Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1558

WildFlyElytronProvider is not initialized with appropriate privileges

    Details

    • Steps to Reproduce:
      Hide
      cd testsuite/integration/multinode
      mvn install -Dtest=TransactionPropagationTestCase -Dsecurity.manager
      
      Show
      cd testsuite/integration/multinode mvn install -Dtest=TransactionPropagationTestCase -Dsecurity.manager

      Description

      Initialization of the Elytron provider from the authentication client configuration is not privileged, resulting in exception traces like this one:

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/client-txt-propag-async.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.client-txt-propag-async.jar" from Service Module Loader")
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
              at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
              at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
              at java.security.Provider.check(Provider.java:658)
              at java.security.Provider.putService(Provider.java:1120)
              at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
              at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
              at org.wildfly.security.auth.client.AuthenticationConfiguration.lambda$static$0(AuthenticationConfiguration.java:169)
              at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
              at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
              at org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory.createSaslClient(SecurityProviderSaslClientFactory.java:85)
              at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
              at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
              at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
              at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
              at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
              at org.wildfly.security.sasl.util.PropertiesSaslClientFactory.createSaslClient(PropertiesSaslClientFactory.java:54)
              at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
              at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
              at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
              at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
              at org.wildfly.security.sasl.util.FilterMechanismSaslClientFactory.createSaslClient(FilterMechanismSaslClientFactory.java:102)
              at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
              at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory.createSaslClient(LocalPrincipalSaslClientFactory.java:76)
              at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.lambda$createSaslClient$0(PrivilegedSaslClientFactory.java:64)
              at java.security.AccessController.doPrivileged(Native Method)
              at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.createSaslClient(PrivilegedSaslClientFactory.java:64)
              at org.wildfly.security.auth.client.AuthenticationConfiguration.createSaslClient(AuthenticationConfiguration.java:1348)
              at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.createSaslClient(AuthenticationContextConfigurationClient.java:395)
              ...
      

      Note that the doPrivileged in this stack trace is deceptive in that it is simply re-establishing the caller permission by way of PrivilegedSaslClientFactory.

      The fix is probably to put the provider-creating lambda in AuthenticationConfiguration inside a privileged block.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  honza889 Jan Kalina
                  Reporter:
                  dmlloyd David Lloyd
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: