- Bug
- Resolution: Done
- Major
- 5.0.0.Beta18
- None
When the Security Manager is enabled, Remoting requires additional FilePermissions to read the SASL challenge; see the stack trace:
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
   JBOSS-LOCAL-USER: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/istudens/work/git/jboss-eap-upstream/testsuite/integration/basic/target/jbossas/standalone/tmp/auth/local8187140844322767624.challenge" "read")" in code source "(vfs:/content/flush-operations.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.flush-operations.jar" from Service Module Loader")
   DIGEST-MD5: Server rejected authentication
    at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:107)
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:390)
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:236)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
    at ...asynchronous invocation...(Unknown Source)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:464)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:426)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:414)
    at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:164)
    at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:111)
    ... 147 more
The exception comes from org.wildfly.security.sasl.localuser.LocalUserClient#evaluateMessage()#L92:
final FileInputStream stream = new FileInputStream(file);
Although the invocation goes through PrivilegedSaslClient, the AccessControlContext that its constructor caches is the client's ACC, so the read of the file mentioned above is checked against the client's permissions and fails.
One option to fix this is to invoke the PrivilegedSaslClient's constructor inside of a privileged block, as there already is a permission check in org.jboss.remoting3.EndpointImpl#connect() around that code, see:
if (sm != null) {
    sm.checkPermission(RemotingPermission.CONNECT);
}
Another option might be to invoke the entire EndpointImpl.construct() within doPrivileged().
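The effect of the cached context described above can be reproduced with a small model. This is an added example, not code from JBoss Remoting or WildFly Elytron: CachingClient, domain() and the challenge path are hypothetical stand-ins, and the two contexts are built by hand to represent what the constructor would capture in each case. It assumes a JDK where the Security Manager API is still functional (JDK 8 to 17).

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class CachedAccDemo {
    // Hypothetical stand-in for PrivilegedSaslClient: caches an ACC at construction
    // time and checks later work against it, whatever the stack is at call time.
    static final class CachingClient {
        private final AccessControlContext acc;
        CachingClient(AccessControlContext capturedAtConstruction) {
            this.acc = capturedAtConstruction;
        }
        boolean mayRead(String path) {
            try {
                acc.checkPermission(new FilePermission(path, "read"));
                return true;
            } catch (AccessControlException e) {
                return false;
            }
        }
    }

    // Two-argument ProtectionDomain: static permissions only, Policy is not consulted.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(new CodeSource(null, (Certificate[]) null), perms);
    }

    public static void main(String[] args) {
        String challenge = "/tmp/auth/local-constructed.challenge"; // constructed path
        ProtectionDomain remoting = domain(new AllPermission());  // models the library module
        ProtectionDomain deployment = domain();                   // models a deployment without FilePermission
        // Constructor reached from deployment code: both domains are on the stack.
        AccessControlContext clientAcc =
            new AccessControlContext(new ProtectionDomain[] { remoting, deployment });
        // Constructor run inside doPrivileged in the library: the stack walk stops there.
        AccessControlContext privilegedAcc =
            new AccessControlContext(new ProtectionDomain[] { remoting });
        System.out.println("client ACC cached:     " + new CachingClient(clientAcc).mayRead(challenge));
        System.out.println("privileged ACC cached: " + new CachingClient(privilegedAcc).mayRead(challenge));
    }
}
```

With the constructor inside the privileged block, the remaining gate for deployment code is the RemotingPermission.CONNECT check quoted above, so that check has to stay outside the privileged region.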
- causes: WFLY-7594 FlushOperationsTestCase fails with security manager (Closed)
- is incorporated by: JBEAP-9110 (7.1.x) Upgrade JBoss Remoting from 5.0.0.Beta17 to 5.0.0.Beta19 (Closed)
- is related to: JBEAP-12547 LocalUserClient (JBOSS-LOCAL-USER) fails SASL authentication if a security manager is used (Closed)