Loading...

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.0.6.Final
Affects Version/s: 2.0.5.Final
Component/s: Server
Labels:
None

Steps to Reproduce:
Hide

1. Recompile jboss-modules after removing AllPermission from getAllPermissions.

Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git branch * (HEAD detached at 1.4.4.Final) master Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git diff src/main/java/org/jboss/modules/ModulesPolicy.java diff --git a/src/main/java/org/jboss/modules/ModulesPolicy.java b/src/main/java/org/jboss/modules/ModulesPolicy.java index 1b8da50..0db9345 100644 --- a/src/main/java/org/jboss/modules/ModulesPolicy.java +++ b/src/main/java/org/jboss/modules/ModulesPolicy.java @@ -39,7 +39,7 @@ final class ModulesPolicy extends Policy { private static Permissions getAllPermission() { final Permissions permissions = new Permissions(); - permissions.add(ALL_PERMISSION); + //permissions.add(ALL_PERMISSION); return permissions; }

2. Remove the Throw clauses from WildflySecurityManager

Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git branch * (HEAD detached at 1.0.2.Final) master Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git diff diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java index 379c61f..11dddff 100644 --- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java +++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java @@ -270,7 +270,7 @@ public final class WildFlySecurityManager extends SecurityManager { } else { access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals)); } - throw access.accessControlException(perm, perm, codeSource, classLoader); + //throw access.accessControlException(perm, perm, codeSource, classLoader); } } } finally { @@ -302,7 +302,7 @@ public final class WildFlySecurityManager extends SecurityManager { } else { access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals)); } - throw access.accessControlException(perm, perm, codeSource, classLoader); + //throw access.accessControlException(perm, perm, codeSource, classLoader); } } } finally { @@ -1061,7 +1061,7 @@ public final class WildFlySecurityManager extends SecurityManager { return; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkEnvPropertyReadPermission(Class<?> clazz, String propertyName) { @@ -1082,7 +1082,7 @@ public final class WildFlySecurityManager extends SecurityManager { return; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkPropertyWritePermission(Class<?> clazz, String propertyName) { @@ -1103,7 +1103,7 @@ public final class WildFlySecurityManager extends SecurityManager { return; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkPDPermission(Class<?> clazz, Permission permission) { @@ -1120,7 +1120,7 @@ public final class WildFlySecurityManager extends SecurityManager { return; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } /**

3. Start Wildfly
Show
1. Recompile jboss-modules after removing AllPermission from getAllPermissions. Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git branch * (HEAD detached at 1.4.4.Final) master Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git diff src/main/java/org/jboss/modules/ModulesPolicy.java diff --git a/src/main/java/org/jboss/modules/ModulesPolicy.java b/src/main/java/org/jboss/modules/ModulesPolicy.java index 1b8da50..0db9345 100644 --- a/src/main/java/org/jboss/modules/ModulesPolicy.java +++ b/src/main/java/org/jboss/modules/ModulesPolicy.java @@ -39,7 +39,7 @@ final class ModulesPolicy extends Policy { private static Permissions getAllPermission() { final Permissions permissions = new Permissions(); - permissions.add(ALL_PERMISSION); + //permissions.add(ALL_PERMISSION); return permissions; } 2. Remove the Throw clauses from WildflySecurityManager Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git branch * (HEAD detached at 1.0.2.Final) master Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git diff diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java index 379c61f..11dddff 100644 --- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java +++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java @@ -270,7 +270,7 @@ public final class WildFlySecurityManager extends SecurityManager { } else { access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals)); } - throw access.accessControlException(perm, perm, codeSource, classLoader); + // throw access.accessControlException(perm, perm, codeSource, classLoader); } } } finally { @@ -302,7 +302,7 @@ public final class WildFlySecurityManager extends SecurityManager { } else { access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals)); } - throw access.accessControlException(perm, perm, codeSource, classLoader); + // throw access.accessControlException(perm, perm, codeSource, classLoader); } } } finally { @@ -1061,7 +1061,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkEnvPropertyReadPermission( Class <?> clazz, String propertyName) { @@ -1082,7 +1082,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkPropertyWritePermission( Class <?> clazz, String propertyName) { @@ -1103,7 +1103,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkPDPermission( Class <?> clazz, Permission permission) { @@ -1120,7 +1120,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } /** 3. Start Wildfly
Git Pull Request:
https://github.com/wildfly/wildfly-core/pull/1340

If we modify jboss-modules to remove the allPermissions by default, then change the WildflySecurityManager to avoid throwing exceptions, we get this error when starting Wildfly:

 org.jboss.msc.service.StartException in service jboss.as: Failed to start service
         at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
         at java.lang.Thread.run(Thread.java:745)
 Caused by: java.security.AccessControlException: access denied ("org.jboss.as.server.security.ServerPermission" "setCurrentServiceContainer")
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
         at java.security.AccessController.checkPermission(AccessController.java:884)
         at org.jboss.as.server.CurrentServiceContainer.checkPermission(CurrentServiceContainer.java:63)
         at org.jboss.as.server.CurrentServiceContainer.setServiceContainer(CurrentServiceContainer.java:56)
         at org.jboss.as.server.ApplicationServerService.start(ApplicationServerService.java:137)
         at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
         at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
         ... 3 more

blocks

JBEAP-2543 Incorreclty bypassing the SecurityManager and call AccessControl.checkPermission() directly

Closed

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates