From e584b1540676d43aa9bf991075007a273a8e87d3 Mon Sep 17 00:00:00 2001
From: Ryan Liang <jiallian@amazon.com>
Date: Mon, 24 Jul 2023 15:33:37 -0700
Subject: [PATCH] Fix the getClassLoader runtime exception

Signed-off-by: Ryan Liang <jiallian@amazon.com>
---
 .../http/OnBehalfOfAuthenticator.java         | 23 +++++++++++++++----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
index dd1639c981..faf1097197 100644
--- a/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
+++ b/src/main/java/org/opensearch/security/http/OnBehalfOfAuthenticator.java
@@ -58,12 +58,25 @@ public OnBehalfOfAuthenticator(Settings settings) {
     }
 
     private JwtParser initParser(final String signingKey) {
-        JwtParser _jwtParser = keyUtil.keyAlgorithmCheck(signingKey, log);
-        if (_jwtParser != null) {
-            return _jwtParser;
-        } else {
-            throw new RuntimeException("Unable to find on behalf of authenticator signing key");
+        final SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            sm.checkPermission(new SpecialPermission());
         }
+
+        JwtParser _jwtParser = AccessController.doPrivileged(new PrivilegedAction<JwtParser>() {
+            @Override
+            public JwtParser run() {
+                JwtParser parser = keyUtil.keyAlgorithmCheck(signingKey, log);
+                if (parser != null) {
+                    return parser;
+                } else {
+                    throw new RuntimeException("Unable to find on behalf of authenticator signing key");
+                }
+            }
+        });
+
+        return _jwtParser;
     }
 
     private List<String> extractSecurityRolesFromClaims(Claims claims) {