jetty.project
SecurityUtils should not eliminate calls to existing methods
Jetty version(s): 12.1.x
Jetty Environment: any
Java version/vendor (use: java -version): any
OS type/version: any
Description
The original description below is incorrect.
The doAs problem only happens if org.eclipse.jetty.util.security.useSecurityManager is explicitly set to false on JDK17.
The doPrivileged issue and the suggested solution is still valid.
Original Description:
When "org.eclipse.jetty.util.security.useSecurityManager" is set to false, or JDK21 or later is used, SecurityUtils treats doAs() and callAs() as no-ops.
This is wrong, as both methods also perform functions unrelated to the SecurityManager (i.e. setting the subject).
The doPrivileged elimination also seems bad; I suspect that it will lead to leaks if the SecurityManager is enabled.
In fact, I think that SecurityUtils should not try to guess the SecurityManager setting at all, but just call existing APIs if the methods exist.
The JVM will figure out the rest, and neither Jetty nor its users have to worry about handling all the JVM/SecurityManager setting combinations.
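To illustrate the point that Subject.doAs()/callAs() set the current subject independently of any SecurityManager, here is an added, self-contained example (not Jetty's SecurityUtils and not code from the issue) that reflectively calls whichever of the two JDK methods exists, without consulting a SecurityManager-related property, and then reads the subject back from inside the action. The helper names runAs and currentSubject, the class name and the "alice" principal are constructed for the demo.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;

// Constructed demo: call the Subject API the running JDK offers and show that the
// subject is propagated to the action whether or not a SecurityManager is installed.
public final class SubjectPropagationDemo {
    // Hypothetical helper mirroring the issue's suggestion: call existing APIs if they exist.
    static <T> T runAs(Subject subject, Callable<T> action) throws Exception {
        Method callAs = findMethod("callAs", Subject.class, Callable.class); // JDK 18+
        if (callAs != null) {
            @SuppressWarnings("unchecked")
            T result = (T) callAs.invoke(null, subject, action);
            return result;
        }
        // Older JDKs: doAs also binds the subject; this is not a SecurityManager concern.
        Method doAs = findMethod("doAs", Subject.class, PrivilegedAction.class);
        PrivilegedAction<T> wrapped = () -> {
            try { return action.call(); } catch (Exception e) { throw new RuntimeException(e); }
        };
        @SuppressWarnings("unchecked")
        T result = (T) doAs.invoke(null, subject, wrapped);
        return result;
    }

    private static Method findMethod(String name, Class<?>... params) {
        try { return Subject.class.getMethod(name, params); } catch (NoSuchMethodException e) { return null; }
    }

    // Reads the subject visible inside the action via the accessor this JDK provides.
    static Subject currentSubject() throws Exception {
        Method current = findMethod("current"); // JDK 18+
        if (current != null) return (Subject) current.invoke(null);
        @SuppressWarnings("deprecation")
        Subject s = Subject.getSubject(AccessController.getContext()); // JDK 17 and earlier
        return s;
    }

    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        subject.getPrincipals().add((Principal) () -> "alice"); // constructed principal
        String seen = runAs(subject, () -> {
            Subject s = currentSubject();
            return s == null ? "no subject" : s.getPrincipals().iterator().next().getName();
        });
        // With the calls skipped as no-ops, the action would see "no subject" instead of "alice".
        System.out.println("Subject inside action: " + seen);
    }
}
```

Running it with and without a SecurityManager on JDK 17, and on JDK 21 where callAs is used, prints the same principal name, which is the behaviour lost when the calls are treated as no-ops.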
How to reproduce?