JBoss Enterprise Application Platform
JBEAP-10878

get method of ModuleClassLoaderLocator requires createClassLoader permission


Details

    • Bug
    • Resolution: Done
    • Critical
    • 7.1.0.ER2
    • 7.1.0.DR17
    • Security
    • None
    Steps to Reproduce

      It can be reproduced with the following test:
      1) Create properties files for authentication. /PATH/TO/users.properties:

      jduke=password
      

      /PATH/TO/roles.properties:

      jduke=Admin
      

      2) Run an LDAP server on port 10389 with the following LDIF:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      employeeNumber: 123456789
      userPassword: Password1
      

      3) Configure the following security domain in the AS:

      <security-domain name="LdapAttributeMappingProviderBasic">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="rolesProperties" value="/PATH/TO/roles.properties"/>
                  <module-option name="usersProperties" value="/PATH/TO/users.properties"/>
              </login-module>
          </authentication>
          <mapping>
              <mapping-module code="LdapAttributes" type="attribute">
                  <module-option name="bindDN" value="uid=admin,ou=system"/>
                  <module-option name="bindCredential" value="secret"/>
                  <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
                  <module-option name="attributeList" value="sn,employeenumber,description"/>
                  <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
                  <module-option name="baseFilter" value="uid={0}"/>
              </mapping-module>
          </mapping>
      </security-domain>
      

      4) Start the application server with the security manager enabled

      5) Deploy the testing application (see attachment)

      6) Access http://127.0.0.1:8080/jbeap10878/protected/LdapAttributeMappingProviderServlet?securityDomain=LdapAttributeMappingProviderBasic with user jduke and password password -> an exception is thrown

      7) Add the permission to META-INF/permissions.xml in the testing deployment and access the application again


    Description

      A doPrivileged block is missing in ModuleClassLoaderLocator. The fix for JBEAP-6559 in ModuleClassLoaderLocator introduces a new CombinedClassLoader inner class which extends SecureClassLoader. Initialization of this class requires the createClassLoader RuntimePermission.

      That means:

      • Every deployment that uses an API which internally uses ModuleClassLoaderLocator needs the createClassLoader RuntimePermission (this is new in EAP 7.1; the same deployments in EAP 7.0 do not need this permission)
        • e.g. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
      • granting the createClassLoader RuntimePermission to a deployment can be dangerous, and the locator should probably use its own permission instead
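
      The fix pattern the description asks for, as an added illustration that is not the project's code: under a security manager the ClassLoader constructor calls SecurityManager.checkCreateClassLoader(), which requires RuntimePermission("createClassLoader") from every protection domain on the call stack, including the deployment that called the mapping API. Wrapping the constructor call in AccessController.doPrivileged ends the stack walk at the library's own frame, so only the library's protection domain (assumed here to be granted that permission by the server policy) needs it, and the deployment does not. The names PrivilegedLoaderFactory, CombinedClassLoader and get(...) below are hypothetical stand-ins for the real ModuleClassLoaderLocator and its inner class.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.SecureClassLoader;

// Hypothetical sketch of the doPrivileged pattern; not the EAP source.
public final class PrivilegedLoaderFactory {

    private PrivilegedLoaderFactory() {
    }

    /** Stand-in for the CombinedClassLoader inner class described in the issue. */
    static final class CombinedClassLoader extends SecureClassLoader {
        private final ClassLoader[] delegates;

        CombinedClassLoader(ClassLoader[] delegates) {
            // The ClassLoader/SecureClassLoader constructor is where
            // SecurityManager.checkCreateClassLoader() is invoked.
            super(delegates.length > 0 ? delegates[0] : null);
            this.delegates = delegates.clone();
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            // Try each delegate loader in order; fall through to the next on a miss.
            for (ClassLoader cl : delegates) {
                try {
                    return cl.loadClass(name);
                } catch (ClassNotFoundException ignored) {
                    // not found in this delegate, try the next one
                }
            }
            throw new ClassNotFoundException(name);
        }
    }

    /**
     * Builds the combined loader inside a privileged block. With a security manager
     * installed, the createClassLoader check now stops at this class's protection
     * domain instead of reaching the calling deployment's (unprivileged) frames.
     */
    public static ClassLoader get(final ClassLoader... delegates) {
        if (System.getSecurityManager() == null) {
            // No security manager: no permission check, no need for doPrivileged.
            return new CombinedClassLoader(delegates);
        }
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            @Override
            public ClassLoader run() {
                return new CombinedClassLoader(delegates);
            }
        });
    }
}
```

      The workaround from step 7 of the reproducer, granting java.lang.RuntimePermission "createClassLoader" to the deployment in META-INF/permissions.xml, also makes the call succeed, but it hands the whole deployment a privilege far broader than the attribute-mapping lookup needs, which is the risk the description points out. Confining the privileged section to the library keeps the permission where the class loader is actually created; a dedicated, narrower permission as the description suggests would tighten this further.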

    People

      rhn-engineering-lgao Lin Gao
      olukas Ondrej Lukas (Inactive)

    Time Tracking

      Original Estimate: 1 day
      Remaining Estimate: 1 day
      Time Spent: Not Specified