lifted now that Java 17 is deprecating the security manager, but in general (and until we get a little closer to prereq'ing Java 17), I'm in favor of adding doPrivs where necessary. |
@spericas I can't say I know the requirements specifically for WildFly, but I know we (Red Hat) have JBoss EAP customers that are required to run the container with the security manager enabled. I agree with @andymc12 that I don't like it, but I don't really have a choice but to support it :) |
| + " to " + targetTypeURL; | ||
| } else { | ||
| errorMessage = AccessController.doPrivileged((PrivilegedAction<String>) () -> { | ||
| ClassLoader loader = pClass.getClassLoader(); |
There was a problem hiding this comment.
Maybe we should refactor into private method instead of duplicating code.
There was a problem hiding this comment.
Should be done if I've understood correctly :)
|
@jamezp @andymc12 Just reviewed JEP 411. Looks to me that it would be OK to fix this for 3.1. We should probably review this for 4.0 as clearly a lot of this functionality is going away. I still think that the "security" provided by the Java Security Manager is a lot less useful in practice than on paper. |
Done. |
| if (System.getSecurityManager() == null) { | ||
| return action.run(); | ||
| } | ||
| return AccessController.doPrivileged(action); |
There was a problem hiding this comment.
I understand putting the getClassLoader calls into a doPriv block, but I don't understand the ServiceLoader calls. Does that need to be in a doPriv? The javadoc doesn't mention that it throws a SecurityException.
There was a problem hiding this comment.
The ServiceLoader.load() is actually safe, but it captures the AccessContrelContext is captured and during iteration a security exception could be thrown on Constructor.newInstance().
From the JavaDocs:
Service loaders always execute in the security context of the caller. Trusted system code should typically invoke the methods in this class, and the methods of the iterators which they return, from within a privileged security context.
| if (System.getSecurityManager() == null) { | ||
| return action.run(); | ||
| } | ||
| return AccessController.doPrivileged(action); |
There was a problem hiding this comment.
Same comment as above. Can we avoid the doPriv on the ServiceLoader.load(...) calls?
Note that |
…y manager is enabled. Also ensure the LinkageError for the ClientBuilder is thrown if a security manager is enabled. Resolves jakartaee#1004 Signed-off-by: James R. Perkins <jperkins@redhat.com>
Good point. Updated! |
|
Merging as it has been approved 25 days ago. |
…y manager is enabled. Also ensure the LinkageError for the ClientBuilder is thrown if a security manager is enabled. (jakartaee#1005) Resolves jakartaee#1004 Signed-off-by: James R. Perkins <jperkins@redhat.com>
…y manager is enabled. Also ensure the LinkageError for the ClientBuilder is thrown if a security manager is enabled. (jakartaee#1005) Resolves jakartaee#1004 Signed-off-by: James R. Perkins <jperkins@redhat.com>
…y manager is enabled. Also ensure the LinkageError for the ClientBuilder is thrown if a security manager is enabled.
Resolves #1004
Signed-off-by: James R. Perkins jperkins@redhat.com