Skip to content

[apache5-client] Fail fast when SecurityManager lacks TCP_KEEPIDLE/TCP_KEEPINTERVAL/TCP_KEEPCOUNT permissions.#6992

Merged
joviegas merged 9 commits into
masterfrom
joviegas/handle_apache_for_security_manager
May 29, 2026
Merged

[apache5-client] Fail fast when SecurityManager lacks TCP_KEEPIDLE/TCP_KEEPINTERVAL/TCP_KEEPCOUNT permissions.#6992
joviegas merged 9 commits into
masterfrom
joviegas/handle_apache_for_security_manager

Conversation

@joviegas
Copy link
Copy Markdown
Contributor

@joviegas joviegas commented May 26, 2026

Motivation and Context

  • Apache HC5 5.6 defaults SocketConfig.Builder to tcpKeepIdle=5, tcpKeepInterval=5, tcpKeepCount=3 with httpcomponents-core#550 (Enable five-second TCP keep-alive by default apache/httpcomponents-core#550)
  • This requires jdk.net.NetworkPermission for setOption.TCP_KEEPIDLE, setOption.TCP_KEEPINTERVAL, and setOption.TCP_KEEPCOUNT. When a SecurityManager is active without these permissions granted, customers get an AccessControlException at request time with no indication of which permissions are missing.
  • This change throws an IllegalStateException at client construction time listing the exact permissions required, so customers know what to fix before sending any requests.

Modifications

  • Added checkTcpKeepAlivePermissions() in Apache5HttpClient.DefaultBuilder.buildWithDefaults() that checks the three required jkdk.net.NetworkPermission entries when a SecurityManager is active.
  • Throws IllegalStateException listing the missing permissions at client construction time instead of AccessControlException at first request.
  • Uses ClassLoaderHelper.loadClass() to reflectively load jdk.net.NetworkPermission since the class is in an optional JDK module.

Testing

  • Added Junit tests

Screenshots (if appropriate)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

License

  • I confirm that this pull request can be released under the Apache 2 license

@joviegas
Fail fast at Apache5HttpClient construction when SecurityManager is a…
90fc833 
…ctive and jdk.net.NetworkPermission setOption.TCP_KEEPIDLE, setOption.TCP_KEEPINTERVAL, setOption.TCP_KEEPCOUNT are not granted
@joviegas joviegas requested a review from a team as a code owner May 26, 2026 21:02
@joviegas joviegas changed the title [[apache5-client] Fail fast when SecurityManager lacks TCP_KEEPIDLE/TCP_KEEPINTERVAL/TCP_KEEPCOUNT permissions. [apache5-client] Fail fast when SecurityManager lacks TCP_KEEPIDLE/TCP_KEEPINTERVAL/TCP_KEEPCOUNT permissions. May 26, 2026
joviegas
joviegas commented May 27, 2026
View reviewed changes
Comment thread ...ents/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/Apache5HttpClient.java
}

try {
Class<?> permClass = ClassLoaderHelper.loadClass("jdk.net.NetworkPermission", Apache5HttpClient.class);
Copy link
Copy Markdown
Contributor Author

@joviegas joviegas May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that NetworkPermission is marked for forRemoval in Java 25 thus loading it from ClassLoaderHelper to prevent ClassNotFoundException for future Java versions.
https://docs.oracle.com/en/java/javase/26/docs/api/jdk.net/jdk/net/NetworkPermission.html

@joviegas joviegas force-pushed the joviegas/handle_apache_for_security_manager branch from b696460 to 697b152 Compare May 27, 2026 14:41
@dagnir
Copy link
Copy Markdown
Contributor

dagnir commented May 27, 2026

Not a blocker, but can we add a test that uses a security manager with expected permissions enabled + makes an API call so we can catch any instances where more permissions have to be granted, for example in a new Apache 5.x minor version.

@joviegas
Copy link
Copy Markdown
Contributor Author

joviegas commented May 27, 2026

Not a blocker, but can we add a test that uses a security manager with expected permissions enabled + makes an API call so we can catch any instances where more permissions have to be granted, for example in a new Apache 5.x minor version.

Good call out.
Added SdkHttpClientSecurityManagerTestSuite which does SecurityManager test for both Apache4 and Apache5. The only difference in the permission between these two clients are for TCP_KEEPIDLE/TCP_KEEPINTERVAL/TCP_KEEPCOUNT .

@joviegas joviegas added the api-surface-area-approved-by-team Indicate API surface area introduced by this PR has been approved by team label May 27, 2026
RanVaknin
RanVaknin approved these changes May 28, 2026
View reviewed changes
Comment thread ...ents/apache5-client/src/main/java/software/amazon/awssdk/http/apache5/Apache5HttpClient.java Outdated
try {
Class<?> permClass = ClassLoaderHelper.loadClass("jdk.net.NetworkPermission", Apache5HttpClient.class);
for (String permName : REQUIRED_TCP_SOCKET_OPTION_PERMISSIONS) {
java.security.Permission perm =
Copy link
Copy Markdown
Collaborator

@RanVaknin RanVaknin May 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: do we need the fully qualified import right here in the body of class? Can we use a top level import instead?

Copy link
Copy Markdown
Contributor Author

@joviegas joviegas May 28, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@joviegas joviegas enabled auto-merge May 28, 2026 17:02
@joviegas joviegas added this pull request to the merge queue May 28, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to Branch Protection failures May 28, 2026
You're not authorized to push to this branch. Visit "About protected branches" for more information.
@joviegas joviegas enabled auto-merge May 28, 2026 19:51
@joviegas joviegas disabled auto-merge May 29, 2026 15:38
@joviegas joviegas added this pull request to the merge queue May 29, 2026
Merged via the queue into master with commit e00b85e May 29, 2026
12 of 13 checks passed
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 29, 2026

This pull request has been closed and the conversation has been locked. Comments on closed PRs are hard for our team to see. If you need more assistance, please open a new issue that references this one.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 29, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@dagnir dagnir dagnir approved these changes

@RanVaknin RanVaknin RanVaknin approved these changes

Assignees

No one assigned

Labels

api-surface-area-approved-by-team Indicate API surface area introduced by this PR has been approved by team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@joviegas @dagnir @RanVaknin