JBoss Enterprise Application Platform
JBEAP-10116

Missing privileged section in Elytron FileSystemRealm


    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.1.0.DR17
    • 7.1.0.DR15
    • Security
    • Steps to Reproduce:
      • start the server with security manager bin/standalone.sh -secmgr
      • reconfigure it to use Elytron Domain with FileSystemSecurityRealm
        bin/jboss-cli.sh -c <<EOT
        /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication)
        /subsystem=elytron/filesystem-realm=ApplicationFsRealm:add(path=application-users,relative-to=jboss.server.config.dir)
        /subsystem=elytron/security-domain=ApplicationDomain:list-add(name=realms, index=0, value={realm=ApplicationFsRealm, role-decoder=groups-to-roles})
        /subsystem=elytron/security-domain=ApplicationDomain:write-attribute(name=default-realm, value=ApplicationFsRealm)
        /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:add()
        /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:set-password(clear={password="guest"})
        /subsystem=elytron/filesystem-realm=ApplicationFsRealm/identity=guest:add-attribute(name=groups, value=["guest"])
        reload
        EOT
        
      • deploy attached test application
      • open URL http://localhost:8080/elytron-authenticate/ in a browser

      Expected result similar to:

      SecurityIdentity=org.wildfly.security.auth.server.SecurityIdentity@45671668
      

      Current result:

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/path/to/server/standalone/configuration/application-users/g/u/guest.xml" "read")" in code source "(vfs:/content/elytron-authenticate.war/ <no signer certificates>)" of "org.apache.jasper.servlet.JasperLoader@71c47b5a")
      

      Calling the Elytron SecurityDomain.authenticate() method results in an AccessControlException (missing FilePermission) when an Elytron FileSystemSecurityRealm is used for the domain and the server runs with the security manager enabled.

      This file permission check must not be propagated to the calling code. Reading the identity file belongs to the realm, which should do it in a privileged section, so the only permissions the caller needs are the ElytronPermission ones.
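The failure mode in the description, worked through in an added Java example that is not part of this issue or of Elytron's code base. The FileRealm class, its loadIdentity method and the callAsUnprivilegedApp helper are hypothetical stand-ins: the realm reads a constructed guest.xml from a temporary directory, and the deployed application's code source (which holds no FilePermission) is simulated with an AccessControlContext built from a ProtectionDomain that carries no permissions. Without a privileged section the FilePermission check walks the stack into that context and fails; with the read wrapped in AccessController.doPrivileged the walk stops at the realm's frame and only the realm's own domain is consulted.

```java
// Added example (not Elytron's code): why a security realm that reads identity
// files must wrap the read in a privileged section when a SecurityManager is on.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

public class PrivilegedRealmDemo {

    /** Hypothetical realm: looks up an identity by reading <root>/<name>.xml. */
    static final class FileRealm {
        private final Path root;
        private final boolean usePrivilegedSection;

        FileRealm(Path root, boolean usePrivilegedSection) {
            this.root = root;
            this.usePrivilegedSection = usePrivilegedSection;
        }

        String loadIdentity(String name) throws IOException {
            Path file = root.resolve(name + ".xml");
            if (!usePrivilegedSection) {
                // Bug pattern from the report: the FilePermission check walks the
                // whole call stack, so the caller's domain is consulted and fails.
                return new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
            }
            // Fix pattern: the stack walk stops at this frame, so only the realm's
            // own code source needs the FilePermission; the caller is not consulted.
            try {
                return AccessController.doPrivileged((PrivilegedExceptionAction<String>) () ->
                        new String(Files.readAllBytes(file), StandardCharsets.UTF_8));
            } catch (PrivilegedActionException e) {
                throw (IOException) e.getException();
            }
        }
    }

    /** Runs the lookup as if called from a domain with no permissions (the app). */
    static String callAsUnprivilegedApp(FileRealm realm, String name) throws IOException {
        ProtectionDomain noPermissions = new ProtectionDomain(null, new Permissions());
        AccessControlContext appContext =
                new AccessControlContext(new ProtectionDomain[] { noPermissions });
        try {
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<String>) () -> realm.loadIdentity(name), appContext);
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample identity file; written before the manager is installed.
        Path root = Files.createTempDirectory("realm-users");
        Path guest = root.resolve("guest.xml");
        Files.write(guest, "<identity name=\"guest\"/>".getBytes(StandardCharsets.UTF_8));

        // The demo's own domain is granted everything; the simulated app domain above
        // is static and holds nothing, so the Policy is never consulted for it.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain pd, Permission p) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        for (boolean privileged : new boolean[] { false, true }) {
            FileRealm realm = new FileRealm(root, privileged);
            try {
                String xml = callAsUnprivilegedApp(realm, "guest");
                System.out.println("privileged=" + privileged + " -> loaded: " + xml);
            } catch (AccessControlException e) {
                System.out.println("privileged=" + privileged + " -> " + e.getMessage());
            }
        }
        Files.delete(guest);
        Files.delete(root);
    }
}
```

Compile and run with a plain `javac PrivilegedRealmDemo.java && java PrivilegedRealmDemo` on JDK 8 through 17; the first iteration prints the AccessControlException for the FilePermission, the second prints the loaded identity. On JDK 18 and later the security manager is disabled by default and must be re-enabled with `-Djava.security.manager=allow`, and it is deprecated for removal, so the pattern only matters on runtimes that still honour it.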

              Jan Kalina (jkalina@redhat.com)
              Josef Cacek (josef.cacek@gmail.com)
              Votes: 0
              Watchers: 4
