Type: Bug
Resolution: Unresolved
Priority: Major
When a Jakarta WebSocket client endpoint is created via the @ClientEndpoint annotation on a type and the security manager is enabled, an AccessControlException is thrown due to missing permissions. The permissions are required to use reflection to create the type.
A snippet from the failure in WildFly:
16:48:46,640 SEVERE [org.jboss.arquillian.protocol.jmx.JMXTestRunner] (pool-12-thread-1) Failed: org.jboss.as.test.integration.web.websocket.WebSocketTestCase.testBeanInjectionInDeployment: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.reflect.ReflectPermission" "suppressAccessChecks")" in code source "(vfs:/content/indeployment.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.indeployment.war" from Service Module Loader")
    at org.wildfly.security.elytron-base@2.8.3.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:309)
    at org.wildfly.security.elytron-base@2.8.3.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:201)
    at java.base/java.lang.reflect.AccessibleObject.checkPermission(AccessibleObject.java:91)
    at java.base/java.lang.reflect.Method.setAccessible(Method.java:193)
    at io.undertow.websocket@2.3.23.Final//io.undertow.websockets.jsr.annotated.BoundMethod.<init>(BoundMethod.java:78)
    at io.undertow.websocket@2.3.23.Final//io.undertow.websockets.jsr.annotated.AnnotatedEndpointFactory.create(AnnotatedEndpointFactory.java:210)
    at io.undertow.websocket@2.3.23.Final//io.undertow.websockets.jsr.ServerWebSocketContainer.addEndpointInternal(ServerWebSocketContainer.java:725)
    at io.undertow.websocket@2.3.23.Final//io.undertow.websockets.jsr.ServerWebSocketContainer.getClientEndpoint(ServerWebSocketContainer.java:807)
    at io.undertow.websocket@2.3.23.Final//io.undertow.websockets.jsr.ServerWebSocketContainer.connectToServer(ServerWebSocketContainer.java:207)
    at deployment.indeployment.war//org.jboss.as.test.integration.web.websocket.WebSocketTestCase.assertWebSocket(WebSocketTestCase.java:105)
    at deployment.indeployment.war//org.jboss.as.test.integration.web.websocket.WebSocketTestCase.testBeanInjectionInDeployment(WebSocketTestCase.java:95)
The io.undertow.websockets.jsr.ServerWebSocketContainer.connectToServer() caches the endpoints in a WeakCopyOnWriteMap. Previously in WildFly, client endpoints were created in a DUP, but that seems like it violates the specification, see WFLY-21528. The instance passed in to the connectToServer() method is itself not cached, but created. When being created, we get the constructor and do the reflective construction within a privileged block for versions that support the use of the security manager.
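The privileged-block pattern described above, applied to the Method.setAccessible() call that fails in the stack trace, as an added example that is not Undertow's or WildFly's code. The class PrivilegedReflection, the helper makeAccessible and the SampleEndpoint type are hypothetical names used only for illustration.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; class and method names are hypothetical, not Undertow's.
public final class PrivilegedReflection {

    /** Stand-in for an annotated client endpoint with a non-public callback. */
    static final class SampleEndpoint {
        private String onMessage(String text) {
            return "echo:" + text;
        }
    }

    /**
     * Makes the method accessible. With a security manager installed, the
     * ReflectPermission("suppressAccessChecks") check inspects every protection
     * domain on the call stack, including the deployment's. doPrivileged stops
     * that walk at this class, so only this class's own permissions (and those
     * of the frames it calls) are checked.
     *
     * Kept package-private on purpose: exposing it publicly would let
     * deployment code borrow the container's permission.
     */
    @SuppressWarnings({"deprecation", "removal"})
    static Method makeAccessible(final Method method) {
        if (System.getSecurityManager() == null) {
            // No security manager: no permission check happens, no privileged block needed.
            method.setAccessible(true);
            return method;
        }
        return AccessController.doPrivileged((PrivilegedAction<Method>) () -> {
            method.setAccessible(true);
            return method;
        });
    }

    public static void main(String[] args) throws Exception {
        // The container resolves the callback from the endpoint class it was handed
        // and keeps the accessible Method to itself.
        Method callback = SampleEndpoint.class.getDeclaredMethod("onMessage", String.class);
        Method bound = makeAccessible(callback);
        System.out.println(bound.invoke(new SampleEndpoint(), "hi"));
    }
}
```

The privileged block should wrap only the setAccessible() call, and the code source containing the helper still has to be granted the permission itself.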
is triggered by: WFLY-21528 Stop scanning for client endpoints in UndertowJSRWebSocketDeploymentProcessor (Resolved)