Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7474

AccessControlException in OpenSSL initialization

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 11.0.0.Alpha1
    • None
    • Web (Undertow)
    • None
    • Hide
      # Start server with security manager and check console for ERRORs
      bin/standalone.sh -secmgr | grep ERROR
      
      Show
      # Start server with security manager and check console for ERRORs bin/standalone.sh -secmgr | grep ERROR

      Issue description
      When starting server with security manager (i.e. with -secmgr argument), then OpenSSL initialization fails with

      java.lang.reflect.InvocationTargetException
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at org.wildfly.openssl.SSL.init(SSL.java:73)
      	at org.wildfly.openssl.SSL.getInstance(SSL.java:49)
      	at org.wildfly.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:59)
      	at java.lang.Class.forName0(Native Method)
      	at java.lang.Class.forName(Class.java:348)
      	at io.undertow.protocols.alpn.OpenSSLAlpnProvider$1.run(OpenSSLAlpnProvider.java:47)
      	at io.undertow.protocols.alpn.OpenSSLAlpnProvider$1.run(OpenSSLAlpnProvider.java:43)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at io.undertow.protocols.alpn.OpenSSLAlpnProvider.<clinit>(OpenSSLAlpnProvider.java:43)
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
      	at java.lang.Class.newInstance(Class.java:442)
      	at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
      	at java.util.ServiceLoader$LazyIterator.access$700(ServiceLoader.java:323)
      	at java.util.ServiceLoader$LazyIterator$2.run(ServiceLoader.java:407)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:409)
      	at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
      	at io.undertow.protocols.alpn.ALPNManager.<init>(ALPNManager.java:40)
      	at io.undertow.protocols.alpn.ALPNManager.<clinit>(ALPNManager.java:35)
      	at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:64)
      	at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:83)
      	at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:75)
      	at org.wildfly.extension.undertow.HttpsListenerService.createAlpnOpenListener(HttpsListenerService.java:101)
      	at org.wildfly.extension.undertow.HttpsListenerService.createOpenListener(HttpsListenerService.java:86)
      	at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:158)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1963)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1896)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "loadLibrary.wfssl")" in code source "(null <no signer certificates>)" of "org.wildfly.openssl.SSL$LibraryClassLoader@37072772")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
      	at java.lang.SecurityManager.checkLink(SecurityManager.java:835)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkLink(WildFlySecurityManager.java:338)
      	at java.lang.Runtime.loadLibrary0(Runtime.java:864)
      	at java.lang.System.loadLibrary(System.java:1122)
      	at org.wildfly.openssl.SSL$LibraryLoader.load(SSL.java:180)
      	... 37 more
      

      There could be a wrong class-loader used or doPrivileged() block missing, so the initializing code doesn't get the AllPermission (which is assigned to server modules).

      Suggested improvement

      • check and fix OpenSSL initialization, so it gets correct permissions

              sdouglas1@redhat.com Stuart Douglas (Inactive)
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: