Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-778

DelegatingPolicy should delegate refresh()

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Unresolved
    • Icon: Optional Optional
    • None
    • None
    • PicketBox

      DelegatingPolicy delegates non-JACC permissions to the java.security.Policy (or subclass) object.
      It delegates getPermissions() and implies() methods, but not refresh() method.

      It is bad, because DelegatingPolicy is used by default in current Wildfly and applications assuming standard policy provider and using normal security policy file will not refresh policies from file.

      Yes, user application can bypass it by using

      Policy.getPolicy().getPolicyProxy().refresh();

      but this require to have "org.picketbox" in dependencies, so application on picketlink depends, or is incompatible...

      This illustrate patch of my policy switching jboss extension - before patch it works only without picketlink, after it works only with picketlink:
      https://github.com/honza889/jsm-policy-subsystem/commit/f2fb420b43ac3eedbe5acde32762042e095189d6#diff-998db8f249fa4f686067810e0c894afeL41

      This should resolve this one line in DelegatingPolicy class:

         public void refresh()
   {
         delegate.refresh();
   }

      Thanks

      More informations about DelegatingPolicy:
      https://community.jboss.org/wiki/DelegatingPolicy
      https://github.com/picketbox/picketbox-container/blob/e8dfc3e8306cdbd2329de2dc73bfa8fd61eca6cd/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/jacc/DelegatingPolicy.java#L219

              Unassigned Unassigned
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: