search

quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0
13.77k stars 2.68k forks source link

Enhance Security Guide #42978

Open zakkak opened 2 months ago

zakkak commented 2 months ago

Description

As pointed out by @galderz in https://github.com/quarkusio/quarkus/issues/35906

The Security Guide needs to be updated to make it clear that:

  1. Quarkus does not support running with a SecurityManager.
  2. Acknowledge that Quarkus uses a custom classloader in all test, dev and production modes, and this classloader ignores the certificates inside jar files.

Implementation ideas

No response

quarkus-bot[bot] commented 2 months ago

/cc @sberyozkin (security)

sberyozkin commented 2 months ago

Hi @zakkak @galderz

Acknowledge that Quarkus uses a custom classloader in all test, dev and production modes, and this classloader ignores the certificates inside jar files.

Is it relevant for the native build only or do we want to say that in general, Quarkus does not validate signed jar's signatures because it does not check certificates ?

galderz commented 1 month ago

@sberyozkin It's a general issue since it has to do with the classloader Quarkus uses in the majority of its configurations. See https://github.com/quarkusio/quarkus/blob/main/independent-projects/bootstrap/runner/src/main/java/io/quarkus/bootstrap/runner/JarResource.java#L51