JBoss Remoting (3+)
REM3-263: Remoting requires additional FilePermissions to read SASL challenge when running with Security Manager enabled

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 5.0.0.Beta19
    • 5.0.0.Beta18

      When the Security Manager is enabled, Remoting requires additional FilePermissions to read the SASL challenge; see the stack trace:

      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
         JBOSS-LOCAL-USER: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/istudens/work/git/jboss-eap-upstream/testsuite/integration/basic/target/jbossas/standalone/tmp/auth/local8187140844322767624.challenge" "read")" in code source "(vfs:/content/flush-operations.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.flush-operations.jar" from Service Module Loader")
         DIGEST-MD5: Server rejected authentication
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:107)
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:390)
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:236)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      	at ...asynchronous invocation...(Unknown Source)
      	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:464)
      	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:426)
      	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:414)
      	at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:164)
      	at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:111)
      	... 147 more
      

      The exception comes from org.wildfly.security.sasl.localuser.LocalUserClient#evaluateMessage()#L92:

      LocalUserClient.java
                          final FileInputStream stream = new FileInputStream(file);
      

      Although the invocation goes through PrivilegedSaslClient, the AccessControlContext that its constructor caches is the caller's (client) ACC, so the later read of the file mentioned above is checked against the deployment's permissions and fails.

      One option to fix this is to invoke the PrivilegedSaslClient constructor inside a privileged block, as there already is a permission check in org.jboss.remoting3.EndpointImpl#connect() around that code, see:

      EndpointImpl.java
                          if (sm != null) {
                              sm.checkPermission(RemotingPermission.CONNECT);
                          }

      Another option might be to invoke the entire EndpointImpl.construct() within doPrivileged().
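      To make the mechanism behind both options concrete, here is an added Java illustration, not code from Remoting or WildFly Elytron: CachingPrivilegedWrapper is a hypothetical stand-in for PrivilegedSaslClient, DEPLOYMENT is a constructed no-permission domain standing in for the deployment's code source, and the challenge path is a placeholder. It assumes a JDK on which the SecurityManager permission checks still operate (JDK 23 or earlier) and contrasts the read check for a wrapper built on the deployment's stack with one built inside a doPrivileged block opened by trusted code.

```java
import java.io.FilePermission;
import java.security.*;

// Hypothetical stand-in for PrivilegedSaslClient (not the Elytron class): caches the ACC at
// construction and later runs its work under that cached ACC, as the issue describes.
final class CachingPrivilegedWrapper {
    private final AccessControlContext cached = AccessController.getContext();
    boolean canRead(String path) {   // the check the SASL client faces before opening the challenge
        FilePermission perm = new FilePermission(path, "read");
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(perm);
                return true;
            } catch (AccessControlException e) {
                return false;
            }
        }, cached);
    }
}

public class CachedAccDemo {
    // Constructed: a protection domain with no permissions, standing in for the deployment.
    static final AccessControlContext DEPLOYMENT = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
    static final String CHALLENGE = "/tmp/auth/local-demo.challenge"; // constructed placeholder
    // Current behaviour: the deployment's domain is on the stack while the constructor runs,
    // so it is captured into the cached ACC and limits every later check.
    static boolean constructedOnDeploymentStack() {
        return AccessController.doPrivileged(
                (PrivilegedAction<CachingPrivilegedWrapper>) CachingPrivilegedWrapper::new, DEPLOYMENT)
                .canRead(CHALLENGE);
    }
    // Proposed fix: trusted code opens its own doPrivileged block around the constructor,
    // so the stack walk stops there and the deployment's domain is never cached.
    static boolean constructedInsidePrivilegedBlock() {
        return AccessController.doPrivileged(
                (PrivilegedAction<CachingPrivilegedWrapper>) () -> AccessController.doPrivileged(
                        (PrivilegedAction<CachingPrivilegedWrapper>) CachingPrivilegedWrapper::new),
                DEPLOYMENT).canRead(CHALLENGE);
    }
    public static void main(String[] args) {
        // Grant the demo's own classes everything, so DEPLOYMENT is the only restriction in play.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain pd, Permission p) { return true; }
        });
        System.out.println("built on deployment stack: canRead=" + constructedOnDeploymentStack());
        System.out.println("built inside doPrivileged: canRead=" + constructedInsidePrivilegedBlock());
    }
}
```

      The same contrast applies to the second option: wrapping all of the connect logic in doPrivileged() from Remoting's own code source cuts the deployment's domain off before the SASL client is ever constructed.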

              istudens@redhat.com Ivo Studensky