Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8648

HttpSession.invalidate() requires additional permissions if Security Manager is enabled

    Details

      Description

      If Security Manager is enforced and a Servlet invokes request.getSession(false).invalidate(), it fails due to insufficient permissions as follows:

      15:04:55,001 ERROR [io.undertow.request] (default task-4) UT005023: Exception handling request to /form-auth/Logout: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "io.undertow.servlet.GET_CURRENT_REQUEST")" in code source "(vfs:/content/form-auth.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.form-auth.war" from Service Module Loader")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
      	at io.undertow.servlet.handlers.ServletRequestContext.current(ServletRequestContext.java:92)
      	at org.wildfly.extension.undertow.deployment.LogoutSessionListener.sessionDestroyed(LogoutSessionListener.java:66)
      	at io.undertow.servlet.core.ApplicationListeners.sessionDestroyed(ApplicationListeners.java:315)
      	at io.undertow.servlet.core.SessionListenerBridge.doDestroy(SessionListenerBridge.java:98)
      	at io.undertow.servlet.core.SessionListenerBridge.sessionDestroyed(SessionListenerBridge.java:78)
      	at io.undertow.server.session.SessionListeners.sessionDestroyed(SessionListeners.java:61)
      	at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:551)
      	at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529)
      	at io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198)
      	at org.jboss.as.test.integration.web.formauth.LogoutServlet.processRequest(LogoutServlet.java:45)
      	at org.jboss.as.test.integration.web.formauth.LogoutServlet.doGet(LogoutServlet.java:51)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
      

      The io.undertow.servlet.spec.HttpSessionImpl.invalidate() method requires RuntimePermission("io.undertow.servlet.GET_CURRENT_REQUEST") and also RuntimePermission("io.undertow.servlet.spec.UNWRAP_HTTP_SESSION"), see
      https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/deployment/LogoutSessionListener.java#L66
      https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/deployment/LogoutSessionListener.java#L81

      From the stacktrace above, I would opt for adding a privileged block into io.undertow.servlet.core.SessionListenerBridge#doDestroy(Session) as that's a private method. That's the reason why I filed Undertow issue for this.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  swd847 Stuart Douglas
                  Reporter:
                  istudens Ivo Studensky
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: