Arquillian / ARQ-2204

wildfly security manager jboss modules permissions setup


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • None
    • 1.4.0.Final
    • core
    • None

      Running Env
      Fedora 28
      Apache Maven 3.3.9
      Java version: 11.0.2, vendor: Oracle Corporation
      Resteasy: 4.1.0-SNAPSHOT
      wfly: wildfly-17.0.0.Beta1-SNAPSHOT

      Steps to set up the run env.

      • Use branch: https://github.com/rsearls/Resteasy/tree/xRESTEASY-2179-tests-failing-security-manager
      • Build resteasy ( mvn clean install -DskipTests ) because zip,
        Resteasy/jboss-modules/target/resteasy-jboss-modules-4.1.0-SNAPSHOT.zip is needed for wfly.
      • In your wfly build, cd into wildfly-17.0.0.Beta1-SNAPSHOT/modules/system/layers/base and
        unzip Resteasy/jboss-modules/target/resteasy-jboss-modules-4.1.0-SNAPSHOT.zip
        Allow the zip to overwrite all existing files.
      • Go back to the Resteasy project root directory. Pick one of the tests listed below and run
        with this command.
        mvn verify -fn -Dcheckstyle.skip \
        -DfailIfNoTests=false \
        -Dsecurity.manager \
        -Dtest=org.jboss.resteasy.test.asynch.AsyncPostProcessingTest \
        -Dserver.home=/home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT
      • Removing ( -Dsecurity.manager \ ) will run the test without the security manager.
        The test will run successfully in this case.

      – Debugging test.

      • From the Resteasy project root directory unzip file xJira-sm-debug-flag.zip. This file
        allows you to attach your debugger on port 8787.
      • Set a breakpoint in org.jboss.resteasy.test.asynch.AsyncPostProcessingTest
        line 78 client = (ResteasyClient)ClientBuilder.newClient();
      • Execute the command
        mvn verify -fn -Dcheckstyle.skip \
        -DfailIfNoTests=false \
        -Dsecurity.manager \
        -Dtest=org.jboss.resteasy.test.asynch.AsyncPostProcessingTest \
        -Dserver.home=/home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT
      • Once you hit the breakpoint in AsyncPostProcessingTest set these breakpoints.
      • javax.ws.rs.client.ClientBuilder
        line 96 FactoryFinder.find(JAXRS_DEFAULT_CLIENT_BUILDER_PROPERTY,
        JAXRS_DEFAULT_CLIENT_BUILDER, ClientBuilder.class);
      • java.util.ServiceLoader
        line 1205 pending = parse(configs.nextElement());
      • org.wildfly.security.manager.WildFlySecurityManager
        line 290 stack = getProtectionDomainStack(context);
      • Continue running the test.
      • When you stop at line 1205 in ServiceLoader, check the value of configs. It will be
        jar:file:/home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules/system/layers/base/org/jboss/resteasy/resteasy-jaxrs/main/resteasy-client-4.1.0-SNAPSHOT.jar!/META-INF/services/javax.ws.rs.client.ClientBuilder
      • When you stop at line 290 in WildFlySecurityManager and step next, you will see stack is
        an array of size 10. These are the active ProtectionDomains.
        resteasy-client-4.1.0-SNAPSHOT.jar is not in this list, hence the test fails.

      – partial list of failing tests
      org.jboss.resteasy.test.asynch.AsyncPostProcessingTest
      org.jboss.resteasy.test.asynch.AsynchBasicTest
      org.jboss.resteasy.test.asynch.JaxrsAsyncServletTest
      org.jboss.resteasy.test.cdi.basic.EJBTest
      org.jboss.resteasy.test.cdi.extensions.ScopeExtensionTest
      org.jboss.resteasy.test.cdi.injection.ReverseInjectionTest
      org.jboss.resteasy.test.client.AbortMessageTest
      org.jboss.resteasy.test.client.ClientBuilderTest
      org.jboss.resteasy.test.client.ClientCacheTest
      org.jboss.resteasy.test.core.interceptors.CorsFiltersTest
      org.jboss.resteasy.test.core.spi.ResourceClassProcessorNotAppliedTest
      org.jboss.resteasy.test.core.spi.ResourceClassProcessorPriorityTest
      org.jboss.resteasy.test.exception.ClosedResponseHandlingTest
      org.jboss.resteasy.test.interceptor.ClientRequestFilterRegistrationTest
      org.jboss.resteasy.test.providers.jackson2.PreferJacksonOverJsonBClientTest
      org.jboss.resteasy.test.response.AnotherPublisherResponseNoStreamTest
      org.jboss.resteasy.test.validation.ValidationComplexTest

      Arquillian is not registering all the security permissions required to run resteasy tests on wildfly with
      the security manager enabled.

      There are 24+ Resteasy testsuite tests failing when run with the security manager.
      These tests are running in the container (i.e. using the @RunWith(Arquillian.class) annotation.
      The @RunAsClient is not being used.)

      The exception thrown is,

      Caused by: java.lang.ClassNotFoundException: org.glassfish.jersey.client.JerseyClientBuilder from
      [Module "javax.ws.rs.api" version 1.0.2.Final from local module loader @4b3ed2f0
      (finder: local module finder @4fad9bb2
      (roots: /home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules,/home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules/system/layers/base,/home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules/system/add-ons/spring))]
      at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
      at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
      at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
      at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
      at java.base/java.lang.Class.forName0(Native Method)
      at java.base/java.lang.Class.forName(Class.java:315)
      at javax.ws.rs.api@1.0.2.Final//javax.ws.rs.client.FactoryFinder.newInstance(FactoryFinder.java:119)
      at javax.ws.rs.api@1.0.2.Final//javax.ws.rs.client.FactoryFinder.find(FactoryFinder.java:226)
      at javax.ws.rs.api@1.0.2.Final//javax.ws.rs.client.ClientBuilder.newBuilder(ClientBuilder.java:96)

      This is due to a missing ProtectionDomain with ("<all permissions>" "<all actions>") for
      /home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules/system/layers/base/org/jboss/resteasy/resteasy-jaxrs/main/resteasy-client-4.1.0-SNAPSHOT.jar

      When wildfly starts up (with or without the security manager) it registers a ProtectionDomain with ("<all permissions>"
      "<all actions>") for each jar in the wildfly-17.0.0.Beta1-SNAPSHOT/modules/system. These ProtectionDomains are active when the Resteasy container runs. When Arquillian runs only 10 ProtectionDomains are defined (see attachment List-10-ProtectionDomains.txt). This appears to be the cause of the problem.

      A full stacktrace is provided in the attachments.
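
      The check made by hand in the debugger above can also be scripted. The following is an added example, not code from this issue or from Arquillian, WildFly or Resteasy: for a service name it lists each visible META-INF/services file, the jar each named provider class was loaded from, and whether that jar's ProtectionDomain implies AllPermission. The class name ProviderDomainCheck is hypothetical; call check(...) from inside the deployment to see what the in-container test sees.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.Enumeration;

/** Added diagnostic (hypothetical name): which jar supplies a provider, and with what permissions. */
public class ProviderDomainCheck {

    /** Describe the ProtectionDomain a class was defined with. */
    static String describe(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();   // null for JDK bootstrap classes
        Object where = (cs == null || cs.getLocation() == null) ? "<no code source>" : cs.getLocation();
        // implies() consults the domain's static permissions and, where applicable, the Policy
        return c.getName() + " from " + where + " allPermissions=" + pd.implies(new AllPermission());
    }

    /** Read every META-INF/services/<service> file the loader can see and describe each provider. */
    static void check(String service, ClassLoader loader) throws Exception {
        Enumeration<URL> configs = loader.getResources("META-INF/services/" + service);
        if (!configs.hasMoreElements()) {
            System.out.println("no provider-configuration file visible for " + service);
        }
        while (configs.hasMoreElements()) {
            URL config = configs.nextElement();
            System.out.println("config: " + config);
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(config.openStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = r.readLine()) != null) {
                    int hash = line.indexOf('#');   // '#' starts a comment in these files
                    String name = (hash >= 0 ? line.substring(0, hash) : line).trim();
                    if (name.isEmpty()) continue;
                    try {   // load without initializing; report denial instead of failing
                        System.out.println("  " + describe(Class.forName(name, false, loader)));
                    } catch (ClassNotFoundException | SecurityException e) {
                        System.out.println("  " + name + " -> " + e);
                    }
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String service = args.length > 0 ? args[0] : "javax.ws.rs.client.ClientBuilder";
        check(service, Thread.currentThread().getContextClassLoader());
    }
}
```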

        1. List-10-ProtectionDomains.txt
          30 kB
          r searls
        2. xFull-stacktrace.txt
          19 kB
          r searls

              aslak@redhat.com Aslak Knutsen
              rsearls r searls