Loading of service provider implementations needs to be done under doPrivileged #94

Closed
yersan opened this issue Oct 4, 2022 · 0 comments · Fixed by #95
yersan commented Oct 4, 2022

Describe the bug
Loading of service provider implementations should be done in a privileged block. It will give the caller the ability to invoke the API in a different protection domain and not propagate the permissions check to the application source code.

That will allow application servers to trust the API code, removing the need for users to add the required permissions.
This can be reproduced with WildFly by deploying a simple servlet that sends an email when the security manager is enabled.

To Reproduce
Deploy a servlet that tries to send an email in WildFly with the security manager enabled:

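```shell
$ wildfly/bin/standalone.sh -secmgr
```

```java
import java.io.IOException;
import java.io.PrintWriter;

import jakarta.annotation.Resource;
import jakarta.mail.Address;
import jakarta.mail.Message;
import jakarta.mail.Session;
import jakarta.mail.Transport;
import jakarta.mail.internet.InternetAddress;
import jakarta.mail.internet.MimeMessage;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet(value = "/mail")
public class MailServlet extends HttpServlet {
    // Mail session provided by the WildFly mail subsystem
    @Resource(mappedName = "java:jboss/mail/Default")
    private Session mailSession;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        PrintWriter out = response.getWriter();
        try {
            MimeMessage m = new MimeMessage(mailSession);
            Address from = new InternetAddress("from@mydomain.com");
            Address[] to = new InternetAddress[]{new InternetAddress("to@mydomain.com")};
            m.setFrom(from);
            m.setRecipients(Message.RecipientType.TO, to);
            m.setSubject("Test Mail");
            m.setSentDate(new java.util.Date());
            // Setting the content goes through Jakarta Activation, which looks up its providers
            m.setContent("Mail sent from WildFly", "text/plain");
            Transport.send(m);
            out.println("Mail sent!");
        } catch (jakarta.mail.MessagingException e) {
            e.printStackTrace();
            out.println("Error in Sending Mail: " + e);
        }
    }
}
```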

```
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/Users/yborgess/.m2/repository/org/eclipse/angus/angus-activation/1.0.0/angus-activation-1.0.0.jar" "read")" in code source "(vfs:/content/jakarta-mail-tester-1.0-SNAPSHOT.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.jakarta-mail-tester-1.0-SNAPSHOT.war" from Service Module Loader")
	at org.wildfly.security.elytron-base@2.0.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:309)
	at org.wildfly.security.elytron-base@2.0.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:201)
	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
	at org.wildfly.security.elytron-base@2.0.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:374)
	at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:237)
	at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:177)
	at java.base/java.util.jar.JarFile.<init>(JarFile.java:350)
	at java.base/sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:103)
	at java.base/sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:72)
	at java.base/sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
	at java.base/sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:125)
	at java.base/sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:155)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.parse(ServiceLoader.java:1165)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.nextProviderClass(ServiceLoader.java:1206)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNextService(ServiceLoader.java:1221)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator$1.run(ServiceLoader.java:1268)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator$1.run(ServiceLoader.java:1267)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNext(ServiceLoader.java:1270)
	at java.base/java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1300)
	at java.base/java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1385)
	at jakarta.activation.api@2.1.0//jakarta.activation.ServiceLoaderUtil.firstByServiceLoader(ServiceLoaderUtil.java:33)
	... 60 more
```

Expected behavior
I wouldn't expect to have to add permissions to my application to load the Angus activation Jar file.

lukasj closed this as completed in #95 on Oct 5, 2022
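
The privileged-block pattern the issue asks for, shown as an added example and not the project's own change in #95. `PrivilegedProviderLookup` and `ExampleProvider` are hypothetical names, and the code assumes a JDK where `java.security.AccessController` is available.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.ServiceLoader;

/** Hypothetical helper for illustration; not the project's ServiceLoaderUtil. */
public final class PrivilegedProviderLookup {

    /** Hypothetical service interface standing in for an API provider type. */
    public interface ExampleProvider {
        String name();
    }

    private PrivilegedProviderLookup() {
    }

    // Before: every protection domain on the call stack is checked, so the
    // deployment's code source needs FilePermission "read" on the provider jar
    // (the failure shown in the stack trace above).
    static <T> T firstUnprivileged(Class<T> service, ClassLoader loader) {
        Iterator<T> it = ServiceLoader.load(service, loader).iterator();
        return it.hasNext() ? it.next() : null;
    }

    // After: the permission check stops at this class's protection domain.
    // ServiceLoader records the access-control context when it is created and
    // reads META-INF/services entries lazily during iteration, so creation and
    // iteration both go inside the same privileged block.
    @SuppressWarnings("removal") // AccessController is deprecated for removal since JDK 17
    static <T> T firstPrivileged(Class<T> service, ClassLoader loader) {
        return AccessController.doPrivileged((PrivilegedAction<T>) () -> {
            Iterator<T> it = ServiceLoader.load(service, loader).iterator();
            // Return the instantiated provider, never the lazy iterator: an
            // iterator consumed outside the block would run unprivileged again.
            return it.hasNext() ? it.next() : null;
        });
    }

    public static void main(String[] args) {
        ClassLoader cl = PrivilegedProviderLookup.class.getClassLoader();
        // No provider is registered in this stand-alone run, so the lookup
        // returns null; inside a container it would return the first
        // implementation listed under META-INF/services.
        ExampleProvider p = firstPrivileged(ExampleProvider.class, cl);
        System.out.println(p == null ? "no provider registered" : p.name());
    }
}
```

The helper is kept non-public and does only the lookup, so the library's permissions cover provider discovery and nothing the caller could redirect to other work.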
zeebe-bors-camunda bot added a commit to camunda/camunda that referenced this issue Nov 21, 2023
15315: deps(maven): Update dependency jakarta.activation:jakarta.activation-api to v2.1.2 (main) r=github-actions[bot] a=renovate[bot]

This PR contains the following updates:

| Package | Change |
|---|---|
| [jakarta.activation:jakarta.activation-api](https://togithub.com/jakartaee/jaf-api) | `2.1.0` -> `2.1.2` |

---


### Release Notes

<details>
<summary>jakartaee/jaf-api (jakarta.activation:jakarta.activation-api)</summary>

### [`v2.1.2`](https://togithub.com/jakartaee/jaf-api/releases/tag/2.1.2): Jakarta Activation 2.1.2 Final Release

[Compare Source](https://togithub.com/jakartaee/jaf-api/compare/2.1.1...2.1.2)

The 2.1.2 release is a bug fix release of 2.1.x (Jakarta EE 10).

Following changes are included:

-   fix wrong class file version for package-info
-   add missing javadoc description for MimeTypeEntry getters

**Full Changelog**: jakartaee/jaf-api@2.1.1...2.1.2

### [`v2.1.1`](https://togithub.com/jakartaee/jaf-api/releases/tag/2.1.1): Jakarta Activation 2.1.1 Final Release

[Compare Source](https://togithub.com/jakartaee/jaf-api/compare/2.1.0...2.1.1)

The 2.1.1 release is a bug fix release of 2.1.0.

Following changes are included:

-   jakartaee/jaf-api#93 - Use OSGi service loader mediator
-   jakartaee/jaf-api#94 - Loading of service provider implementations needs to be done under doPrivileged
-   jakartaee/jaf-api#100 - Avoid requiring accessDeclaredMembers permissions

#### New Contributors

-   [@yersan](https://togithub.com/yersan) made their first contribution in jakartaee/jaf-api#95

**Full Changelog**: jakartaee/jaf-api@2.1.0...2.1.1

</details>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>