JBoss Enterprise Application Platform - JBEAP-10569

HttpSession.invalidate() requires additional permissions if Security Manager is enabled

Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 7.1.0.DR18
    • Component: Undertow

    Description

      If Security Manager is enforced and a Servlet invokes request.getSession(false).invalidate(), it fails due to insufficient permissions as follows:

      15:04:55,001 ERROR [io.undertow.request] (default task-4) UT005023: Exception handling request to /form-auth/Logout: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "io.undertow.servlet.GET_CURRENT_REQUEST")" in code source "(vfs:/content/form-auth.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.form-auth.war" from Service Module Loader")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
      	at io.undertow.servlet.handlers.ServletRequestContext.current(ServletRequestContext.java:92)
      	at org.wildfly.extension.undertow.deployment.LogoutSessionListener.sessionDestroyed(LogoutSessionListener.java:66)
      	at io.undertow.servlet.core.ApplicationListeners.sessionDestroyed(ApplicationListeners.java:315)
      	at io.undertow.servlet.core.SessionListenerBridge.doDestroy(SessionListenerBridge.java:98)
      	at io.undertow.servlet.core.SessionListenerBridge.sessionDestroyed(SessionListenerBridge.java:78)
      	at io.undertow.server.session.SessionListeners.sessionDestroyed(SessionListeners.java:61)
      	at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:551)
      	at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529)
      	at io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198)
      	at org.jboss.as.test.integration.web.formauth.LogoutServlet.processRequest(LogoutServlet.java:45)
      	at org.jboss.as.test.integration.web.formauth.LogoutServlet.doGet(LogoutServlet.java:51)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      

      The io.undertow.servlet.spec.HttpSessionImpl.invalidate() method requires RuntimePermission("io.undertow.servlet.GET_CURRENT_REQUEST") and also RuntimePermission("io.undertow.servlet.spec.UNWRAP_HTTP_SESSION"), see
      https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/deployment/LogoutSessionListener.java#L66
      https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/deployment/LogoutSessionListener.java#L81

      From the stacktrace above, I would opt for adding a privileged block into io.undertow.servlet.core.SessionListenerBridge#doDestroy(Session) as that's a private method. That's the reason why I filed an Undertow issue for this.
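      The mechanism behind the failure and the proposed fix, shown as an added illustration (not Undertow's or WildFly's own code): a Java security-manager permission check walks the entire call stack, so a check triggered inside the container's session listener also inspects the deployment's code source that called HttpSession.invalidate(). Wrapping the container-internal call in AccessController.doPrivileged() stops the stack walk at the trusted module. The SessionListener interface and ListenerBridge class below are hypothetical stand-ins for the real Undertow types.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical stand-in for the container's session listener (constructed for this example).
interface SessionListener {
    // In the real stack, this is where RuntimePermission
    // "io.undertow.servlet.GET_CURRENT_REQUEST" is checked.
    void sessionDestroyed(Object session);
}

// Hypothetical stand-in for the bridge between the servlet layer and the listeners.
final class ListenerBridge {
    private final SessionListener listener;

    ListenerBridge(SessionListener listener) {
        this.listener = listener;
    }

    // Before the fix: the permission check inside sessionDestroyed() sees every
    // frame on the stack, including the WAR's LogoutServlet that invoked
    // invalidate(). Because the deployment's code source is not granted the
    // RuntimePermission, the whole check fails with AccessControlException.
    void doDestroyWithoutPrivilegedBlock(Object session) {
        listener.sessionDestroyed(session);
    }

    // After the fix: the container asserts its own privileges for exactly this
    // call. doPrivileged() truncates the stack walk at this frame, so only the
    // trusted server module's code source must hold the permission; the
    // deployment no longer needs it. The block is kept as narrow as possible
    // and returns nothing privileged to the caller.
    void doDestroy(Object session) {
        if (System.getSecurityManager() == null) {
            // No security manager: no check is performed, avoid the overhead.
            listener.sessionDestroyed(session);
            return;
        }
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            listener.sessionDestroyed(session);
            return null;
        });
    }
}
```

      Until a build carrying the container-side fix is deployed, the deployment itself can be granted the two RuntimePermission names quoted above in its META-INF/permissions.xml, at the cost of widening what application code may do.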

            People

              sdouglas1@redhat.com Stuart Douglas
              istudens@redhat.com Ivo Studensky