[wildfly-dev] Permissions in WildFly Core

Brian Stansberry brian.stansberry at redhat.com
Wed Aug 26 09:56:44 EDT 2015 

On 8/26/15 8:49 AM, Brian Stansberry wrote:
> Just some data, as I know distribution size is a significant factor in
> deciding what goes into WildFly Core:
>
> The org.wildfly.extension.security.manager module itself is 45KB
> unzipped, so not much of a concern.
>
> However, it depends on org.jboss.metadata.common, which is 475KB and
> isn't itself present in WildFly Core.

The requirement for org.jboss.metadata.common looks pretty simple to 
eliminate. It's just using a bit of what looks like easily duplicated 
utility code.

>
> All its other deps are present in WildFly Core.
>
> On 8/26/15 7:38 AM, Josef Cacek wrote:
>> Hi *,
>>
>> Is there a way how to configure Java security permissions in WildFly Core?
>> If not, is there any reason why not to move the wildfly-security-manager from WildFly into WildFly Core?
>>
>> I'm investigating failing tests in WildFly Core testsuite ([1],[2]) when security manager is enabled.
>>
>> The problem is, security manager is in place and I'm not able to define permissions for deployments
>> - using policy file (configured by java.security.policy system property) doesn't work for me;
>> - putting META-INF/permissions.xml into deployments doesn't help because PermissionsParseProcessor deployment processor is part of wildfly-security-manager (i.e. not in Core) and it is only activated when security-manager subsystem is present.
>>
>> So the tests fail because of AccessControlExceptions on the server side.
>>
>> Any thoughts?
>>
>> As a workaround we can run the Core testsuite against full WildFly and use either in-deployment permissions.xml or configure permissions in subsystem [3] - but both ways have some disadvantages.
>> We either have to put "unnecessary" permissions.xml in WFCORE deployments or we have to use too wide minimum-permissions in security-manager subsystem configuration.
>>
>> [1] https://issues.jboss.org/browse/WFCORE-846
>> [2] https://issues.jboss.org/browse/JBEAP-526
>> [3] /subsystem=security-manager/deployment-permissions=default:write-attribute(name=minimum-permissions, value=[{class=java.security.AllPermission}])")
>>
>> Thanks,
>>
>> -- Josef Cacek
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>
>
>


-- 
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat

More information about the wildfly-dev mailing list