Details
- Bug
- Resolution: Done
- Major
- 7.2.8.GA
Description
When the security manager is enabled and a Servlet tries to use the RequestDispatcher to forward to a jsp, it fails silently even when the security manager permission for the VFS directory is granted.
It looks like it may be running under the wrong security context when the security manager is invoked.
2020-04-16 14:46:55,390 DEBUG [io.undertow.request] (default task-1) Invalid path forward.jsp: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/jboss/jboss-eap-7.2/standalone/tmp" "read")" in code source "(vfs:/content/JBEAP-19256.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.JBEAP-19256.war" from Service Module Loader")
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:307)
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:204)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:372)
    at sun.nio.fs.UnixPath.checkRead(UnixPath.java:795)
    at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:49)
    at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
    at java.nio.file.Files.readAttributes(Files.java:1737)
    at java.nio.file.Files.isSymbolicLink(Files.java:2153)
    at io.undertow.server.handlers.resource.PathResourceManager.getSymlinkBase(PathResourceManager.java:309)
    at io.undertow.server.handlers.resource.PathResourceManager.getResource(PathResourceManager.java:218)
    at org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource(ServletResourceManager.java:74)
    at io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:114)
    at io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:32)
    at io.undertow.servlet.handlers.ServletPathMatches.getServletHandlerByPath(ServletPathMatches.java:96)
    at io.undertow.servlet.spec.RequestDispatcherImpl.<init>(RequestDispatcherImpl.java:74)
    at io.undertow.servlet.spec.ServletContextImpl.getRequestDispatcher(ServletContextImpl.java:334)
    at com.redhat.examples.servlet.Servlet.doPost(Servlet.java:51)
    at com.redhat.examples.servlet.Servlet.doGet(Servlet.java:40)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
    at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78)
    at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:133)
    at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:130)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1504)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1504)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
    at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78)
    at io.undertow.servlet.handlers.ServletInitialHandler.run(ServletInitialHandler.java:105)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:102)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
    at io.undertow.server.HttpServerExchange.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
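The trace shows `Files.isSymbolicLink` being reached from the servlet's `getRequestDispatcher` call, so the read permission is checked against the deployment's code source. The sketch below is an added example of the `doPrivileged` pattern named in the linked UNDERTOW-1703 title, not Undertow's patch or code from this issue; the class and method names are hypothetical, and it assumes a Java release where `AccessController` and `System.getSecurityManager()` are still available.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical class for illustration; not Undertow's PathResourceManager.
public final class PrivilegedSymlinkCheck {
    private final Path base; // directory the server itself chose to serve from

    public PrivilegedSymlinkCheck(Path base) {
        this.base = base.toAbsolutePath().normalize();
    }

    // Before: called from a servlet, the deployment's protection domain is on
    // the stack, so the FilePermission "read" check is made against the
    // deployment and can fail as in the log above.
    public boolean isSymlinkAsCaller(String relative) {
        return Files.isSymbolicLink(resolveInsideBase(relative));
    }

    // After: the container performs the check with its own permissions. Only
    // the single file-system call is privileged, and only for a path already
    // confined to the base directory.
    public boolean isSymlinkPrivileged(String relative) {
        final Path candidate = resolveInsideBase(relative);
        if (System.getSecurityManager() == null) {
            return Files.isSymbolicLink(candidate);
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> Files.isSymbolicLink(candidate));
    }

    // Reject paths that escape the base, so the privileged block cannot be
    // used to probe arbitrary files on behalf of less-privileged code.
    private Path resolveInsideBase(String relative) {
        Path candidate = base.resolve(relative).normalize();
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base: " + relative);
        }
        return candidate;
    }

    public static void main(String[] args) {
        PrivilegedSymlinkCheck check = new PrivilegedSymlinkCheck(Paths.get("."));
        System.out.println(check.isSymlinkPrivileged("forward.jsp"));
    }
}
```

Keeping the privileged block to one call on a pre-validated path is what stops the wrapper from lending the container's file permissions to deployment code.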
Issue Links
- incorporates
  - UNDERTOW-1703 Checking isSymbolicLink should be in doPrivileged block (Resolved)
- is cloned by
  - JBEAP-19256 [GSS](7.2.z) UNDERTOW-1703 - WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp (Verified)
  - WFLY-13392 WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp (Closed)