Uploaded image for project: 'JBoss Transaction Manager'
  1. JBoss Transaction Manager
  2. JBTM-2577

CDR Input/Output streams need SerializablePermission("enableSubclassImplementation") when Security Manager is in force

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 5.2.9.Final
    • 5.2.8.Final
    • JTS
    • None

    Description

      Since JDK 7u25 version org.omg.CORBA_2_3.portable.Output/InputStream classes need extra permissions if Security Manager is enabled. Because of a previous vulnerability, it now checks SerializablePermission("enableSubclassImplementation"). There is a property flag to allow subclass instantiations without the security check (jdk.corba.allowOutputStreamSubclass=true), but this system property is subject to removal in the future Java releases, according to my findings.

      At the moment, our IIOP code fails (can be seen in iiop tests of WildFly testsuite) when running with SM enabled.

      See the following stacktraces:

      	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
	  at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
	  at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
	  at com.sun.corba.se.impl.encoding.WrapperInputStream.<init>(WrapperInputStream.java:74)
	  at com.sun.corba.se.impl.corba.TypeCodeImpl.read_value(TypeCodeImpl.java:1273)
	  at com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_any(CDRInputStream_1_0.java:695)
	  at com.sun.corba.se.impl.encoding.CDRInputStream.read_any(CDRInputStream.java:238)
	  at org.omg.CosTransactions.PropagationContextHelper.read(PropagationContextHelper.java:88)
	  at com.arjuna.ArjunaOTS._ArjunaTransactionStub.get_txcontext(_ArjunaTransactionStub.java:387)
	  at com.arjuna.ats.jts.orbspecific.javaidl.interceptors.interposition.InterpositionClientRequestInterceptorImpl.send_request(InterpositionClientRequestInterceptorImpl.java:223)
	  at com.sun.corba.se.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:245)
	  at com.sun.corba.se.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:355)
	  at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.beginRequest(CorbaClientRequestDispatcherImpl.java:293)
	  at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:137)
	  at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
	  at org.omg.CosTransactions._ResourceStub.commit_one_phase(_ResourceStub.java:94)
	  at com.arjuna.ats.internal.jts.resources.ResourceRecord.topLevelOnePhaseCommit(ResourceRecord.java:537)
	  at com.arjuna.ats.arjuna.coordinator.BasicAction.onePhaseCommit(BasicAction.java:2361)
	  at com.arjuna.ats.arjuna.coordinator.BasicAction.End(BasicAction.java:1495)
	  - locked <0x360a> (a com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple)
	  at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.commit(ArjunaTransactionImple.java:375)
	  at com.arjuna.ats.internal.jts.ControlWrapper.commit(ControlWrapper.java:244)
	  at com.arjuna.ats.internal.jts.orbspecific.CurrentImple.commit(CurrentImple.java:247)
	  at com.arjuna.ats.jts.extensions.AtomicTransaction.commit(AtomicTransaction.java:276)
	  at com.arjuna.ats.internal.jta.transaction.jts.TransactionImple.commitAndDisassociate(TransactionImple.java:1313)
	  at com.arjuna.ats.internal.jta.transaction.jts.BaseTransaction.commit(BaseTransaction.java:130)
	  at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	  at org.jboss.tm.usertx.client.ServerVMClientUserTransaction.commit(ServerVMClientUserTransaction.java:178)
	  at org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:65)

      	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
	  at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
	  at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
	  at com.sun.corba.se.impl.encoding.WrapperInputStream.<init>(WrapperInputStream.java:74)
	  at com.sun.corba.se.impl.corba.TypeCodeImpl.read_value(TypeCodeImpl.java:1273)
	  at com.sun.corba.se.impl.corba.TypeCodeImpl.copy(TypeCodeImpl.java:2018)
	  at com.sun.corba.se.impl.corba.TypeCodeImpl.copy(TypeCodeImpl.java:2054)
	  at com.sun.corba.se.impl.corba.AnyImpl.write_value(AnyImpl.java:610)
	  at com.sun.corba.se.impl.interceptors.CDREncapsCodec.encodeImpl(CDREncapsCodec.java:173)
	  at com.sun.corba.se.impl.interceptors.CDREncapsCodec.encode_value(CDREncapsCodec.java:119)
	  at com.arjuna.ats.jts.orbspecific.javaidl.interceptors.interposition.InterpositionClientRequestInterceptorImpl.send_request(InterpositionClientRequestInterceptorImpl.java:280)
	  at com.sun.corba.se.impl.interceptors.InterceptorInvoker.invokeClientInterceptorStartingPoint(InterceptorInvoker.java:245)
	  at com.sun.corba.se.impl.interceptors.PIHandlerImpl.invokeClientPIStartingPoint(PIHandlerImpl.java:355)
	  at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.beginRequest(CorbaClientRequestDispatcherImpl.java:293)
	  at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:137)
	  at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
	  at com.arjuna.ArjunaOTS._ArjunaTransactionStub.is_top_level_transaction(_ArjunaTransactionStub.java:193)
	  at com.arjuna.ats.jts.OTSManager.destroyControl(OTSManager.java:133)
	  at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.destroyAction(ArjunaTransactionImple.java:2201)
	  at com.arjuna.ats.internal.jts.orbspecific.coordinator.ArjunaTransactionImple.commit(ArjunaTransactionImple.java:392)
	  at com.arjuna.ats.internal.jts.ControlWrapper.commit(ControlWrapper.java:244)
	  at com.arjuna.ats.internal.jts.orbspecific.CurrentImple.commit(CurrentImple.java:247)
	  at com.arjuna.ats.jts.extensions.AtomicTransaction.commit(AtomicTransaction.java:276)
	  at com.arjuna.ats.internal.jta.transaction.jts.TransactionImple.commitAndDisassociate(TransactionImple.java:1313)
	  at com.arjuna.ats.internal.jta.transaction.jts.BaseTransaction.commit(BaseTransaction.java:130)
	  at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	  at org.jboss.tm.usertx.client.ServerVMClientUserTransaction.commit(ServerVMClientUserTransaction.java:178)
	  at org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:65)

      Attachments

        Issue Links

          causes

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-2265 CDR Input/Output streams need SerializablePermission("enableSubclassImplementation") when Security Manager is in force

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. WFLY-5521 Tests from IIOP module fails with security manager

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              istudens@redhat.com Ivo Studensky
              istudens@redhat.com Ivo Studensky
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: