As I understand it, com.fasterxml.jackson.databind is provided by Elasticsearch, and we cannot add it to our plugins because it will lead to jar hell. My application is trying to parse JWT tokens, but when I try to do so in a doPrivileged block, I am greeted with:
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_131]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_131]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_131]
at java.lang.Class.checkMemberAccess(Class.java:2348) ~[?:1.8.0_131]
at java.lang.Class.getDeclaredConstructors(Class.java:2019) ~[?:1.8.0_131]
at com.fasterxml.jackson.databind.util.ClassUtil.getConstructors(ClassUtil.java:966) ~[?:?]
at com.fasterxml.jackson.databind.introspect.AnnotatedClass.resolveCreators(AnnotatedClass.java:443) ~[?:?]
at com.fasterxml.jackson.databind.introspect.AnnotatedClass.getStaticMethods(AnnotatedClass.java:314) ~[?:?]
at com.fasterxml.jackson.databind.introspect.BasicBeanDescription.getFactoryMethods(BasicBeanDescription.java:486) ~[?:?]
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._addDeserializerFactoryMethods(BasicDeserializerFactory.java:669) ~[?:?]
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._constructDefaultValueInstantiator(BasicDeserializerFactory.java:320) ~[?:?]
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findValueInstantiator(BasicDeserializerFactory.java:253) ~[?:?]
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.createMapDeserializer(BasicDeserializerFactory.java:1159) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:377) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:349) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:264) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:244) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:142) ~[?:?]
at com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:476) ~[?:?]
at com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:3899) ~[?:?]
at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:3765) ~[?:?]
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2123) ~[?:?]
at com.fasterxml.jackson.core.JsonParser.readValueAs(JsonParser.java:1650) ~[jackson-core-2.8.6.jar:2.8.6]
at com.auth0.jwt.impl.JsonNodeClaim.asMap(JsonNodeClaim.java:109) ~[?:?]
at com.fico.elasticsearch.authenticate.accesscontrol.User.lambda$fetchRolesFromToken$0(User.java:23) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
Code:
    Map<String, Object> someMap = AccessController.doPrivileged((PrivilegedAction<Map<String, Object>>) () -> {
        Map<String, Object> temp1 = ((Claim) token.getClaim("some_claim")).asMap();
        return temp1;
    });
Now, I do have
permission java.lang.RuntimePermission "accessDeclaredMembers";
in my plugin-security.policy, and other code which relies on "accessDeclaredMembers" works fine, but this one doesn't.
I suppose this is because the package is not loaded by my class loader but by the parent one. Any insight on this would be great.
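One way to test the class loader hypothesis in the post above, as an added example that is not part of the original post: a permission check inside doPrivileged still requires every protection domain on the stack between the check and the doPrivileged caller to hold the permission, so this probe prints, for each class in the failing call chain, which loader defined it, where it was loaded from, and whether its domain is granted "accessDeclaredMembers". The class name DomainProbe is hypothetical, and the sketch assumes it is compiled into the plugin and run with the "getProtectionDomain" (and, for parent loaders, "getClassLoader") runtime permissions.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.ProtectionDomain;

// Hypothetical diagnostic helper; not Elasticsearch, Jackson or java-jwt code.
public class DomainProbe {
    // The permission named in the AccessControlException from the post.
    static final Permission NEEDED = new RuntimePermission("accessDeclaredMembers");

    /** Report the defining loader, code source and permission grant for one class. */
    static String describe(String className) {
        Class<?> c;
        try {
            // initialize=false: load the class without running its static initializers.
            c = Class.forName(className, false, DomainProbe.class.getClassLoader());
        } catch (ClassNotFoundException | LinkageError e) {
            return className + "\n  not loadable from this class loader";
        }
        ClassLoader loader = c.getClassLoader();       // null means the bootstrap loader
        ProtectionDomain pd = c.getProtectionDomain(); // needs "getProtectionDomain" under a SecurityManager
        CodeSource cs = pd.getCodeSource();            // null for bootstrap classes
        return className
                + "\n  loader:  " + (loader == null ? "bootstrap" : loader)
                + "\n  source:  " + (cs == null ? "none" : String.valueOf(cs.getLocation()))
                + "\n  granted: " + pd.implies(NEEDED); // static grants plus the installed Policy
    }

    public static void main(String[] args) {
        // Default list: classes that appear in the stack trace from the post.
        String[] names = args.length > 0 ? args : new String[] {
            "com.fasterxml.jackson.databind.ObjectMapper",
            "com.fasterxml.jackson.core.JsonParser",
            "com.auth0.jwt.impl.JsonNodeClaim",
            "java.lang.Class"
        };
        for (String name : names) {
            System.out.println(describe(name));
        }
    }
}
```

Any class that reports `granted: false` sits in a protection domain the policy grant does not cover, and a frame from that domain on the stack is enough to make the check fail even inside doPrivileged.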