Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-4882

Security manager's maximum-permissions setting doesn't work

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 11.0.0.Alpha1
    • 10.0.0.Alpha4, 10.0.0.Alpha6
    • Security Manager
    • None

    Description

      Configuration of maximum-permissions attribute in /subsystem=security-manager/deployment-permissions=default doesn't work so the permissions for deployments can't be restricted.
      (The "policy of the product installation" in the words of EE specification is not enforced).

      If administrator specifies maximum-permissions in server configuration and also permissions.xml in the deployment, all permissions from the permissions.xml are granted even if the policies are in conflict.

      The maximum-permissions configuration has following meaning:
      A set containing the maximum permission scope that can be granted to deployments or jars

      The Java EE 7 platform specification (JSR 342) says in section EE.6.2.2.1:
      If security permissions are declared that conflict with the policy of the product installation, the Java EE product must fail deployment of the application module.

      Expected behavior:

      • based on EE spec the deployment should fail
      • deployed application should not get more permissions than specified in the maximum-permissions

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. WFLY-7680 Reenable regression tests in MaximumPermissionsTestCase

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-408 Security manager's maximum-permissions setting doesn't work

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              sguilhen Stefan Guilhen
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: