  1. WildFly
  2. WFLY-12455

Update permission names in tests to fix failures that occur with the security manager enabled after the JBoss Jakarta JACC and JASPI upgrades


Details

    Description

      The upgrades to JBoss Jakarta JACC 2.0.0.CR1 and JBoss Jakarta JASPI fork 2.0.0.CR1 are causing the following test failures with the security manager enabled:

      PolicyContextTestCase.testHttpServletRequestFromPolicyContext

      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "setPolicy")" in code source "(vfs:/content/ear-jacc-context.ear/ear-jacc-context.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.ear-jacc-context.ear.ear-jacc-context.jar" from Service Module Loader")
       at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
       at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
       at javax.security.jacc.PolicyContext.checkSetPolicyPermission(PolicyContext.java:237)
       at javax.security.jacc.PolicyContext.getContext(PolicyContext.java:226)
      

      AuthenticationPolicyContextTestCase.test

      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "setPolicy")" in code source "(vfs:/content/picketlink-sts-ws.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.picketlink-sts-ws.war" from Service Module Loader")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
      	at javax.security.jacc.PolicyContext.checkSetPolicyPermission(PolicyContext.java:237)
      	at javax.security.jacc.PolicyContext.getContext(PolicyContext.java:226)
      

      The above two failures are occurring because PolicyContext.getContext now checks for the "setPolicy" permission instead of the "getPolicy" permission:

      PolicyContext.getContext before JACC upgrade:
      https://github.com/jboss/jboss-jacc-api_spec/blob/master/src/main/java/javax/security/jacc/PolicyContext.java#L93

      PolicyContext.getContext after JACC upgrade:
      https://github.com/jboss/jboss-jakarta-jacc-api_spec/blob/6b5f2641b115239df97b10ad95b4972ac62d01e3/api/src/main/java/javax/security/jacc/PolicyContext.java#L226

      DynamicJaspiTestCase.testCalls

      09:18:43,183 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /ConfiguredJaspiTestCase/: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "getProperty.authconfigprovider.factory")" in code source "(vfs:/content/ConfiguredJaspiTestCase.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.ConfiguredJaspiTestCase.war" from Service Module Loader")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
      	at javax.security.auth.message.config.AuthConfigFactory.checkPermission(AuthConfigFactory.java:166)
      	at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:201)
      	at org.wildfly.security.auth.jaspi.JaspiConfigurationBuilder.register(JaspiConfigurationBuilder.java:106)
      

      The above failure occurs because AuthConfigFactory.getFactory now checks for the "getProperty.authconfigprovider.factory" permission instead of the "getFactory" permission:

      AuthConfigFactory.getFactory before JASPI upgrade:
      https://github.com/jboss/jboss-jaspi-api_spec/blob/jboss-jaspi-api_1.1_spec-1.0.2.Final/src/main/java/javax/security/auth/message/config/AuthConfigFactory.java#L205

      AuthConfigFactory.getFactory after JASPI upgrade:
      https://github.com/jboss/jboss-jakarta-jaspi-api_spec/blob/3e290bd05a6518015f6f2e4ab6defe6a5e07fc29/api/src/main/java/javax/security/auth/message/config/AuthConfigFactory.java#L201
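
      To see which test deployment needs which renamed permission, the WFSM000001 messages above can be parsed and rendered as a per-deployment `META-INF/permissions.xml`. This is an added example, not code from the WildFly test suite; the function names are hypothetical, and the sample lines are the three messages quoted in this issue with the stack frames dropped.

```python
import re
from collections import defaultdict
from xml.sax.saxutils import escape

# The three WFSM000001 messages quoted in this issue (stack frames dropped).
SAMPLE_LOG = '''\
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "setPolicy")" in code source "(vfs:/content/ear-jacc-context.ear/ear-jacc-context.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.ear-jacc-context.ear.ear-jacc-context.jar" from Service Module Loader")
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "setPolicy")" in code source "(vfs:/content/picketlink-sts-ws.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.picketlink-sts-ws.war" from Service Module Loader")
java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "getProperty.authconfigprovider.factory")" in code source "(vfs:/content/ConfiguredJaspiTestCase.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.ConfiguredJaspiTestCase.war" from Service Module Loader")
'''

# Permission.toString() prints ("class" "name") or ("class" "name" "actions").
WFSM = re.compile(
    r'WFSM000001: Permission check failed \(permission "\("(?P<cls>[^"]+)" '
    r'"(?P<name>[^"]*)"(?: "(?P<actions>[^"]*)")?\)" in code source "\((?P<source>\S+) '
)

def denied_permissions(log_text):
    """Map each code source to the set of (class, name, actions) it was denied."""
    denied = defaultdict(set)
    for m in WFSM.finditer(log_text):
        denied[m["source"]].add((m["cls"], m["name"], m["actions"]))
    return dict(denied)

def permissions_xml(perms):
    """Render a set of denied permissions as a Java EE 7 permissions.xml."""
    out = ['<permissions xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="7">']
    for cls, name, actions in sorted(perms, key=lambda p: (p[0], p[1], p[2] or "")):
        out.append("  <permission>")
        out.append(f"    <class-name>{escape(cls)}</class-name>")
        out.append(f"    <name>{escape(name)}</name>")
        if actions:  # SecurityPermission has none; FilePermission etc. do
            out.append(f"    <actions>{escape(actions)}</actions>")
        out.append("  </permission>")
    out.append("</permissions>")
    return "\n".join(out)

if __name__ == "__main__":
    # One permissions.xml per deployment keeps each grant scoped to the
    # code source that was actually denied.
    for source, perms in sorted(denied_permissions(SAMPLE_LOG).items()):
        print(f"<!-- {source} -->")
        print(permissions_xml(perms))
```

      Review each generated grant before adding it to a deployment: "setPolicy" is a broader permission than the "getPolicy" it replaces here.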

          People

            fjuma1@redhat.com Farah Juma