JBoss Enterprise Application Platform: JBEAP-10878

get method of ModuleClassLoaderLocator requires createClassLoader permission

    Details

    • Type: Bug
    • Status: Verified
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 7.1.0.DR17
    • Fix Version/s: 7.1.0.ER2
    • Component/s: Security
    • Labels: None
    • Target Release:
    • Steps to Reproduce:

      It can be reproduced with the following test:

      1) Create properties files for authentication. /PATH/TO/users.properties:

      jduke=password

      /PATH/TO/roles.properties:

      jduke=Admin

      2) Run an LDAP server on port 10389 with the following LDIF:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People

      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      employeeNumber: 123456789
      userPassword: Password1

      3) Configure the following security domain in the application server:

      <security-domain name="LdapAttributeMappingProviderBasic">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="rolesProperties" value="/PATH/TO/roles.properties"/>
                  <module-option name="usersProperties" value="/PATH/TO/users.properties"/>
              </login-module>
          </authentication>
          <mapping>
              <mapping-module code="LdapAttributes" type="attribute">
                  <module-option name="bindDN" value="uid=admin,ou=system"/>
                  <module-option name="bindCredential" value="secret"/>
                  <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
                  <module-option name="attributeList" value="sn,employeenumber,description"/>
                  <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
                  <module-option name="baseFilter" value="uid={0}"/>
              </mapping-module>
          </mapping>
      </security-domain>

      4) Start the application server with the security manager enabled.

      5) Deploy the testing application (see attachment).

      6) Access http://127.0.0.1:8080/jbeap10878/protected/LdapAttributeMappingProviderServlet?securityDomain=LdapAttributeMappingProviderBasic with user jduke and password password -> an exception is thrown.

      7) Add the createClassLoader RuntimePermission to META-INF/permissions.xml in the testing deployment and access the application again.


      Description

      A doPrivileged block is missing in ModuleClassLoaderLocator. The fix for JBEAP-6559 introduced a new CombinedClassLoader inner class in ModuleClassLoaderLocator which extends SecureClassLoader. Instantiating this class requires the createClassLoader RuntimePermission.

      That means:

      • Every deployment that uses an API which internally relies on ModuleClassLoaderLocator needs the createClassLoader RuntimePermission (this requirement is new in EAP 7.1; the same deployments in EAP 7.0 do not need this permission)
        • For example, getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
      • Granting the createClassLoader RuntimePermission to a deployment can be dangerous; ModuleClassLoaderLocator should probably rely on its own permissions instead.
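      The mechanism behind the description, as an added example that is not JBoss EAP code: a SecureClassLoader subclass standing in for CombinedClassLoader is created twice on behalf of a simulated deployment that holds no permissions (a protection domain with an empty permission set, i.e. the situation before the permissions.xml change in step 7), once without and once inside an AccessController.doPrivileged block. The class names, the in-code Policy and the permission-less AccessControlContext are assumptions made for the demo; everything it calls is standard java.security API. It needs a JDK that still allows installing a SecurityManager at runtime (JDK 8 to 17; JDK 18+ needs -Djava.security.manager=allow).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

/**
 * Added demo, not EAP code. Shows why a SecureClassLoader created on behalf of a
 * deployment needs RuntimePermission("createClassLoader"), and how a doPrivileged
 * block in the library lets the library's own grant satisfy the check instead.
 */
public class CreateClassLoaderPermissionDemo {

    /** Hypothetical stand-in for the CombinedClassLoader inner class the issue describes. */
    static final class CombinedClassLoader extends SecureClassLoader {
        CombinedClassLoader(ClassLoader parent) {
            super(parent); // ClassLoader's constructor calls SecurityManager.checkCreateClassLoader()
        }
    }

    /** "Library" code as in the buggy version: no doPrivileged, so every domain on the stack is checked. */
    static ClassLoader locateWithoutDoPrivileged(ClassLoader parent) {
        return new CombinedClassLoader(parent);
    }

    /** "Library" code with the fix: the stack walk stops here, so only this class's domain is checked. */
    static ClassLoader locateWithDoPrivileged(ClassLoader parent) {
        return AccessController.doPrivileged(
                (PrivilegedAction<ClassLoader>) () -> new CombinedClassLoader(parent));
    }

    /**
     * Runs the action as a deployment that holds no permissions: an AccessControlContext
     * whose single ProtectionDomain has an empty permission set is placed on the stack,
     * like a deployment whose permissions.xml does not grant createClassLoader.
     */
    static boolean callableFromUnprivilegedDeployment(PrivilegedAction<ClassLoader> action) {
        ProtectionDomain noPermissions = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), new Permissions());
        AccessControlContext deploymentContext =
                new AccessControlContext(new ProtectionDomain[] { noPermissions });
        try {
            AccessController.doPrivileged(action, deploymentContext);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Grant the "library" (this class's own code source) everything, then enable the security manager.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        ClassLoader parent = CreateClassLoaderPermissionDemo.class.getClassLoader();

        // Buggy variant: the deployment's empty domain is still on the stack, so the check fails.
        boolean buggyOk = callableFromUnprivilegedDeployment(() -> locateWithoutDoPrivileged(parent));
        System.out.println("without doPrivileged: "
                + (buggyOk ? "class loader created" : "AccessControlException (createClassLoader denied)"));

        // Fixed variant: the library's doPrivileged stops the walk before the deployment's domain.
        boolean fixedOk = callableFromUnprivilegedDeployment(() -> locateWithDoPrivileged(parent));
        System.out.println("with doPrivileged:    "
                + (fixedOk ? "class loader created" : "AccessControlException (createClassLoader denied)"));
    }
}
```

      Compile with javac and run with java. The first call is denied because the simulated deployment's empty domain is on the stack when ClassLoader's constructor performs the createClassLoader check; the second succeeds because the walk stops at the library's doPrivileged frame and only the library's own grant (here the permissive Policy) is consulted. That is why the fix belongs in ModuleClassLoaderLocator rather than in every deployment's permissions.xml, and why the step 7 workaround hands the deployment a far broader permission than it needs.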

    People

    • Assignee: Lin Gao (gaol)
    • Reporter: Ondrej Lukas (olukas)
    • Votes: 0
    • Watchers: 3

    Time Tracking

    • Original Estimate: 1 day
    • Remaining Estimate: 1 day
    • Time Spent: Not Specified