Loading of service provider implementations needs to be done under doPrivileged #94

@yersan

Description

Describe the bug
Loading of service provider implementations should be done in a privileged block. It will give the caller the ability to invoke the API in a different protection domain and not propagate the permission check to the application source code.

That will allow the Application Servers to trust the API code, removing the need for users to add the required permissions.
This can be reproduced with WildFly by deploying a simple servlet that sends an email when the security manager is enabled.

To Reproduce
Deploy a servlet that tries to send an email in WildFly with the security manager enabled:

$ wildfly/bin/standalone.sh -secmgr

import java.io.IOException;
import java.io.PrintWriter;

import jakarta.annotation.Resource;
import jakarta.mail.Address;
import jakarta.mail.Message;
import jakarta.mail.Session;
import jakarta.mail.Transport;
import jakarta.mail.internet.InternetAddress;
import jakarta.mail.internet.MimeMessage;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet(value = "/mail")
public class MailServlet extends HttpServlet {
    // Mail session injected from the server-managed JNDI binding
    @Resource(mappedName = "java:jboss/mail/Default")
    private Session mailSession;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        PrintWriter out = response.getWriter();
        try {
            MimeMessage m = new MimeMessage(mailSession);
            Address from = new InternetAddress("from@mydomain.com");
            Address[] to = new InternetAddress[]{new InternetAddress("to@mydomain.com")};
            m.setFrom(from);
            m.setRecipients(Message.RecipientType.TO, to);
            m.setSubject("Test Mail");
            m.setSentDate(new java.util.Date());
            m.setContent("Mail sent from WildFly", "text/plain");
            // Transport.send triggers the ServiceLoader lookup shown in the trace below
            Transport.send(m);
            out.println("Mail sent!");
        } catch (jakarta.mail.MessagingException e) {
            e.printStackTrace();
            out.println("Error in Sending Mail: " + e);
        }
    }
}

Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/Users/yborgess/.m2/repository/org/eclipse/angus/angus-activation/1.0.0/angus-activation-1.0.0.jar" "read")" in code source "(vfs:/content/jakarta-mail-tester-1.0-SNAPSHOT.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.jakarta-mail-tester-1.0-SNAPSHOT.war" from Service Module Loader")
	at org.wildfly.security.elytron-base@2.0.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:309)
	at org.wildfly.security.elytron-base@2.0.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:201)
	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
	at org.wildfly.security.elytron-base@2.0.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:374)
	at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:237)
	at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:177)
	at java.base/java.util.jar.JarFile.<init>(JarFile.java:350)
	at java.base/sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:103)
	at java.base/sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:72)
	at java.base/sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
	at java.base/sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:125)
	at java.base/sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:155)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.parse(ServiceLoader.java:1165)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.nextProviderClass(ServiceLoader.java:1206)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNextService(ServiceLoader.java:1221)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator$1.run(ServiceLoader.java:1268)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator$1.run(ServiceLoader.java:1267)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/java.util.ServiceLoader$LazyClassPathLookupIterator.hasNext(ServiceLoader.java:1270)
	at java.base/java.util.ServiceLoader$2.hasNext(ServiceLoader.java:1300)
	at java.base/java.util.ServiceLoader$3.hasNext(ServiceLoader.java:1385)
	at jakarta.activation.api@2.1.0//jakarta.activation.ServiceLoaderUtil.firstByServiceLoader(ServiceLoaderUtil.java:33)
	... 60 more

Expected behavior
I wouldn't expect to have to add permissions to my application to load the Angus activation Jar file.
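Added example, not part of the issue or of the jakarta.activation code: a hypothetical PrivilegedServiceLoaderUtil (the class and method names are assumptions) that shows the unprivileged lookup next to the one wrapped in AccessController.doPrivileged. The trace above shows that ServiceLoader's own doPrivileged frame does not help, because ServiceLoader reuses the AccessControlContext it captured when load() was called; the library therefore has to enter the privileged block before calling load().

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.ServiceLoader;

/**
 * Hypothetical helper illustrating the fix requested in the issue.
 * Running provider discovery inside doPrivileged stops the permission
 * check at this class's protection domain (the API jar), so the servlet's
 * deployment code source no longer needs FilePermission "read" on the
 * provider jar. AccessController is deprecated for removal since Java 17,
 * which is a constraint on how long this pattern remains available.
 */
public final class PrivilegedServiceLoaderUtil {

    private PrivilegedServiceLoaderUtil() {
    }

    /**
     * Unprivileged form: every frame on the stack, including the caller's
     * deployment code, must hold the permission to read the provider jar.
     * With the WildFly security manager enabled this is what fails above.
     */
    public static <T> T firstByServiceLoaderUnprivileged(Class<T> service, ClassLoader loader) {
        Iterator<T> it = ServiceLoader.load(service, loader).iterator();
        return it.hasNext() ? it.next() : null;
    }

    /**
     * Privileged form: only frames from the doPrivileged call downward are
     * checked. load() must be called inside the block so that the context
     * ServiceLoader captures is the library's, not the caller's. Keep the
     * block minimal: only discovery runs here, nothing caller-controlled.
     */
    public static <T> T firstByServiceLoader(Class<T> service, ClassLoader loader) {
        return AccessController.doPrivileged((PrivilegedAction<T>) () -> {
            Iterator<T> it = ServiceLoader.load(service, loader).iterator();
            return it.hasNext() ? it.next() : null;
        });
    }
}
```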
