WildFly: WFLY-13392

WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp

    Details

    • Steps to Reproduce:

      Deploy the war
      Hit: http://localhost:8080/JBEAP-19256/Servlet
      expected:

      This is the Forward Servlet doPost for /forward
      
      remoteHost: 127.0.0.1
      queryString: null
      servletPath: /forward
      getRequestURL: http://localhost:8080/JBEAP-19256/forward
      

      Hit: http://localhost:8080/JBEAP-19256/Servlet?forward=forward.jsp
      expected:

      This is the Forward Servlet doPost for /forward
      

      Enable security manager:

      • in bin/standalone.conf , uncomment SECMGR="true"
      • add to standalone.xml :
                <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
                    <deployment-permissions>
                        <minimum-set>
                            <permission class="java.io.FilePermission" name="${jboss.server.temp.dir}/-" actions="read"/>
                            <permission class="java.util.PropertyPermission" name="*" actions="read"/>
                        </minimum-set>
                        <maximum-set>
                            <permission class="java.security.AllPermission"/>
                        </maximum-set>
                    </deployment-permissions>
                </subsystem>
        

      Hit: http://localhost:8080/JBEAP-19256/Servlet
      expected:

      This is the Forward Servlet doPost for /forward
      
      remoteHost: 127.0.0.1
      queryString: null
      servletPath: /forward
      getRequestURL: http://localhost:8080/JBEAP-19256/forward
      

      Hit: http://localhost:8080/JBEAP-19256/Servlet?forward=forward.jsp
      expected:

      This is the Forward Servlet doPost for /forward
      

      Description

      When the security manager is enabled and a Servlet tries to use the RequestDispatcher to forward to a JSP, the forward fails silently (the only evidence is the DEBUG-level log line below), even when the security manager permission for the VFS directory is granted.

      It looks like the dispatcher lookup may be running under the wrong security context at the point where the security manager check is invoked.

      2020-04-16 14:46:55,390 DEBUG [io.undertow.request] (default task-1) Invalid path forward.jsp: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/jboss/jboss-eap-7.2/standalone/tmp" "read")" in code source "(vfs:/content/JBEAP-19256.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.JBEAP-19256.war" from Service Module Loader")
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:307)
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:204)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
        at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:372)
        at sun.nio.fs.UnixPath.checkRead(UnixPath.java:795)
        at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:49)
        at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
        at java.nio.file.Files.readAttributes(Files.java:1737)
        at java.nio.file.Files.isSymbolicLink(Files.java:2153)
        at io.undertow.server.handlers.resource.PathResourceManager.getSymlinkBase(PathResourceManager.java:309)
        at io.undertow.server.handlers.resource.PathResourceManager.getResource(PathResourceManager.java:218)
        at org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource(ServletResourceManager.java:74)
        at io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:114)
        at io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:32)
        at io.undertow.servlet.handlers.ServletPathMatches.getServletHandlerByPath(ServletPathMatches.java:96)
        at io.undertow.servlet.spec.RequestDispatcherImpl.<init>(RequestDispatcherImpl.java:74)
        at io.undertow.servlet.spec.ServletContextImpl.getRequestDispatcher(ServletContextImpl.java:334)
        at com.redhat.examples.servlet.Servlet.doPost(Servlet.java:51)
        at com.redhat.examples.servlet.Servlet.doGet(Servlet.java:40)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:105)
        at java.security.AccessController.doPrivileged(Native Method)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:102)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
        at java.lang.Thread.run(Thread.java:748)
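One detail worth verifying in any such report is what the failed check actually names. The log line above reports `FilePermission "/home/jboss/jboss-eap-7.2/standalone/tmp" "read"`, i.e. the temp directory itself (the `Files.isSymbolicLink` call in `PathResourceManager.getSymlinkBase`), while the minimum-set grants `${jboss.server.temp.dir}/-`, which in `java.io.FilePermission` semantics covers the files and subdirectories beneath a directory but not the directory itself. The program below is an added example, not code from the issue or from WildFly: it evaluates the configured grant against the checked permission offline, with the temp-dir value assumed from the trace (Unix-style paths) and the class and method names chosen here.

```java
import java.io.FilePermission;
import java.security.Permissions;

/**
 * Added example (not part of the WFLY-13392 report): compares the FilePermission
 * granted in the issue's minimum-set with the permission the trace shows failing.
 * TEMP_DIR is an assumed expansion of ${jboss.server.temp.dir}, copied from the trace.
 */
public class TempDirGrantCheck {

    // Assumed expansion of ${jboss.server.temp.dir} (from the log line in the issue).
    static final String TEMP_DIR = "/home/jboss/jboss-eap-7.2/standalone/tmp";

    /** The grant exactly as the minimum-set in the issue spells it: "<tempdir>/-" read. */
    static Permissions grantAsConfigured(String tempDir) {
        Permissions granted = new Permissions();
        granted.add(new FilePermission(tempDir + "/-", "read"));
        return granted;
    }

    /** The same grant with an additional entry naming the directory itself. */
    static Permissions grantWithDirectory(String tempDir) {
        Permissions granted = grantAsConfigured(tempDir);
        granted.add(new FilePermission(tempDir, "read"));
        return granted;
    }

    /**
     * Mirrors the question SecurityManager.checkRead(path) puts to the policy:
     * is FilePermission(path, "read") implied by what the code source holds?
     */
    static boolean readAllowed(Permissions granted, String path) {
        return granted.implies(new FilePermission(path, "read"));
    }

    public static void main(String[] args) {
        // The permission the trace reports failing: the temp directory itself.
        String checkedPath = TEMP_DIR;
        // A constructed path for a file the application would normally read under it.
        String filePath = TEMP_DIR + "/vfs/deployment/forward.jsp";

        Permissions configured = grantAsConfigured(TEMP_DIR);
        System.out.println("grant '" + TEMP_DIR + "/-' read");
        System.out.println("  implies read of " + filePath + " : " + readAllowed(configured, filePath));
        System.out.println("  implies read of " + checkedPath + " : " + readAllowed(configured, checkedPath));

        Permissions widened = grantWithDirectory(TEMP_DIR);
        System.out.println("grant '" + TEMP_DIR + "/-' read plus '" + TEMP_DIR + "' read");
        System.out.println("  implies read of " + checkedPath + " : " + readAllowed(widened, checkedPath));
    }
}
```

Run it with `javac TempDirGrantCheck.java && java TempDirGrantCheck`; no security manager needs to be installed, since only `Permissions.implies` is evaluated. The recursive grant implies the file beneath the directory but not the directory itself, which is the documented `FilePermission` behaviour for a `/-` name. Whether that, rather than the security context the reporter suspects, explains this particular failure is for the fix to establish; the check is simply a cheap way to rule out a grant that does not cover the path being tested.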
      

Assignee: Lin Gao (gaol)
Reporter: Lin Gao (gaol)