Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1070218

Summary: AppPolicy.java and AuthenticationInfo.java should use Security Manager instead of Access Controller
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Ondrej Lukas <olukas>
Component: Security
Assignee: Stefan Guilhen <sguilhen>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Slavicek <pslavice>
Severity: medium
Priority: unspecified
Version: 6.2.0, 6.3.0
CC: bdawidow, kkhan, pskopek, sguilhen
Target Milestone: DR11
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Bug Depends On: 1160715

Description Ondrej Lukas 2014-02-26 12:25:20 UTC
Classes org.jboss.security.AppPolicy and org.jboss.security.AuthenticationInfo contain a security check through AccessController. It should rather be checked through SecurityManager's checkPermission method. Using AccessController.checkPermission directly isn't good practice, because a custom Security Manager can be used and it can use its own type of security check (for example, it can allow access for some permissions which are not defined in the policy file). I think using AccessController instead of SecurityManager can cause unexpected behavior for customers.
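
The difference described above, as an added example that is not part of the original report and is not JBoss code: a custom SecurityManager grants a permission that no policy file defines, and the two check styles are run side by side. It assumes a JDK where installing a Security Manager is still supported (for example Java 8) and the default policy file; the class name `CheckPermissionDemo` and the permission name `example.getSecurityInfo` are constructed for illustration.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;

public class CheckPermissionDemo {
    // Hypothetical permission name, constructed for this example.
    static final Permission PERM = new RuntimePermission("example.getSecurityInfo");

    // Custom manager with its own decision logic: it grants PERM even though
    // no policy file mentions it; every other permission gets the default check.
    static class CustomManager extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (PERM.equals(p)) return;
            super.checkPermission(p);
        }
    }

    // Pattern the report objects to: ignores the installed SecurityManager and
    // evaluates only the policy-derived permissions of the calling stack.
    static boolean allowedViaAccessController() {
        try {
            AccessController.checkPermission(PERM);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Pattern the report asks for: delegate to the installed manager, if any.
    static boolean allowedViaSecurityManager() {
        SecurityManager sm = System.getSecurityManager();
        try {
            if (sm != null) sm.checkPermission(PERM);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new CustomManager());
        System.out.println("AccessController: " + allowedViaAccessController());
        System.out.println("SecurityManager:  " + allowedViaSecurityManager());
    }
}
```

The two styles also differ when no Security Manager is installed: the `System.getSecurityManager()` form performs no check at all, while `AccessController.checkPermission` still evaluates the policy.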

Comment 1 Ondrej Lukas 2014-07-31 09:08:42 UTC
Status updated. Issue still exists in EAP 6.3.0.ER10.

Comment 3 Jan Tymel 2014-11-27 11:05:50 UTC
Verified in EAP 6.4.0.DR11