Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 1.1.0.Beta37
Affects Version/s: None
Component/s: None
Labels:
None

Steps to Reproduce:
Hide

start the server with security manager bin/standalone.sh -secmgr

reconfigure it to use Elytron Domain with FileSystemSecurityRealm

bin/jboss-cli.sh -c <<EOT /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication) /subsystem=elytron/filesystem-realm=ApplicationFsRealm:add(path=application-users,relative-to=jboss.server.config.dir) /subsystem=elytron/security-domain=ApplicationDomain:list-add(name=realms, index=0, value={realm=ApplicationFsRealm, role-decoder=groups-to-roles}) /subsystem=elytron/security-domain=ApplicationDomain:write-attribute(name=default-realm, value=ApplicationFsRealm) /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:add() /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:set-password(clear={password="guest"}) /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:add-attribute(name=groups, value=["guest"]) reload EOT

deploy attached test application

open URL http://localhost:8080/elytron-authenticate/ in brower

Expected result similar to:

SecurityIdentity=org.wildfly.security.auth.server.SecurityIdentity@45671668

Current Result

java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/path/to/server/standalone/configuration/application-users/g/u/guest.xml" "read")" in code source "(vfs:/content/elytron-authenticate.war/ <no signer certificates>)" of "org.apache.jasper.servlet.JasperLoader@71c47b5a")
Show
start the server with security manager bin/standalone.sh -secmgr reconfigure it to use Elytron Domain with FileSystemSecurityRealm bin/jboss-cli.sh -c <<EOT /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication) /subsystem=elytron/filesystem-realm=ApplicationFsRealm:add(path=application-users,relative-to=jboss.server.config.dir) /subsystem=elytron/security-domain=ApplicationDomain:list-add(name=realms, index=0, value={realm=ApplicationFsRealm, role-decoder=groups-to-roles}) /subsystem=elytron/security-domain=ApplicationDomain:write-attribute(name= default -realm, value=ApplicationFsRealm) /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:add() /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:set-password(clear={password= "guest" }) /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:add-attribute(name=groups, value=[ "guest" ]) reload EOT deploy attached test application open URL http://localhost:8080/elytron-authenticate/ in brower Expected result similar to: SecurityIdentity=org.wildfly.security.auth.server.SecurityIdentity@45671668 Current Result java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/path/to/server/standalone/configuration/application-users/g/u/guest.xml" "read")" in code source "(vfs:/content/elytron-authenticate.war/ <no signer certificates>)" of "org.apache.jasper.servlet.JasperLoader@71c47b5a")
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/763

Description

Calling Elytron SecurityDomain.authenticate() method results in AccessControlException (missing FilePermission) when Elytron FileSystemSecurityRealm is used for the domain and server runs with security manager enabled.

This file permission check must not be propagated to the calling user. The only permissions required for him/her should be the ElytronPermission ones.

Attachments

Issue Links

clones

JBEAP-10116 Missing privileged section in Elytron FileSystemRealm

Verified

Activity

People

Assignee:: Jan Kalina (Inactive)

Reporter:: Josef Cacek (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2017/04/04 4:54 AM

Updated:: 2017/04/18 5:43 AM

Resolved:: 2017/04/18 5:18 AM