Uploaded image for project: 'JBoss Remoting (3+)'
  1. JBoss Remoting (3+)
  2. REM3-263

Remoting requires additional FilePermissions to read SASL chalenge when running with Security Manager enabled

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 5.0.0.Beta18
    • Fix Version/s: 5.0.0.Beta19
    • Labels:
      None

      Description

      When Security Manager is enabled, Remoting requires additional FilePermissions to read SASL chalenge, see the stacktrace:

      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
         JBOSS-LOCAL-USER: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/istudens/work/git/jboss-eap-upstream/testsuite/integration/basic/target/jbossas/standalone/tmp/auth/local8187140844322767624.challenge" "read")" in code source "(vfs:/content/flush-operations.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.flush-operations.jar" from Service Module Loader")
         DIGEST-MD5: Server rejected authentication
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:107)
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:390)
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:236)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      	at ...asynchronous invocation...(Unknown Source)
      	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:464)
      	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:426)
      	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:414)
      	at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:164)
      	at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:111)
      	... 147 more
      

      The exception comes from org.wildfly.security.sasl.localuser.LocalUserClient#evaluateMessage()#L92:

      LocalUserClient.java
                          final FileInputStream stream = new FileInputStream(file);
      

      Although the invocation involves PrivilegedSaslClient, its accessControlContext cached by the constructor represents a client ACC and thus fails to read the file mentioned above.

      One option to fix this is to invoke the PrivilegedSaslClient's constructor inside of a privileged block, as there already is a permission check in org.jboss.remoting3.EndpointImpl#connect() around that code, see:

      Unable to find source-code formatter for language: endpointimpl.java. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
      445       if (sm != null) {
      446            sm.checkPermission(RemotingPermission.CONNECT);
      447       }
      

      Another option might be to invoke the entire EndpointImpl.construct() within doPrivileged().

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  istudens Ivo Studensky
                  Reporter:
                  istudens Ivo Studensky
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: