Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-4805

WildFly Security Manager does not act for javaagents

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a Bug
    • Major
    • None
    • None
    • Security
    • None
    • Hide

      Assuming the OpenSource InspectIt and Linux.
      add to standalone.conf: JAVA_OPTS="$JAVA_OPTS -javaagent:\"/path/to/inspectit-ocelot-agent-0.6.jar\""
      Start Server ./standalone.sh -secmgr

      Show
      Assuming the OpenSource InspectIt and Linux. add to standalone.conf: JAVA_OPTS="$JAVA_OPTS -javaagent:\"/path/to/inspectit-ocelot-agent-0.6.jar\"" Start Server ./standalone.sh -secmgr

    Description

      The WildFly Core Security Manager cares for modules and deployed artifacts. It offers a JavaEE 7 compliant solution to permissions.xml in META-INF of EARs/WARs.

      Unfortunately it does not take care of javaagents, specified in
      https://docs.oracle.com/javase/8/docs/api/java/lang/instrument/package-summary.html

      OpenSource:
      https://inspectit.github.io/inspectit-ocelot/docs/getting-started/quick-start

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "setContextClassLoader")" in code source "(file:/opt/inspectit/inspectit-ocelot-agent-0.6.jar <no signer certificates>)" of "sun.misc.Launcher$AppClassLoader@18b4aac2")
      at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
      at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
      at java.lang.Thread.setContextClassLoader(Thread.java:1474)
      at rocks.inspectit.ocelot.bootstrap.AgentManager.startOrReplaceInspectitCore(AgentManager.java:49)
      at rocks.inspectit.ocelot.agent.AgentMain.startAgent(AgentMain.java:78)
      at rocks.inspectit.ocelot.agent.AgentMain.lambda$premain$0(AgentMain.java:67)
      at java.lang.Thread.run(Thread.java:748)

      The specified JARs need AllPermission Config in the same way as container modules.

      Other Examples for JavaAgents - closed source:
      https://docs.appdynamics.com/display/PRO45/Java+Agent
      https://docs.appdynamics.com/display/PRO45/JBoss+and+Wildfly+Startup+Settings
      https://docs.appdynamics.com/display/PRO45/Java+Security+Manager+Configuration

      Attachments

        Issue Links

          is related to

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) MODULES-393 Make jboss-modules a Java agent and allow other agents to be set as module arguments

          • Critical - To be worked on immediately following BLOCKER issues.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              xf01213 Boris Unckel (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: