Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-861

org.jboss.security.client.SecurityClient#login() requires unusual permissions

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • None
    • PicketBox_4_0_21_Beta3
    • None
    • None

      In order to do a security client login, the caller needs to have (at least) the permission java.lang.RuntimePermission "org.jboss.security.getSecurityContext".

      Leaving aside that RuntimePermission should not be used for things like this, the point of having a login method is to abstract the security context manipulation away. Surely if some permission check is needed, the permission should be something specific to logging in (though in my opinion, no permission should be necessary here).

      The exact example stack trace is:

      15:09:20,307 SEVERE [org.jboss.arquillian.protocol.jmx.JMXTestRunner] (pool-1-thread-1) Failed: org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase.testAnonymous: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "org.jboss.security.getSecurityContext")" in code source "(vfs:/content/runasprincipal-test.war/WEB-INF/classes <no signer certificates>)" of "null")
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:264) [wildfly-security-manager-1.0.2.Final-SNAPSHOT.jar:1.0.2.Final-SNAPSHOT]
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:169) [wildfly-security-manager-1.0.2.Final-SNAPSHOT.jar:1.0.2.Final-SNAPSHOT]
        at org.jboss.security.SecurityContextAssociation.getSecurityContext(SecurityContextAssociation.java:145) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
        at org.jboss.security.client.JBossSecurityClient.performSimpleLogin(JBossSecurityClient.java:77) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
        at org.jboss.security.client.SecurityClient.login(SecurityClient.java:74) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
        at org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase.testAnonymous(RunAsPrincipalTestCase.java:173) [classes:]

      Here's the testAnonymous method:

          @Test
    public void testAnonymous() throws Exception {
        SecurityClient client = SecurityClientFactory.getSecurityClient();
        client.setSimple("user1", "password1");
        client.login(); // this is line 173
        try {
            WhoAmI bean = lookupCaller();
            String actual = bean.getCallerPrincipal();
            Assert.assertEquals("anonymous", actual);
        } finally {
            client.logout();
        }
    }

              sguilhen Stefan Guilhen
              dlloyd@redhat.com David Lloyd
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: