Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-12526

doPrivileged needed for isUserInRole

    Details

      Description

      Currently experiencing the following error: -

      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "org.jboss.security.plugins.ClassLoaderLocatorFactory.get")" in code source "(vfs:/content/mydeployment.war/ <no signer certificates>)" of "org.apache.jasper.servlet.JasperLoader@24d700ba")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294) [wildfly-elytron-security-manager-1.10.0.Final.jar:1.10.0.Final]
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191) [wildfly-elytron-security-manager-1.10.0.Final.jar:1.10.0.Final]
      	at org.jboss.security.plugins.ClassLoaderLocatorFactory.get(ClassLoaderLocatorFactory.java:51) [picketbox-5.0.3.Final.jar:5.0.3.Final]
      	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.initializeModules(JBossAuthorizationContext.java:187) [picketbox-5.0.3.Final.jar:5.0.3.Final]
      	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:141) [picketbox-5.0.3.Final.jar:5.0.3.Final]
      	at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:438) [picketbox-5.0.3.Final.jar:5.0.3.Final]
      	at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115) [picketbox-5.0.3.Final.jar:5.0.3.Final]
      	at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasRole(WebAuthorizationHelper.java:201) [picketbox-5.0.3.Final.jar:5.0.3.Final]
      	at org.wildfly.extension.undertow.security.JbossAuthorizationManager.isUserInRole(JbossAuthorizationManager.java:99)
      	at io.undertow.servlet.spec.HttpServletRequestImpl.isUserInRole(HttpServletRequestImpl.java:337) [undertow-servlet-2.0.26.Final.jar:2.0.26.Final]
      	at org.apache.jsp.secured_jsp._jspService(secured_jsp.java:109)
      	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jastow-2.0.7.Final.jar:2.0.7.Final]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:590) [jboss-servlet-api_4.0_spec-2.0.0.CR2.jar:2.0.0.CR2]
      	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433) [jastow-2.0.7.Final.jar:2.0.7.Final]
      	... 51 more
      

      The reason I believe this requires a doPrivileged is the permission required is entirely internal to our implementation of isUserInRole - whilst the deployment can trigger this call the deployment can not influence how this is implemented so the deployment's ProtectionDomain should not require the permissions needed for our internal class loading so a doPrivileged call will drop the deployment's ProtectionDomain from the stack.

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                dlofthouse Darran Lofthouse
                Reporter:
                dlofthouse Darran Lofthouse
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: