JBoss Enterprise Application Platform / JBEAP-903

Unable to grant custom permission from a WildFly module


    • Bug
    • Resolution: Done
    • Blocker
    • 7.0.0.ER4
    • 7.0.0.DR9
    • Security Manager
    • None
      # store attached reproducers to the /tmp folder
      
      # configure JBOSS_HOME to point to your WildFly installation
      export JBOSS_HOME=/path/to/wildfly-xxx
      
      # install custom module which includes a custom permission
      # just unzip it to ${JBOSS_HOME}/modules
      unzip /tmp/custom-module.zip -d ${JBOSS_HOME}/modules
      
      # deploy test application - it has dependency on the custom module and it checks java.util.PropertyPermission and also org.jboss.test.CustomPermission (included in the custom module)
      cp /tmp/secured-webapp.war ${JBOSS_HOME}/standalone/deployments
      
      # start WildFly with security manager
      ${JBOSS_HOME}/bin/standalone.sh -secmgr
      
      # configure minimum permissions in WildFly
      ${JBOSS_HOME}/bin/jboss-cli.sh -c '/subsystem=security-manager/deployment-permissions=default:write-attribute(name=minimum-permissions, value=[{class=java.util.PropertyPermission, actions=read, name="org.jboss.test"}, {class=org.jboss.test.CustomPermission, name="org.jboss.test", module="org.jboss.test"}])'
      
      # reload the server
      ${JBOSS_HOME}/bin/jboss-cli.sh -c reload
      
      # use the test application
      curl 'http://localhost:8080/secured-webapp/?property=org.jboss.test&custom=org.jboss.test'
      

      Expected result:

      Checking custom permission with name org.jboss.test
      OK
      
      Checking property 'read' permission for org.jboss.test
      OK
      

      Actual result:

      Checking custom permission with name org.jboss.test
      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.test.CustomPermission" "org.jboss.test")" in code source "(vfs:/content/secured-webapp.war/WEB-INF/classes <no signer certificates>)" of "null")
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
              at org.jboss.test.CheckJSMUtils.checkCustomPermission(CheckJSMUtils.java:47)
              at org.jboss.test.JSMCheckServlet.doGet(JSMCheckServlet.java:49)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
              at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
              at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
              at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
              at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
              at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
              at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
              at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
              at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
              at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
              at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
              at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:178)
              at java.security.AccessController.doPrivileged(Native Method)
              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:778)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)
      
      Checking property 'read' permission for org.jboss.test
      OK
      

      When a custom permission (without a 2-param constructor) is defined in a WildFly module, it's not possible to grant it to deployments.

      Neither defining permissions in the security-manager subsystem nor requesting them in META-INF/permissions.xml works.

        1. secured-webapp.war
          5 kB
          Josef Cacek
        2. secured-webapp-with-permissions.war
          6 kB
          Josef Cacek

              sguilhen Stefan Guilhen
              josef.cacek@gmail.com Josef Cacek (Inactive)
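
Added example, not part of the original report and not WildFly code: the description ties the failure to a permission class that has no two-parameter constructor, so this sketch shows why constructor arity matters when a permission is instantiated by class name from configuration. The class PermissionFactoryDemo, its nested CustomPermission and the naive/flexible loaders are hypothetical names constructed for illustration.

```java
import java.lang.reflect.Constructor;
import java.security.BasicPermission;
import java.security.Permission;
import java.util.PropertyPermission;

public class PermissionFactoryDemo {
    // Constructed stand-in for a module-provided permission: name-only constructor.
    public static final class CustomPermission extends BasicPermission {
        public CustomPermission(String name) { super(name); }
    }

    // Naive loader: assumes every permission has a (name, actions) constructor.
    static Permission naive(Class<? extends Permission> c, String name, String actions)
            throws ReflectiveOperationException {
        return c.getConstructor(String.class, String.class).newInstance(name, actions);
    }

    // Arity-aware loader: chooses the constructor from what the configuration supplied.
    static Permission flexible(Class<? extends Permission> c, String name, String actions)
            throws ReflectiveOperationException {
        Constructor<? extends Permission> two = find(c, String.class, String.class);
        if (actions != null) {
            // Refuse rather than silently drop configured actions.
            if (two == null) throw new NoSuchMethodException(c.getName() + " takes no actions");
            return two.newInstance(name, actions);
        }
        Constructor<? extends Permission> one = find(c, String.class);
        if (one != null) return one.newInstance(name);
        if (two != null) return two.newInstance(name, null);
        throw new NoSuchMethodException(c.getName() + " has no usable public constructor");
    }

    private static <T> Constructor<T> find(Class<T> c, Class<?>... signature) {
        try { return c.getConstructor(signature); } catch (NoSuchMethodException e) { return null; }
    }

    public static void main(String[] args) throws Exception {
        try {
            naive(CustomPermission.class, "org.jboss.test", null);
        } catch (NoSuchMethodException e) {
            System.out.println("naive loader cannot build the permission: " + e);
        }
        Permission granted = flexible(CustomPermission.class, "org.jboss.test", null);
        System.out.println("custom permission implied: "
                + granted.implies(new CustomPermission("org.jboss.test")));
        Permission prop = flexible(PropertyPermission.class, "org.jboss.test", "read");
        System.out.println("property read implied: "
                + prop.implies(new PropertyPermission("org.jboss.test", "read")));
    }
}
```

A permission that cannot be instantiated from configuration never reaches the deployment's granted set, so the runtime check fails closed with an AccessControlException like the one in the actual result above.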