SecurityUtils should not elminate calls to existing methods #12318
Comments
stoty
changed the title
|
Please take a look, @gregw . |
This wholesale removal of |
|
This is a simple correctness issue. These methods are called from a few places, but there is a reason for each call, and at least the callAs() and doPrivileged() calls are NOT for using the removed SecurityManager functionality. callAs() is NOT scheduled to be removed, and this new method was specifically added to Java to avoid the SecurityManager dependecy of doAs() , so not calling it simply breaks any code depending on the java security framework for handling users, including Kerberos/SPENGO support in Jetty. Gating callAs() behind some arbitray parameter is a glaringly obvious copy-paste bug. doPrivileged() is used in one place to avoid a resources leak in the code. doPriviliged() is a but more subtle bug, because in this case Jetty was never using it for SecurityManager related functionality, but for avoiding leaks via Classloaders when forking Threads. Frankly, I did not dig into the Java EE context stuff, but I would expect that there are cases where the getSecurityManager() elimination also breaks uses cases that currently work, especially since most of those Java EE releases were written with the assumption of SecurityManager funtionalty, and may still be used by code that really does use SecurityManager functionality. |
|
Specifically, for JDK 17 the code won't find the new callAs() method, because it was added in 18, and then won't even try the new API if the jetty property is set to false, even though the doAs()/callAs() functionaly is only marginally related to SecurityManager. The only saving grace in that case is that for JDK21 and earlier Jetty defaults to using the old API, so this won't break on JDK17, unless someone explicitly sets the property to the wrong value. |
This leak is JDK version specific. If you were running JDK 11, yes, this bug is very important to address. In the OpenJDK 17 codebase, the Our current codebase, in Jetty 12, uses reflection against deprecated |
The two methods you referenced,
I find it entertaining that all of the doAs methods were added in JDK18 and immediately deprecated for removal. We should probably have a Jetty And deprecate the |
This has already been done in 12.1.x (and it was a good change) |
|
However, Subject.doAs() is so old, that I gave up trying to figure when it was added. |
|
Regarding doPriviliged() Now that we are talking about it, I remember how it broke SPNEGO support in Avatica when Jetty added it. Coincidently, this is another good example of how eliminating the doPrivileged() call for JDK22 and later causes (another) incompatible change in Jetty. before the hack, Jetty did not change Subject. |
|
Because you referred 12.0 behaviour, I want to stress that this problem only exists in 12.1.x and the problematic code was added qute recently in: What I propose is basically reverting to the 12.0 behaviour. |
Jetty version(s)
12.1.x
Jetty Environment
any
Java version/vendor
(use: java -version)any
OS type/version
any
Description
When "org.eclipse.jetty.util.security.useSecurityManager" is set to false, or JDK21 or later is used, then SecurityUtils treats doAs() callAs() as NOOP.
This is wrong, as both methods also perform functions unrelated to the SecurityManager (i.e. setting the subject).
The doPrivileged elimiation also seems bad , I suspect that it will lead to leaks if the SecurityManager is enabled.
In fact, I think that SecurityUtils should not try to guess the SecurityManager setting at all, but just call existing APIs if the methods exist.
The JVM will figure out the rest, and neither Jetty, nor its users have to worry about handling all the JVM/securityManager setting combinations.
How to reproduce?
The text was updated successfully, but these errors were encountered: