Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.1.0.DR18
Affects Version/s: None
Component/s: Undertow
Labels:
None

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

If Security Manager is enforced and a Servlet invokes request.getSession(false).invalidate(), it fails due to insufficient permissions as follows:

15:04:55,001 ERROR [io.undertow.request] (default task-4) UT005023: Exception handling request to /form-auth/Logout: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "io.undertow.servlet.GET_CURRENT_REQUEST")" in code source "(vfs:/content/form-auth.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.form-auth.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
	at io.undertow.servlet.handlers.ServletRequestContext.current(ServletRequestContext.java:92)
	at org.wildfly.extension.undertow.deployment.LogoutSessionListener.sessionDestroyed(LogoutSessionListener.java:66)
	at io.undertow.servlet.core.ApplicationListeners.sessionDestroyed(ApplicationListeners.java:315)
	at io.undertow.servlet.core.SessionListenerBridge.doDestroy(SessionListenerBridge.java:98)
	at io.undertow.servlet.core.SessionListenerBridge.sessionDestroyed(SessionListenerBridge.java:78)
	at io.undertow.server.session.SessionListeners.sessionDestroyed(SessionListeners.java:61)
	at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:551)
	at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529)
	at io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198)
	at org.jboss.as.test.integration.web.formauth.LogoutServlet.processRequest(LogoutServlet.java:45)
	at org.jboss.as.test.integration.web.formauth.LogoutServlet.doGet(LogoutServlet.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)

The io.undertow.servlet.spec.HttpSessionImpl.invalidate() method requires RuntimePermission("io.undertow.servlet.GET_CURRENT_REQUEST") and also RuntimePermission("io.undertow.servlet.spec.UNWRAP_HTTP_SESSION"), see
https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/deployment/LogoutSessionListener.java#L66
https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/deployment/LogoutSessionListener.java#L81

From the stacktrace above, I would opt for adding a privileged block into io.undertow.servlet.core.SessionListenerBridge#doDestroy(Session) as that's a private method. That's the reason why I filed Undertow issue for this.

clones

WFLY-8648 HttpSession.invalidate() requires additional permissions if Security Manager is enabled

Closed

is cloned by

JBEAP-12838 [SET](7.0.z) HttpSession.invalidate() requires additional permissions if Security Manager is enabled

Closed

is related to

JBEAP-1564 [GSS](7.1.0) The flushOnSessionInvalidation is not parsed correctly from jboss-web.xml

Verified

Assignee:: Stuart Douglas (Inactive)

Reporter:: Ivo Studensky

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2017/04/26 5:31 PM

Updated:: 2024/09/02 3:51 PM

Resolved:: 2017/04/28 6:06 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates