Details
-
Bug
-
Resolution: Duplicate
-
Major
-
None
Description
Initialization of the Elytron provider from the authentication client configuration is not privileged, resulting in exception traces like this one:
java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/client-txt-propag-async.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.client-txt-propag-async.jar" from Service Module Loader")
at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
at java.security.Provider.check(Provider.java:658)
at java.security.Provider.putService(Provider.java:1120)
at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
at org.wildfly.security.auth.client.AuthenticationConfiguration.lambda$static$0(AuthenticationConfiguration.java:169)
at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
at org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory.createSaslClient(SecurityProviderSaslClientFactory.java:85)
at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
at org.wildfly.security.sasl.util.PropertiesSaslClientFactory.createSaslClient(PropertiesSaslClientFactory.java:54)
at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
at org.wildfly.security.sasl.util.FilterMechanismSaslClientFactory.createSaslClient(FilterMechanismSaslClientFactory.java:102)
at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory.createSaslClient(LocalPrincipalSaslClientFactory.java:76)
at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.lambda$createSaslClient$0(PrivilegedSaslClientFactory.java:64)
at java.security.AccessController.doPrivileged(Native Method)
at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.createSaslClient(PrivilegedSaslClientFactory.java:64)
at org.wildfly.security.auth.client.AuthenticationConfiguration.createSaslClient(AuthenticationConfiguration.java:1348)
at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.createSaslClient(AuthenticationContextConfigurationClient.java:395)
...
Note that the doPrivileged in this stack trace is deceptive in that it is simply re-establishing the caller permission by way of PrivilegedSaslClientFactory.
The fix is probably to put the provider-creating lambda in AuthenticationConfiguration inside a privileged block.
Attachments
Issue Links
- causes
-
-
- Closed
-
- duplicates
-
-
- Resolved
-
