[RESTEASY-1638] Permission check failed when creating instance of res…

…teasy client Issue: https://issues.jboss.org/browse/RESTEASY-1638
resteasy · Nov 7, 2017 · 38dcb6a · 38dcb6a
1 parent c64d208
commit 38dcb6a
Show file tree

Hide file tree

Showing 25 changed files with 343 additions and 112 deletions.
diff --git a/...xb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/AbstractJAXBContextFinder.java b/...xb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/AbstractJAXBContextFinder.java
@@ -59,7 +59,7 @@ public boolean equals(Object o)
                   break;
                }
             }
-            if (found == false) return false;
+            if (!found) return false;
          }
          return true;
       }
@@ -99,14 +99,14 @@ public static String getPackageName(Class<?> type)
       return packageName;
    }
 
-   public static Class<?> findDefaultObjectFactoryClass(Class<?> type) throws PrivilegedActionException
+   public static Class<?> findDefaultObjectFactoryClass(Class<?> type)
    {
       XmlType typeAnnotation = type.getAnnotation(XmlType.class);
       if (typeAnnotation == null) return null;
       if (!typeAnnotation.factoryClass().equals(XmlType.DEFAULT.class)) return null;
-      StringBuilder b = new StringBuilder(getPackageName(type));
+      final StringBuilder b = new StringBuilder(getPackageName(type));
       b.append(OBJECT_FACTORY_NAME);
-      Class<?> factoryClass = null;
+      Class<?> factoryClass;
       try
       {
          if (System.getSecurityManager() == null)
@@ -115,25 +115,17 @@ public static Class<?> findDefaultObjectFactoryClass(Class<?> type) throws Privi
          }
          else
          {
-            final String  smB = b.toString();
             factoryClass = AccessController.doPrivileged(new PrivilegedExceptionAction<Class<?>>()
             {
                @Override
-               public Class<?> run() throws Exception
+               public Class<?> run() throws ClassNotFoundException
                {
-                  return Thread.currentThread().getContextClassLoader().loadClass(smB);
+                  return Thread.currentThread().getContextClassLoader().loadClass(b.toString());
                }
             });
          }
       }
-      catch (PrivilegedActionException pae) {
-         if (pae.getException() instanceof ClassNotFoundException) {
-            return null;
-         } else {
-            throw pae;
-         }
-      }
-      catch (ClassNotFoundException e)
+      catch (PrivilegedActionException | ClassNotFoundException e)
       {
          return null;
       }
@@ -173,15 +165,10 @@ public JAXBContext createContext(Annotation[] parameterAnnotations, Class... cla
 				if (type == null)
 					continue;
 				classes1.add(type);
-               try {
-                  Class<?> factory = findDefaultObjectFactoryClass(type);
-                  if (factory != null)
-                     classes1.add(factory);
-               } catch (PrivilegedActionException pae)
-               {
-                  throw new JAXBException(pae);
-               }
-			}
+               Class<?> factory = findDefaultObjectFactoryClass(type);
+               if (factory != null)
+                  classes1.add(factory);
+            }
 		}
 		Class<?>[] classArray = classes1.toArray(new Class[classes1.size()]);
 		return createContextObject(parameterAnnotations, classArray);

diff --git a/...ders/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/JAXBContextWrapper.java b/...ders/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/JAXBContextWrapper.java
@@ -23,6 +23,7 @@
 import java.io.InputStream;
 import java.lang.reflect.Constructor;
 import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.util.Collections;
@@ -69,13 +70,10 @@ public class JAXBContextWrapper extends JAXBContext
 
          mapperConstructor = mapper[0].getConstructors()[0];
       }
-      catch (ClassNotFoundException e)
+      catch (ClassNotFoundException | PrivilegedActionException e)
       {
 
       }
-      catch (PrivilegedActionException pae) {
-
-      }
 
    }
 
@@ -105,8 +103,7 @@ public JAXBContextWrapper(JAXBContext wrappedContext, JAXBConfig config) throws
     * @param config
     * @throws JAXBException
     */
-   public JAXBContextWrapper(final Class<?>[] classes, final Map<String, Object> properties, JAXBConfig config)
-           throws JAXBException
+   public JAXBContextWrapper(final Class<?>[] classes, final Map<String, Object> properties, JAXBConfig config) throws JAXBException
    {
       processConfig(config);
       try
@@ -122,7 +119,7 @@ public JAXBContextWrapper(final Class<?>[] classes, final Map<String, Object> pr
                @Override
                public JAXBContext run() throws JAXBException
                {
-                  return JAXBContext.newInstance(classes, properties);
+                     return JAXBContext.newInstance(classes, properties);
                }
             });
          }
@@ -140,10 +137,31 @@ public JAXBContext run() throws JAXBException
     * @param config
     * @throws JAXBException
     */
-   public JAXBContextWrapper(String contextPath, JAXBConfig config) throws JAXBException
+   public JAXBContextWrapper(final String contextPath, JAXBConfig config) throws JAXBException
    {
       processConfig(config);
-      wrappedContext = JAXBContext.newInstance(contextPath);
+      try
+      {
+         if (System.getSecurityManager() == null)
+         {
+            wrappedContext = JAXBContext.newInstance(contextPath);
+         }
+         else
+         {
+            wrappedContext = AccessController.doPrivileged(new PrivilegedExceptionAction<JAXBContext>()
+            {
+               @Override
+               public JAXBContext run() throws JAXBException
+               {
+                  return JAXBContext.newInstance(contextPath);
+               }
+            });
+         }
+      }
+      catch (PrivilegedActionException paex)
+      {
+         throw new JAXBException(paex.getMessage());
+      }
    }
 
    /**

diff --git a/...ers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/JAXBXmlTypeProvider.java b/...ers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/JAXBXmlTypeProvider.java
@@ -94,8 +94,7 @@ public Object readFrom(Class<Object> type, Type genericType, Annotation[] annota
          JAXBContextFinder finder = resolver.getContext(type);
          if (finder == null)
          {
-            if (true) throw new JAXBUnmarshalException(Messages.MESSAGES.couldNotFindJAXBContextFinder(mediaType));
-            else throw new JAXBMarshalException(Messages.MESSAGES.couldNotFindJAXBContextFinder(mediaType));
+            throw new JAXBUnmarshalException(Messages.MESSAGES.couldNotFindJAXBContextFinder(mediaType));
          }
          JAXBContext jaxb = finder.findCacheXmlTypeContext(mediaType, annotations, type);
          Unmarshaller unmarshaller = jaxb.createUnmarshaller();
@@ -176,26 +175,17 @@ public static Object findObjectFactory(Class<?> type)
          Class<?> factoryClass = AbstractJAXBContextFinder.findDefaultObjectFactoryClass(type);
          if (factoryClass != null && factoryClass.isAnnotationPresent(XmlRegistry.class))
          {
-            Object factory = factoryClass.newInstance();
-            return factory;
+            return factoryClass.newInstance();
          }
          else
          {
             throw new JAXBMarshalException(Messages.MESSAGES.validXmlRegistryCouldNotBeLocated());
          }
       }
-      catch (InstantiationException e)
+      catch (InstantiationException | IllegalAccessException e)
       {
          throw new JAXBMarshalException(e);
       }
-      catch (IllegalAccessException e)
-      {
-         throw new JAXBMarshalException(e);
-      }
-      catch (PrivilegedActionException pae)
-      {
-         throw new JAXBMarshalException(pae);
-      }
 
    }
 
@@ -212,7 +202,7 @@ public static JAXBElement<?> wrapInJAXBElement(Object t, Class<?> type)
       try
       {
          final Object factory = findObjectFactory(type);
-         Method[] method = new Method[0];
+         Method[] method;
          if (System.getSecurityManager() == null)
          {
             method = factory.getClass().getDeclaredMethods();
@@ -229,34 +219,24 @@ public Method[] run() throws Exception
             });
          }
 
-         for (int i = 0; i < method.length; i++)
+         for (Method current : method)
          {
-            Method current = method[i];
             if (current.getParameterTypes().length == 1 && current.getParameterTypes()[0].equals(type)
                     && current.getName().startsWith("create"))
             {
-               Object result = current.invoke(factory, new Object[]
-                       {t});
+               Object result = current.invoke(factory, t);
                return JAXBElement.class.cast(result);
             }
          }
          throw new JAXBMarshalException(Messages.MESSAGES.createMethodNotFound(type));
       }
-      catch (IllegalArgumentException e)
-      {
-         throw new JAXBMarshalException(e);
-      }
-      catch (IllegalAccessException e)
+      catch (IllegalArgumentException | IllegalAccessException | PrivilegedActionException e)
       {
          throw new JAXBMarshalException(e);
       }
       catch (InvocationTargetException e)
       {
          throw new JAXBMarshalException(e.getCause());
       }
-      catch (PrivilegedActionException pae)
-      {
-         throw new JAXBMarshalException(pae);
-      }
    }
 }
diff --git a/resteasy-client/src/main/java/org/jboss/resteasy/client/jaxrs/ClientHttpEngineBuilder43.java b/resteasy-client/src/main/java/org/jboss/resteasy/client/jaxrs/ClientHttpEngineBuilder43.java
@@ -1,6 +1,8 @@
 package org.jboss.resteasy.client.jaxrs;
 
 import java.io.IOException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.List;
@@ -165,15 +167,35 @@ protected void prepareSocket(SSLSocket socket) throws IOException
         }
     }
 
-   protected ClientHttpEngine createEngine(HttpClientConnectionManager cm, RequestConfig.Builder rcBuilder,
-         HttpHost defaultProxy, int responseBufferSize, HostnameVerifier verifier, SSLContext theContext)
+   protected ClientHttpEngine createEngine(final HttpClientConnectionManager cm, final RequestConfig.Builder rcBuilder,
+         final HttpHost defaultProxy, final int responseBufferSize, final HostnameVerifier verifier, final SSLContext theContext)
    {
-      HttpClient httpClient = HttpClientBuilder.create()
-            .setConnectionManager(cm)
-            .setDefaultRequestConfig(rcBuilder.build())
-            .setProxy(defaultProxy)
-            .disableContentCompression().build();
-      ApacheHttpClient43Engine engine = (ApacheHttpClient43Engine) ApacheHttpClient4EngineFactory.create(httpClient,
+       final HttpClient httpClient;
+       if (System.getSecurityManager() == null)
+       {
+           httpClient = HttpClientBuilder.create()
+                 .setConnectionManager(cm)
+                 .setDefaultRequestConfig(rcBuilder.build())
+                 .setProxy(defaultProxy)
+                 .disableContentCompression().build();
+       }
+       else
+       {
+           httpClient = AccessController.doPrivileged(new PrivilegedAction<HttpClient>()
+           {
+               @Override
+               public HttpClient run()
+               {
+                   return HttpClientBuilder.create()
+                           .setConnectionManager(cm)
+                           .setDefaultRequestConfig(rcBuilder.build())
+                           .setProxy(defaultProxy)
+                           .disableContentCompression().build();
+               }
+           });
+       }
+
+       ApacheHttpClient43Engine engine = (ApacheHttpClient43Engine) ApacheHttpClient4EngineFactory.create(httpClient,
             true);
       engine.setResponseBufferSize(responseBufferSize);
       engine.setHostnameVerifier(verifier);

diff --git a/resteasy-client/src/main/java/org/jboss/resteasy/client/jaxrs/ProxyBuilder.java b/resteasy-client/src/main/java/org/jboss/resteasy/client/jaxrs/ProxyBuilder.java
@@ -14,6 +14,8 @@
 
 import java.lang.reflect.Method;
 import java.lang.reflect.Proxy;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Set;
@@ -24,7 +26,7 @@ public class ProxyBuilder<T>
 
 	private final Class<T> iface;
 	private final ResteasyWebTarget webTarget;
-	private ClassLoader loader = Thread.currentThread().getContextClassLoader();
+	private ClassLoader loader;
 	private MediaType serverConsumes;
 	private MediaType serverProduces;
 
@@ -93,6 +95,21 @@ private static <T> ClientInvoker createClientInvoker(Class<T> clazz, Method meth
 
    private ProxyBuilder(Class<T> iface, ResteasyWebTarget webTarget)
    {
+      if (System.getSecurityManager() == null)
+      {
+          this.loader = Thread.currentThread().getContextClassLoader();
+      }
+      else
+      {
+          this.loader = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
+          {
+              @Override
+              public ClassLoader run()
+              {
+                  return Thread.currentThread().getContextClassLoader();
+              }
+          });
+      }
       this.iface = iface;
       this.webTarget = webTarget;
    }

diff --git a/resteasy-client/src/main/java/org/jboss/resteasy/client/jaxrs/ResteasyClient.java b/resteasy-client/src/main/java/org/jboss/resteasy/client/jaxrs/ResteasyClient.java
@@ -3,9 +3,6 @@
 import org.jboss.resteasy.client.jaxrs.i18n.Messages;
 import org.jboss.resteasy.client.jaxrs.internal.ClientConfiguration;
 import org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget;
-import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
-import org.jboss.resteasy.spi.NotImplementedYetException;
-import org.jboss.resteasy.spi.ResteasyProviderFactory;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
@@ -17,9 +14,10 @@
 import javax.ws.rs.core.UriBuilder;
 
 import java.net.URI;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Map;
 import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -73,7 +71,22 @@ public void close()
          httpEngine.close();
          if (cleanupExecutor)
          {
-            asyncInvocationExecutor.shutdown();
+            if (System.getSecurityManager() == null)
+            {
+               asyncInvocationExecutor.shutdown();
+            }
+            else
+            {
+               AccessController.doPrivileged(new PrivilegedAction<Void>()
+               {
+                  @Override
+                  public Void run()
+                  {
+                     asyncInvocationExecutor.shutdown();
+                     return null;
+                  }
+               });
+            }
          }
       }
       catch (Exception e)