Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12913

Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier

    Details

      Description

      When application server is running with Security Manager then using Elytron API (ElytronXmlParser.parseAuthenticationClientConfiguration()) from deployment leads to AccessControlException. The ServiceLoaderSupplier incorrectly uses doPrivileged, so the FilePermission check during accessing Elytron JAR fails.

      Workaround could be adding this FilePermission to each such deployment, but this is neither safe nor practical as the JAR name and location can change (e.g. version upgrade with patches applied).

      It seems the problem is caused by passing AccessControlContext as second parameter of doPrivileged method [1]. ServiceLoaderSupplier does not require this permission when second paramater is removed from doPrivileged method. This privileged block has been added as fix of JBEAP-12111 - doPrivileged call has been added into org.wildfly.security.util.ServiceLoaderSupplier.

      For example this is stacktrace for calling ElytronXmlParser.parseAuthenticationClientConfiguration method from Servlet in war application:

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/user/jboss-eap-7.1/modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-1.1.1.Final-redhat-1.jar" "read")" in code source "(vfs:/content/wildfly-config-xml-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.wildfly-config-xml-dep.war" from Service Module Loader")
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
              at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
              at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:350)
              at sun.net.www.protocol.jar.JarFileFactory.getCachedJarFile(JarFileFactory.java:137)
              at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:81)
              at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
              at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
              at java.net.URL.openStream(URL.java:1038)
              at java.util.ServiceLoader.parse(ServiceLoader.java:304)
              at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
              at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
              at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
              at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
              at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
              at java.security.AccessController.doPrivileged(Native Method)
              at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
              at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
              at org.wildfly.security.util.ServiceLoaderSupplier.loadServices(ServiceLoaderSupplier.java:73)
              at org.wildfly.security.util.ServiceLoaderSupplier.lambda$get$0(ServiceLoaderSupplier.java:58)
              at java.security.AccessController.doPrivileged(Native Method)
              at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:58)
              at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:39)
              at org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier.get(ElytronXmlParser.java:2433)
              at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:115)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseClearPassword$40(ElytronXmlParser.java:2001)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$27(ElytronXmlParser.java:918)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$33(ElytronXmlParser.java:953)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$18(ElytronXmlParser.java:691)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$22(ElytronXmlParser.java:739)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationRuleType$7(ElytronXmlParser.java:575)
              at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$8(ElytronXmlParser.java:599)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:299)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:176)
              at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:137)
          ...
      

      [1] https://github.com/wildfly-security/wildfly-elytron/blob/8c033958d78fcb1c4756a7d6c878855b0c099bbe/src/main/java/org/wildfly/security/util/ServiceLoaderSupplier.java#L58

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  honza889 Jan Kalina
                  Reporter:
                  olukas Ondrej Lukas
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: