Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-4882

Security manager's maximum-permissions setting doesn't work

    XMLWordPrintable

Details

    Description

      Configuration of maximum-permissions attribute in /subsystem=security-manager/deployment-permissions=default doesn't work so the permissions for deployments can't be restricted.
      (The "policy of the product installation" in the words of EE specification is not enforced).

      If administrator specifies maximum-permissions in server configuration and also permissions.xml in the deployment, all permissions from the permissions.xml are granted even if the policies are in conflict.

      The maximum-permissions configuration has following meaning:
      A set containing the maximum permission scope that can be granted to deployments or jars

      The Java EE 7 platform specification (JSR 342) says in section EE.6.2.2.1:
      If security permissions are declared that conflict with the policy of the product installation, the Java EE product must fail deployment of the application module.

      Expected behavior:

      • based on EE spec the deployment should fail
      • deployed application should not get more permissions than specified in the maximum-permissions

      Attachments

        Issue Links

          Activity

            People

              sguilhen Stefan Guilhen
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: