WildFly / WFLY-14039

AbstractInvocationHandler.getComponentView is missing JSM AccessController.doPrivileged

Details

      I cannot disclose the application, it's proprietary.


    Description

      The class
      https://github.com/wildfly/wildfly/blob/master/webservices/server-integration/src/main/java/org/jboss/as/webservices/invocation/AbstractInvocationHandler.java
      does a call to getCurrentServiceContainer without an AccessController.doPrivileged, which causes an issue with a CXF Thread. We have a custom WildFly Security Manager, which makes all SecurityExceptions visible with a stack trace, even if the application hides the SecurityException (catch with NOOP, or rethrow without root cause).

      2020-10-07 {17:35:06,553 DEBUG [org.wildfly.security.access] (default task-4) Permission check failed (permission "("org.jboss.as.server.security.ServerPermission" "getCurrentServiceContainer")" in code source "(vfs:/content/sample.ear/lib/sample_security_spring_core-20.1.4.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.sample.ear" from Service Module Loader")
      
      2020-10-07 {17:35:06,553 TRACE [org.wildfly.security.access] (default task-4) Stacktrace of check of Permission ("org.jboss.as.server.security.ServerPermission" "getCurrentServiceContainer") in Domain ProtectionDomain (static) (vfs:/content/sample.ear/lib/sample_security_spring_core-20.1.4.jar <no signer certificates>)
      ModuleClassLoader for Module "deployment.sample.ear" from Service Module Loader
      org.jboss.modules.security.FactoryPermissionCollection@50219131
      Exception is not thrown, analysis only.: java.lang.RuntimeException: Trace-Only-Exception, not thrown.
                  at org.wildfly.security.manager.WildFlySecurityManager.findAccessDenial(WildFlySecurityManager.java:320) [wildfly-elytron-1.6.12.jar:1.6.12]
                  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:408) [wildfly-elytron-1.6.12.jar:1.6.12]
                  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:227) [wildfly-elytron-1.6.12.jar:1.6.12]
                  at org.jboss.as.server.CurrentServiceContainer.checkPermission(CurrentServiceContainer.java:62)
                  at org.jboss.as.server.CurrentServiceContainer.getServiceContainer(CurrentServiceContainer.java:50)
                  at org.jboss.as.webservices.util.ASHelper.getMSCService(ASHelper.java:397)
                  at org.jboss.as.webservices.invocation.AbstractInvocationHandler.getComponentView(AbstractInvocationHandler.java:84)
                  at org.jboss.as.webservices.invocation.AbstractInvocationHandler.invokeInternal(AbstractInvocationHandler.java:130)
                  at org.jboss.as.webservices.invocation.AbstractInvocationHandler.lambda$invoke$0(AbstractInvocationHandler.java:116)
                  at org.jboss.as.webservices.security.SecurityDomainContextImpl.runAs(SecurityDomainContextImpl.java:124)
                  at org.jboss.as.webservices.invocation.AbstractInvocationHandler.invoke(AbstractInvocationHandler.java:115)
                  at org.jboss.wsf.stack.cxf.JBossWSInvoker.performInvocation(JBossWSInvoker.java:170)
                  at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
                  at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:232)
                  at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:85)
                  at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:146)
                  at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
                  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [rt.jar:1.8.0_202]
                  at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_202]
                  at org.apache.cxf.interceptor.ServiceInvokerInterceptor$2.run(ServiceInvokerInterceptor.java:126)
                  at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
                  at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:131)
                  at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
                  at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
                  at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
                  at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:110)
                  at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
                  at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
                  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
                  at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:706) [jboss-servlet-api_4.0_spec-1.0.0.Final.jar:1.0.0.Final]
                  at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
                  at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-3.2.3.Final.jar:3.2.3.Final]
                  at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) [jboss-servlet-api_4.0_spec-1.0.0.Final.jar:1.0.0.Final]
                  at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) [undertow-servlet-2.0.32.jar:2.0.32]
                  at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208) [spring-security-web-4.2.16.RELEASE.jar:4.2.16.RELEASE]
                  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-4.2.16.RELEASE.jar:4.2.16.RELEASE]
                  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) [spring-web-4.3.27.RELEASE.jar:4.3.27.RELEASE]
                  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) [spring-web-4.3.27.RELEASE.jar:4.3.27.RELEASE]
                  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.32.jar:2.0.32]
                  at net.unckel.sample.server.filter.GWTCacheControlFilter.doFilter(GWTCacheControlFilter.java:97) [classes:]
                  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.32.jar:2.0.32]
                  at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197) [spring-web-4.3.27.RELEASE.jar:4.3.27.RELEASE]
      
                  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.27.RELEASE.jar:4.3.27.RELEASE]
                  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.32.jar:2.0.32]
                  at net.unckel.sample.filter.LoggingFilter.doFilter(LoggingFilter.java:101) [cid_security_spring_core-20.1.4.jar:20.1.4]
                  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.opentracing.contrib.jaxrs2.server.SpanFinishingFilter.doFilter(SpanFinishingFilter.java:52)
                  at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-2.0.32.jar:2.0.32]
                  at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.32.jar:2.0.32]
                  at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [undertow-core-2.0.32.jar:2.0.32]
                  at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-2.0.32.jar:2.0.32]
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.32.jar:2.0.32]
                  at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.32.jar:2.0.32]
                  at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.0.32.jar:2.0.32]
                  at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
                  at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
                  at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
                  at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
                  at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
                  at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:105) [undertow-servlet-2.0.32.jar:2.0.32]
                  at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_202]
                  at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:102) [undertow-servlet-2.0.32.jar:2.0.32]
                  at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376) [undertow-core-2.0.32.jar:2.0.32]
                  at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) [undertow-core-2.0.32.jar:2.0.32]
                  at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
                  at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
                  at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
                  at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
                  at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_202]
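
A triage aid for traces like the one above, added here as an example (it is not WildFly code and not from the reporter). A Java access check walks the stack only up to the caller of the nearest `AccessController.doPrivileged` frame, so the script reports which frames inside that window were loaded from the denied code source. The sample input is constructed and the `com.example.*` classes are hypothetical.

```python
import re

# Constructed sample in the shape of the WildFlySecurityManager trace above;
# the com.example.* frames are hypothetical deployment classes.
SAMPLE = """\
DEBUG [org.wildfly.security.access] (default task-4) Permission check failed (permission "("org.jboss.as.server.security.ServerPermission" "getCurrentServiceContainer")" in code source "(vfs:/content/sample.ear/lib/sample_security_spring_core-20.1.4.jar <no signer certificates>)"
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:227) [wildfly-elytron-1.6.12.jar:1.6.12]
    at org.jboss.as.server.CurrentServiceContainer.getServiceContainer(CurrentServiceContainer.java:50)
    at org.jboss.as.webservices.invocation.AbstractInvocationHandler.getComponentView(AbstractInvocationHandler.java:84)
    at com.example.sample.LoggingFilter.doFilter(LoggingFilter.java:101) [sample_security_spring_core-20.1.4.jar:20.1.4]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_202]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:102) [undertow-servlet-2.0.32.jar:2.0.32]
    at com.example.sample.StartupHook.run(StartupHook.java:12) [sample_security_spring_core-20.1.4.jar:20.1.4]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_202]
"""

DENIAL = re.compile(r'Permission check failed \(permission "\("([^"]+)" "([^"]+)"\)"'
                    r' in code source "\((\S+)')
FRAME = re.compile(r'^\s*at ([\w.$]+)\.([\w$<>]+)\([^)]*\)(?: \[([^:\]]*):[^\]]*\])?')


def analyze(text):
    """Return the denied permission, the doPrivileged boundary and the frames
    inside the checked context that were loaded from the denied code source."""
    m = DENIAL.search(text)
    if not m:
        raise ValueError("no 'Permission check failed' line found")
    denied_jar = m.group(3).rsplit("/", 1)[-1]
    frames = [f.groups() for f in map(FRAME.match, text.splitlines()) if f]
    # The stack walk ends at the caller of the nearest doPrivileged frame.
    boundary = next((i for i, (cls, meth, _) in enumerate(frames)
                     if (cls, meth) == ("java.security.AccessController", "doPrivileged")), None)
    checked = frames if boundary is None else frames[:boundary + 2]
    offenders = [f"{cls}.{meth}" for cls, meth, jar in checked if jar == denied_jar]
    return {"permission": m.group(1), "name": m.group(2), "denied_jar": denied_jar,
            "boundary": boundary, "checked_frames": len(checked), "offenders": offenders}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Frames matching the denied JAR that sit below the `doPrivileged` boundary are not reported, because the access check never reaches them.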
      

            People

              xf01213 Boris Unckel (Inactive)