  1. JBoss Enterprise Application Platform
  2. JBEAP-2543

Incorrectly bypassing the SecurityManager and calling AccessController.checkPermission() directly


    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 7.0.0.ER5
    • 7.0.0.ER2 (Beta)
    • Server
    • None

      1. Recompile jboss-modules after removing ALL_PERMISSION from getAllPermission().

       Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git branch
       * (HEAD detached at 1.4.4.Final)
          master
       Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git diff src/main/java/org/jboss/modules/ModulesPolicy.java
       diff --git a/src/main/java/org/jboss/modules/ModulesPolicy.java b/src/main/java/org/jboss/modules/ModulesPolicy.java
       index 1b8da50..0db9345 100644
       --- a/src/main/java/org/jboss/modules/ModulesPolicy.java
       +++ b/src/main/java/org/jboss/modules/ModulesPolicy.java
       @@ -39,7 +39,7 @@ final class ModulesPolicy extends Policy {
      
             private static Permissions getAllPermission() {
                 final Permissions permissions = new Permissions();
       -        permissions.add(ALL_PERMISSION);
       +        //permissions.add(ALL_PERMISSION);
                 return permissions;
             }
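Review bot: With `permissions.add(ALL_PERMISSION)` commented out, `getAllPermission()` returns an empty `Permissions` collection, so its name no longer matches what it hands back and nothing in the file marks this as a diagnostic build. If the patch lives anywhere beyond a scratch checkout, replace the dead line with an explanatory comment such as `// JBEAP-2543 repro only: default AllPermission grant removed on purpose`. How the returned collection is consumed lies outside the hunk; presumably code loaded through this policy loses its default grant, which is what the reproduction intends.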
      

      2. Comment out the throw statements in WildFlySecurityManager

       Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git branch
       * (HEAD detached at 1.0.2.Final)
          master
       Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git diff
       diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
       index 379c61f..11dddff 100644
       --- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
       +++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
       @@ -270,7 +270,7 @@ public final class WildFlySecurityManager extends SecurityManager {
                                 } else {
                                     access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals));
                                 }
       -                        throw access.accessControlException(perm, perm, codeSource, classLoader);
       +                        //throw access.accessControlException(perm, perm, codeSource, classLoader);
                             }
                         }
                     } finally {
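Review bot: Commenting out `throw access.accessControlException(...)` here, and in the same way in the hunks at -302, -1061, -1082, -1103 and -1120, leaves `access.accessCheckFailed(...)` as the only effect of a failed check, so every denied permission is logged and then allowed. That is what the reproduction needs, but as written it is six silent edits with no marker; a guarded form such as `if (!REPRO_LOG_ONLY) throw access.accessControlException(perm, perm, codeSource, classLoader);` (the flag name is a placeholder, not an existing field) keeps enforcement switchable and makes a diagnostic build recognisable. The enclosing methods begin outside these hunks; in this hunk the closing braces suggest the check sits inside a loop, so one denied call may now log once per failing protection domain rather than once.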
       @@ -302,7 +302,7 @@ public final class WildFlySecurityManager extends SecurityManager {
                                 } else {
                                     access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals));
                                 }
       -                        throw access.accessControlException(perm, perm, codeSource, classLoader);
       +                        //throw access.accessControlException(perm, perm, codeSource, classLoader);
                             }
                        }
                     } finally {
       @@ -1061,7 +1061,7 @@ public final class WildFlySecurityManager extends SecurityManager {
                     return;
                 }
                 access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
       -        throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
       +        //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
             }
      
             private static void checkEnvPropertyReadPermission(Class<?> clazz, String propertyName) {
       @@ -1082,7 +1082,7 @@ public final class WildFlySecurityManager extends SecurityManager {
                     return;
                 }
                 access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
       -        throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
       +        //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
             }
      
             private static void checkPropertyWritePermission(Class<?> clazz, String propertyName) {
       @@ -1103,7 +1103,7 @@ public final class WildFlySecurityManager extends SecurityManager {
                     return;
                 }
                 access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
       -        throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
       +        //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
             }
      
             private static void checkPDPermission(Class<?> clazz, Permission permission) {
       @@ -1120,7 +1120,7 @@ public final class WildFlySecurityManager extends SecurityManager {
                     return;
                 }
                 access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
       -        throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
       +        //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
             }
      
             /**
      

      3. Start Wildfly

      1. Recompile jboss-modules after removing AllPermission from getAllPermissions. Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git branch * (HEAD detached at 1.4.4.Final) master Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git diff src/main/java/org/jboss/modules/ModulesPolicy.java diff --git a/src/main/java/org/jboss/modules/ModulesPolicy.java b/src/main/java/org/jboss/modules/ModulesPolicy.java index 1b8da50..0db9345 100644 --- a/src/main/java/org/jboss/modules/ModulesPolicy.java +++ b/src/main/java/org/jboss/modules/ModulesPolicy.java @@ -39,7 +39,7 @@ final class ModulesPolicy extends Policy { private static Permissions getAllPermission() { final Permissions permissions = new Permissions(); - permissions.add(ALL_PERMISSION); + //permissions.add(ALL_PERMISSION); return permissions; } 2. Remove the Throw clauses from WildflySecurityManager Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git branch * (HEAD detached at 1.0.2.Final) master Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git diff diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java index 379c61f..11dddff 100644 --- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java +++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java @@ -270,7 +270,7 @@ public final class WildFlySecurityManager extends SecurityManager { } else { access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals)); } - throw access.accessControlException(perm, perm, codeSource, classLoader); + // throw access.accessControlException(perm, perm, codeSource, classLoader); } } } finally { 
@@ -302,7 +302,7 @@ public final class WildFlySecurityManager extends SecurityManager { } else { access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals)); } - throw access.accessControlException(perm, perm, codeSource, classLoader); + // throw access.accessControlException(perm, perm, codeSource, classLoader); } } } finally { @@ -1061,7 +1061,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkEnvPropertyReadPermission( Class <?> clazz, String propertyName) { @@ -1082,7 +1082,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkPropertyWritePermission( Class <?> clazz, String propertyName) { @@ -1103,7 +1103,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkPDPermission( Class <?> clazz, Permission permission) { 
@@ -1120,7 +1120,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } /** 3. Start Wildfly

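      If we modify jboss-modules so that AllPermission is no longer granted by default, and change WildFlySecurityManager so that it no longer throws on a failed check, we still get this error when starting WildFly. The trace shows CurrentServiceContainer.checkPermission calling AccessController.checkPermission directly, so the denial does not come from the installed SecurityManager: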

       org.jboss.msc.service.StartException in service jboss.as: Failed to start service
               at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
               at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
               at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
               at java.lang.Thread.run(Thread.java:745)
       Caused by: java.security.AccessControlException: access denied ("org.jboss.as.server.security.ServerPermission" "setCurrentServiceContainer")
               at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
               at java.security.AccessController.checkPermission(AccessController.java:884)
               at org.jboss.as.server.CurrentServiceContainer.checkPermission(CurrentServiceContainer.java:63)
               at org.jboss.as.server.CurrentServiceContainer.setServiceContainer(CurrentServiceContainer.java:56)
               at org.jboss.as.server.ApplicationServerService.start(ApplicationServerService.java:137)
               at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
               at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
               ... 3 more
      

              rhn-support-jshepher Jason Shepherd
              rhn-support-jshepher Jason Shepherd