Loading...

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.0.0.ER4
Affects Version/s: 7.0.0.DR9
Component/s: Security Manager
Labels:
None

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.0.0.GA
Steps to Reproduce:
Hide

# store attached reproducers to the /tmp folder # configure JBOSS_HOME to point to your WildFly installation export JBOSS_HOME=/path/to/wildfly-xxx # install custom module which includes a custom permission # just unzip it to ${JBOSS_HOME}/modules unzip /tmp/custom-module.zip -d ${JBOSS_HOME}/modules # deploy test application - it has dependency on the custom module and it checks java.util.PropertyPermission and also org.jboss.test.CustomPermission (included in the custom module) cp /tmp/secured-webapp.war ${JBOSS_HOME}/standalone/deployments # start WildFly with security manager ${JBOSS_HOME}/bin/standalone.sh -secmgr # configure minimum permissions in WildFly ${JBOSS_HOME}/bin/jboss-cli.sh -c '/subsystem=security-manager/deployment-permissions=default:write-attribute(name=minimum-permissions, value=[{class=java.util.PropertyPermission, actions=read, name="org.jboss.test"}, {class=org.jboss.test.CustomPermission, name="org.jboss.test", module="org.jboss.test"}])' # reload the server ${JBOSS_HOME}/bin/jboss-cli.sh -c reload # use the test application curl 'http://localhost:8080/secured-webapp/?property=org.jboss.test&custom=org.jboss.test'

Expected result:

Checking custom permission with name org.jboss.test OK Checking property 'read' permission for org.jboss.test OK

Actual result:

Checking custom permission with name org.jboss.test java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.test.CustomPermission" "org.jboss.test")" in code source "(vfs:/content/secured-webapp.war/WEB-INF/classes <no signer certificates>)" of "null") at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273) at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175) at org.jboss.test.CheckJSMUtils.checkCustomPermission(CheckJSMUtils.java:47) at org.jboss.test.JSMCheckServlet.doGet(JSMCheckServlet.java:49) at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:178) at java.security.AccessController.doPrivileged(Native Method) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:778) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Checking property 'read' permission for org.jboss.test OK
Show
# store attached reproducers to the /tmp folder # configure JBOSS_HOME to point to your WildFly installation export JBOSS_HOME=/path/to/wildfly-xxx # install custom module which includes a custom permission # just unzip it to ${JBOSS_HOME}/modules unzip /tmp/custom-module.zip -d ${JBOSS_HOME}/modules # deploy test application - it has dependency on the custom module and it checks java.util.PropertyPermission and also org.jboss.test.CustomPermission (included in the custom module) cp /tmp/secured-webapp.war ${JBOSS_HOME}/standalone/deployments # start WildFly with security manager ${JBOSS_HOME}/bin/standalone.sh -secmgr # configure minimum permissions in WildFly ${JBOSS_HOME}/bin/jboss-cli.sh -c '/subsystem=security-manager/deployment-permissions=default:write-attribute(name=minimum-permissions, value=[{class=java.util.PropertyPermission, actions=read, name= "org.jboss.test" }, {class=org.jboss.test.CustomPermission, name= "org.jboss.test" , module= "org.jboss.test" }])' # reload the server ${JBOSS_HOME}/bin/jboss-cli.sh -c reload # use the test application curl 'http://localhost:8080/secured-webapp/?property=org.jboss.test&custom=org.jboss.test' Expected result: Checking custom permission with name org.jboss.test OK Checking property 'read' permission for org.jboss.test OK Actual result: Checking custom permission with name org.jboss.test java.security.AccessControlException: WFSM000001: Permission check failed (permission "(" org.jboss.test.CustomPermission " " org.jboss.test ")" in code source "(vfs:/content/secured-webapp.war/WEB-INF/classes <no signer certificates>)" of " null " ) at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273) at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175) at org.jboss.test.CheckJSMUtils.checkCustomPermission(CheckJSMUtils.java:47) at org.jboss.test.JSMCheckServlet.doGet(JSMCheckServlet.java:49) at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80) at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:178) at java.security.AccessController.doPrivileged(Native Method) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:778) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang. Thread .run( Thread .java:745) Checking property 'read' permission for org.jboss.test OK

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When a custom permission (without 2 param constructor) is defined in a WildFly module then it's not possible to grant it to deployments.

Neither defining permissions in security-manager subsystem nor requesting them in META-INF/permissions.xml works.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

custom-module.zip
5 kB
2015/08/27 9:21 AM
secured-webapp.war
5 kB
2015/08/27 9:21 AM
secured-webapp-with-permissions.war
6 kB
2015/08/28 7:33 AM

blocks

JBEAP-971 Fix issues in tests with Security Manager

Closed

is cloned by

WFLY-5222 Unable to grant custom permission from a WildFly module

Closed

relates to

JBEAP-3188 Add regression test for JBEAP-903 - Custom permissions without 2-param constructor

Verified

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates