[jboss-dev] Security Dependency Mismatch Was: Where are allowable methods configured?

Andrew Lee Rubinger andrew.rubinger at redhat.com
Wed Jul 1 13:05:59 EDT 2009


Thanks, and I'll touch base again w/ Anil too.

S,
ALR

On 07/01/2009 12:30 PM, Scott Stark wrote:
> I would create a https://jira.jboss.org/jira/browse/SECURITY issue since
> it appears that the older sun jacc api implementation has different
> behavior from the org.jboss.javaee:jboss-jacc-api version and we are not
> testing these in the security project.
>
> Andrew Lee Rubinger wrote:
>> Looks to me like another case of mismatched dependencies.
>>
>> From AS Branch_5_x "build" module:
>> [INFO] [dependency:tree]
>> [INFO] org.jboss.jbossas:jboss-as-build:pom:5.2.0-SNAPSHOT
>> [INFO] \- org.jboss.jbossas:jboss-as-aspects:jar:5.2.0-SNAPSHOT:compile
>> [INFO]    \- org.jboss.aspects:jboss-security-aspects:jar:1.0.0.GA:compile
>> [INFO]       \- javax.security:jacc:jar:1.0:compile
>>
>> However I don't see the jacc JAR anywhere in the distribution (hence
>> not available at runtime):
>>
>> JBOSS_HOME $> find . -name '*jacc*'
>> > Nothing
>>
>> Instead, we've got org.jboss.javaee:jboss-javaee declared by the
>> thirdparty module and placed into $JBOSS_HOME/common/lib. This JAR is
>> incorrectly *not* a dependency of the build module:
>>
>> build $> mvn dependency:tree -Dincludes=org.jboss.javaee:jboss-javaee
>> > Nothing
>>
>> So some fancy excludes on javax.security:jacc and an explicit
>> additional dependency upon org.jboss.javaee:jboss-javaee within
>> Embedded yield an error-free AS boot in the "default" config. :D
>>
>> I'll add this to my list of tasks to revisit when looking at the AS
>> dependency chain.
>>
>> S,
>> ALR
>>
>> On 06/30/2009 06:31 PM, Andrew Lee Rubinger wrote:
>>> Booting Embedded I've got a fun exception informing me that methods
>>> "!GET,POST" are not allowed while creating a WebResourcePermission.
>>> These are the identical parameters passed in while running AS in
>>> Standalone. Where are the allowed HTTP methods configured? Does this
>>> ring any bells to anyone?
>>>
>>> Thx. :)
>>>
>>> 17:25:01,895 ERROR [AbstractKernelController] Error installing to Real:
>>> name=vfsfile:/home/alrubinger/business/jboss/wc/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/server/default/deploy/http-invoker.sar/
>>> state=PreReal mode=Manual requiredState=Real
>>> org.jboss.deployers.spi.DeploymentException: Error deploying:
>>> jboss.jacc:service=jacc,id="vfsfile:/home/alrubinger/business/jboss/wc/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/server/default/deploy/http-invoker.sar/invoker.war/",parent="http-invoker.sar"
>>> at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
>>> at ...
>>> Caused by: java.lang.IllegalArgumentException: Could not create resource
>>> permission with pattern "/restricted/*" and methods: !GET,POST
>>> at org.jboss.web.WebPermissionMapping.createPermissions(WebPermissionMapping.java:229)
>>> at org.jboss.deployment.security.WarJaccPolicy.createPermissions(WarJaccPolicy.java:55)
>>> at org.jboss.deployment.security.WarJaccPolicy.createPermissions(WarJaccPolicy.java:38)
>>> at org.jboss.deployment.security.JaccPolicy.create(JaccPolicy.java:94)
>>> ...
>>> Caused by: java.lang.IllegalArgumentException: illegal HTTP method
>>> at javax.security.jacc.HttpMethodSpec.makeMethodSet(HttpMethodSpec.java:100)
>>> at javax.security.jacc.HttpMethodSpec.getMethodSet(HttpMethodSpec.java:74)
>>> at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:137)
>>> at org.jboss.web.WebPermissionMapping.createPermissions(WebPermissionMapping.java:225)
>>>
>>> S,
>>> ALR
>>
>

-- 
Andrew Lee Rubinger
Sr. Software Engineer
JBoss by Red Hat
http://exitcondition.alrubinger.com
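
Added diagnostic, not part of the original thread and not JBoss code: the exception above came from a JACC API JAR that rejects the "!GET,POST" method list, and a file-name search such as find . -name '*jacc*' cannot show which JAR supplies the class when it is bundled under another name. The class name JaccApiProbe is hypothetical; the class, pattern and method string are the ones in the stack trace.

```java
import java.lang.reflect.InvocationTargetException;
import java.security.CodeSource;

/**
 * Added example (hypothetical class, not JBoss code): reports which JAR supplies
 * the JACC API on the current classpath and whether it accepts "!GET,POST".
 */
public class JaccApiProbe {

    // Values taken from the stack trace quoted in the thread.
    static final String API_CLASS = "javax.security.jacc.WebResourcePermission";
    static final String PATTERN = "/restricted/*";
    static final String METHODS = "!GET,POST";

    /** Returns a one-line verdict; reflection avoids a compile-time JACC dependency. */
    static String probe(ClassLoader loader) {
        final Class<?> api;
        try {
            api = Class.forName(API_CLASS, true, loader);
        } catch (ClassNotFoundException e) {
            return "MISSING: " + API_CLASS + " is not visible to this class loader";
        }
        // A null CodeSource means the class was loaded from the boot class path.
        CodeSource src = api.getProtectionDomain().getCodeSource();
        String origin = (src == null || src.getLocation() == null)
                ? "<bootstrap>" : src.getLocation().toString();
        try {
            api.getConstructor(String.class, String.class).newInstance(PATTERN, METHODS);
            return "OK: " + origin + " accepts methods \"" + METHODS + "\"";
        } catch (InvocationTargetException e) {
            // The constructor itself threw, e.g. IllegalArgumentException: illegal HTTP method.
            return "REJECTED by " + origin + ": " + e.getCause();
        } catch (ReflectiveOperationException e) {
            return "UNEXPECTED API shape in " + origin + ": " + e;
        }
    }

    public static void main(String[] args) {
        String verdict = probe(Thread.currentThread().getContextClassLoader());
        System.out.println(verdict);
        // A non-zero exit lets a build or boot script fail fast on a mismatched API JAR.
        System.exit(verdict.startsWith("OK") ? 0 : 1);
    }
}
```

Run it on the same classpath as the failing boot; a REJECTED line names the JAR whose copy of the API was actually loaded.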


