WildFly / WFLY-4882

Security manager's maximum-permissions setting doesn't work


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version: 11.0.0.Alpha1
    • Affects Versions: 10.0.0.Alpha4, 10.0.0.Alpha6
    • Component: Security Manager
    • Labels: None

      Configuration of the maximum-permissions attribute in /subsystem=security-manager/deployment-permissions=default doesn't work, so the permissions for deployments can't be restricted.
      (The "policy of the product installation", in the words of the EE specification, is not enforced.)

      If an administrator specifies maximum-permissions in the server configuration and also permissions.xml in the deployment, all permissions from the permissions.xml are granted even if the policies are in conflict.

      The maximum-permissions configuration has the following meaning:
      A set containing the maximum permission scope that can be granted to deployments or jars

      The Java EE 7 platform specification (JSR 342) says in section EE.
      If security permissions are declared that conflict with the policy of the product installation, the Java EE product must fail deployment of the application module.

      Expected behavior:

      • based on the EE spec, the deployment should fail
      • a deployed application should not get more permissions than specified in the maximum-permissions

            Assignee: Stefan Guilhen (sguilhen)
            Reporter: Josef Cacek (Inactive) (josef.cacek@gmail.com)
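The check the report expects can be sketched with the standard java.security API. This is an added example, not WildFly's code and not part of the original report; the class name, the findConflicts method and the sample permissions are constructed for illustration and stand in for the server's maximum-permissions setting and a deployment's permissions.xml.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

public class MaximumPermissionsCheck {

    /** Returns the requested permissions that the maximum set does not imply. */
    static List<Permission> findConflicts(Permissions maximumSet, List<Permission> requested) {
        List<Permission> conflicts = new ArrayList<>();
        for (Permission p : requested) {
            // Permissions.implies() applies each permission class's own matching
            // rules (wildcard names, action lists, recursive file paths).
            if (!maximumSet.implies(p)) {
                conflicts.add(p);
            }
        }
        return conflicts;
    }

    public static void main(String[] args) {
        // Constructed stand-in for the server's maximum-permissions setting.
        Permissions maximumSet = new Permissions();
        maximumSet.add(new PropertyPermission("*", "read"));
        maximumSet.add(new FilePermission("/opt/app/data/-", "read"));

        // Constructed stand-in for permissions parsed from a deployment's permissions.xml.
        List<Permission> requested = List.of(
            new PropertyPermission("java.home", "read"),           // within the maximum set
            new PropertyPermission("user.dir", "read,write"),      // "write" exceeds it
            new FilePermission("/opt/app/data/report.txt", "read"), // within the maximum set
            new FilePermission("/opt/other/config.txt", "read"));   // path outside it

        List<Permission> conflicts = findConflicts(maximumSet, requested);
        if (conflicts.isEmpty()) {
            System.out.println("Deployment accepted");
        } else {
            // Both expectations from the report: the deployment is refused,
            // so nothing beyond the maximum set is ever granted.
            System.out.println("Deployment must fail; not covered by maximum-permissions:");
            conflicts.forEach(p -> System.out.println("  " + p));
        }
    }
}
```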