Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.3.2.CR1, 7.3.2.GA
Affects Version/s: 7.2.8.GA
Component/s: Undertow
Labels:
- downstream_dependency
- test_included

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
+
Target Release:

7.3.z.GA
Git Pull Request:
https://gitlab.cee.redhat.com/undertow-io/undertow/merge_requests/17, https://github.com/jbossas/jboss-eap7/pull/3495
Steps to Reproduce:
Hide

Deploy the war
Hit: http://localhost:8080/JBEAP-19256/Servlet
expected:

This is the Forward Servlet doPost for /forward remoteHost: 127.0.0.1 queryString: null servletPath: /forward getRequestURL: http://localhost:8080/JBEAP-19256/forward

Hit: http://localhost:8080/JBEAP-19256/Servlet?forward=forward.jsp
expected:

This is the Forward Servlet doPost for /forward

Enable security manager:

in bin/standalone.conf , uncomment SECMGR="true"

add to standalone.xml :

<subsystem xmlns="urn:jboss:domain:security-manager:1.0"> <deployment-permissions> <minimum-set> <permission class="java.io.FilePermission" name="${jboss.server.temp.dir}/-" actions="read"/> <permission class="java.util.PropertyPermission" name="*" actions="read"/> </minimum-set> <maximum-set> <permission class="java.security.AllPermission"/> </maximum-set> </deployment-permissions> </subsystem>

Hit: http://localhost:8080/JBEAP-19256/Servlet
expected:

This is the Forward Servlet doPost for /forward remoteHost: 127.0.0.1 queryString: null servletPath: /forward getRequestURL: http://localhost:8080/JBEAP-19256/forward

Hit: http://localhost:8080/JBEAP-19256/Servlet?forward=forward.jsp
expected:

This is the Forward Servlet doPost for /forward
Show
Deploy the war Hit: http://localhost:8080/JBEAP-19256/Servlet expected: This is the Forward Servlet doPost for /forward remoteHost: 127.0.0.1 queryString: null servletPath: /forward getRequestURL: http: //localhost:8080/JBEAP-19256/forward Hit: http://localhost:8080/JBEAP-19256/Servlet?forward=forward.jsp expected: This is the Forward Servlet doPost for /forward Enable security manager: in bin/standalone.conf , uncomment SECMGR="true" add to standalone.xml : <subsystem xmlns= "urn:jboss:domain:security-manager:1.0" > <deployment-permissions> <minimum-set> <permission class= "java.io.FilePermission" name= "${jboss.server.temp.dir}/-" actions= "read" /> <permission class= "java.util.PropertyPermission" name= "*" actions= "read" /> </minimum-set> <maximum-set> <permission class= "java.security.AllPermission" /> </maximum-set> </deployment-permissions> </subsystem> Hit: http://localhost:8080/JBEAP-19256/Servlet expected: This is the Forward Servlet doPost for /forward remoteHost: 127.0.0.1 queryString: null servletPath: /forward getRequestURL: http: //localhost:8080/JBEAP-19256/forward Hit: http://localhost:8080/JBEAP-19256/Servlet?forward=forward.jsp expected: This is the Forward Servlet doPost for /forward

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When the security manager is enabled and a Servlet tries to use the RequestDispatcher to forward to a jsp, it fails silently even when the security manager permission for the VFS directory is granted.

It looks like it may be running under the wrong security context when the security manager is invoked.

2020-04-16 14:46:55,390 DEBUG [io.undertow.request] (default task-1) Invalid path forward.jsp: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/jboss/jboss-eap-7.2/standalone/tmp" "read")" in code source "(vfs:/content/JBEAP-19256.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.JBEAP-19256.war" from Service Module Loader")
  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:307)
  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:204)
  at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
  at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:372)
  at sun.nio.fs.UnixPath.checkRead(UnixPath.java:795)
  at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:49)
  at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
  at java.nio.file.Files.readAttributes(Files.java:1737)
  at java.nio.file.Files.isSymbolicLink(Files.java:2153)
  at io.undertow.server.handlers.resource.PathResourceManager.getSymlinkBase(PathResourceManager.java:309)
  at io.undertow.server.handlers.resource.PathResourceManager.getResource(PathResourceManager.java:218)
  at org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource(ServletResourceManager.java:74)
  at io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:114)
  at io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:32)
  at io.undertow.servlet.handlers.ServletPathMatches.getServletHandlerByPath(ServletPathMatches.java:96)
  at io.undertow.servlet.spec.RequestDispatcherImpl.<init>(RequestDispatcherImpl.java:74)
  at io.undertow.servlet.spec.ServletContextImpl.getRequestDispatcher(ServletContextImpl.java:334)
  at com.redhat.examples.servlet.Servlet.doPost(Servlet.java:51)
  at com.redhat.examples.servlet.Servlet.doGet(Servlet.java:40)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
  at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
  at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
  at io.undertow.servlet.handlers.ServletChain.handleRequest(ServletChain.java:68)
  at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
  at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
  at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
  at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
  at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
  at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
  at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
  at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
  at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
  at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78)
  at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:133)
  at io.undertow.servlet.handlers.ServletInitialHandler.call(ServletInitialHandler.java:130)
  at io.undertow.servlet.core.ServletRequestContextThreadSetupAction.call(ServletRequestContextThreadSetupAction.java:48)
  at io.undertow.servlet.core.ContextClassLoaderSetupAction.call(ContextClassLoaderSetupAction.java:43)
  at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create(SecurityContextThreadSetupAction.java:105)
  at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1504)
  at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1504)
  at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1504)
  at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create(UndertowDeploymentInfoService.java:1504)
  at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
  at io.undertow.servlet.handlers.ServletInitialHandler.access(ServletInitialHandler.java:78)
  at io.undertow.servlet.handlers.ServletInitialHandler.run(ServletInitialHandler.java:105)
  at java.security.AccessController.doPrivileged(Native Method)
  at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:102)
  at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
  at io.undertow.server.HttpServerExchange.run(HttpServerExchange.java:830)
  at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
  at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
  at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
  at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
  at java.lang.Thread.run(Thread.java:748)

incorporates

UNDERTOW-1703 Checking isSymbolicLink should be in doPrivileged block

Resolved

is cloned by

JBEAP-19256 [GSS](7.2.z) UNDERTOW-1703 - WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp

Closed

WFLY-13392 WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp

Closed

Assignee:: Lin Gao

Reporter:: Lin Gao

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2020/04/17 2:10 AM

Updated:: 2024/08/27 1:44 PM

Resolved:: 2020/06/17 3:37 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates