Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-1266

Incorreclty bypass the SecurityManager and call AccessControl.checkPermission() directly

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 2.0.6.Final
    • 2.0.5.Final
    • Server
    • None
    • Hide

      1. Recompile jboss-modules after removing AllPermission from getAllPermissions.

       Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git branch
 * (HEAD detached at 1.4.4.Final)
    master
 Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git diff src/main/java/org/jboss/modules/ModulesPolicy.java
 diff --git a/src/main/java/org/jboss/modules/ModulesPolicy.java b/src/main/java/org/jboss/modules/ModulesPolicy.java
 index 1b8da50..0db9345 100644
 --- a/src/main/java/org/jboss/modules/ModulesPolicy.java
 +++ b/src/main/java/org/jboss/modules/ModulesPolicy.java
 @@ -39,7 +39,7 @@ final class ModulesPolicy extends Policy {

       private static Permissions getAllPermission() {
           final Permissions permissions = new Permissions();
 -        permissions.add(ALL_PERMISSION);
 +        //permissions.add(ALL_PERMISSION);
           return permissions;
       }

      2. Remove the Throw clauses from WildflySecurityManager

       Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git branch
 * (HEAD detached at 1.0.2.Final)
    master
 Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git diff
 diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
 index 379c61f..11dddff 100644
 --- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
 +++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
 @@ -270,7 +270,7 @@ public final class WildFlySecurityManager extends SecurityManager {
                           } else {
                               access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals));
                           }
 -                        throw access.accessControlException(perm, perm, codeSource, classLoader);
 +                        //throw access.accessControlException(perm, perm, codeSource, classLoader);
                       }
                   }
               } finally {
 @@ -302,7 +302,7 @@ public final class WildFlySecurityManager extends SecurityManager {
                           } else {
                               access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals));
                           }
 -                        throw access.accessControlException(perm, perm, codeSource, classLoader);
 +                        //throw access.accessControlException(perm, perm, codeSource, classLoader);
                       }
                  }
               } finally {
 @@ -1061,7 +1061,7 @@ public final class WildFlySecurityManager extends SecurityManager {
               return;
           }
           access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
 -        throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
 +        //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
       }

       private static void checkEnvPropertyReadPermission(Class<?> clazz, String propertyName) {
 @@ -1082,7 +1082,7 @@ public final class WildFlySecurityManager extends SecurityManager {
               return;
           }
           access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
 -        throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
 +        //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
       }

       private static void checkPropertyWritePermission(Class<?> clazz, String propertyName) {
 @@ -1103,7 +1103,7 @@ public final class WildFlySecurityManager extends SecurityManager {
               return;
           }
           access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
 -        throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
 +        //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
       }

       private static void checkPDPermission(Class<?> clazz, Permission permission) {
 @@ -1120,7 +1120,7 @@ public final class WildFlySecurityManager extends SecurityManager {
               return;
           }
           access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
 -        throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
 +        //throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
       }

       /**

      3. Start Wildfly

      Show
      1. Recompile jboss-modules after removing AllPermission from getAllPermissions. Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git branch * (HEAD detached at 1.4.4.Final) master Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git diff src/main/java/org/jboss/modules/ModulesPolicy.java diff --git a/src/main/java/org/jboss/modules/ModulesPolicy.java b/src/main/java/org/jboss/modules/ModulesPolicy.java index 1b8da50..0db9345 100644 --- a/src/main/java/org/jboss/modules/ModulesPolicy.java +++ b/src/main/java/org/jboss/modules/ModulesPolicy.java @@ -39,7 +39,7 @@ final class ModulesPolicy extends Policy { private static Permissions getAllPermission() { final Permissions permissions = new Permissions(); - permissions.add(ALL_PERMISSION); + //permissions.add(ALL_PERMISSION); return permissions; } 2. Remove the Throw clauses from WildflySecurityManager Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git branch * (HEAD detached at 1.0.2.Final) master Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git diff diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java index 379c61f..11dddff 100644 --- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java +++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java @@ -270,7 +270,7 @@ public final class WildFlySecurityManager extends SecurityManager { } else { access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals)); } - throw access.accessControlException(perm, perm, codeSource, classLoader); + // throw access.accessControlException(perm, perm, codeSource, classLoader); } } } finally { @@ -302,7 +302,7 @@ public final class WildFlySecurityManager extends SecurityManager { } else { access.accessCheckFailed(perm, codeSource, classLoader, Arrays.toString(principals)); } - throw access.accessControlException(perm, perm, codeSource, classLoader); + // throw access.accessControlException(perm, perm, codeSource, classLoader); } } } finally { @@ -1061,7 +1061,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkEnvPropertyReadPermission( Class <?> clazz, String propertyName) { @@ -1082,7 +1082,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkPropertyWritePermission( Class <?> clazz, String propertyName) { @@ -1103,7 +1103,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } private static void checkPDPermission( Class <?> clazz, Permission permission) { @@ -1120,7 +1120,7 @@ public final class WildFlySecurityManager extends SecurityManager { return ; } access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader); - throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); + // throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader); } /** 3. Start Wildfly

    Description

      If we modify jboss-modules to remove the allPermissions by default, then change the WildflySecurityManager to avoid throwing exceptions, we get this error when starting Wildfly:

       org.jboss.msc.service.StartException in service jboss.as: Failed to start service
         at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
         at java.lang.Thread.run(Thread.java:745)
 Caused by: java.security.AccessControlException: access denied ("org.jboss.as.server.security.ServerPermission" "setCurrentServiceContainer")
         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
         at java.security.AccessController.checkPermission(AccessController.java:884)
         at org.jboss.as.server.CurrentServiceContainer.checkPermission(CurrentServiceContainer.java:63)
         at org.jboss.as.server.CurrentServiceContainer.setServiceContainer(CurrentServiceContainer.java:56)
         at org.jboss.as.server.ApplicationServerService.start(ApplicationServerService.java:137)
         at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
         at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
         ... 3 more

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-2543 Incorreclty bypassing the SecurityManager and call AccessControl.checkPermission() directly

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-jshepher Jason Shepherd
              rhn-support-jshepher Jason Shepherd
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: