[wildfly-dev] Permissions in WildFly Core

Thu Aug 27 09:31:03 EDT 2015

The security manager subsystem should definitely be in core.  It only 
has a casual association with Java EE 7 and there's really no practical 
way to run under a security manager without it.

On 08/27/2015 06:08 AM, Jason T. Greene wrote:
> That might actually be ok, since we aren't talking about a Java API, and
> there are no reps on other specs. However I agree that is wierd.
> Alternatively we could add different format/schema but I suspect it
> would look just like permissions.xml.
>
> On Aug 26, 2015, at 9:00 AM, Tomaž Cerar <tomaz.cerar at gmail.com
> <mailto:tomaz.cerar at gmail.com>> wrote:
>
>> Also AFAIR, security manager subsystem implements EE7 security
>> manager(permissions.xml) support.
>> and as such doesn't belong to core.
>>
>> On Wed, Aug 26, 2015 at 3:56 PM, Brian Stansberry
>> <brian.stansberry at redhat.com <mailto:brian.stansberry at redhat.com>> wrote:
>>
>>     On 8/26/15 8:49 AM, Brian Stansberry wrote:
>>     > Just some data, as I know distribution size is a significant factor in
>>     > deciding what goes into WildFly Core:
>>     >
>>     > The org.wildfly.extension.security.manager module itself is 45KB
>>     > unzipped, so not much of a concern.
>>     >
>>     > However, it depends on org.jboss.metadata.common, which is 475KB and
>>     > isn't itself present in WildFly Core.
>>
>>     The requirement for org.jboss.metadata.common looks pretty simple to
>>     eliminate. It's just using a bit of what looks like easily duplicated
>>     utility code.
>>
>>     >
>>     > All its other deps are present in WildFly Core.
>>     >
>>     > On 8/26/15 7:38 AM, Josef Cacek wrote:
>>     >> Hi *,
>>     >>
>>     >> Is there a way how to configure Java security permissions in WildFly Core?
>>     >> If not, is there any reason why not to move the wildfly-security-manager from WildFly into WildFly Core?
>>     >>
>>     >> I'm investigating failing tests in WildFly Core testsuite ([1],[2]) when security manager is enabled.
>>     >>
>>     >> The problem is, security manager is in place and I'm not able to define permissions for deployments
>>     >> - using policy file (configured by java.security.policy system property) doesn't work for me;
>>     >> - putting META-INF/permissions.xml into deployments doesn't help because PermissionsParseProcessor deployment processor is part of wildfly-security-manager (i.e. not in Core) and it is only activated when security-manager subsystem is present.
>>     >>
>>     >> So the tests fail because of AccessControlExceptions on the server side.
>>     >>
>>     >> Any thoughts?
>>     >>
>>     >> As a workaround we can run the Core testsuite against full WildFly and use either in-deployment permissions.xml or configure permissions in subsystem [3] - but both ways have some disadvantages.
>>     >> We either have to put "unnecessary" permissions.xml in WFCORE deployments or we have to use too wide minimum-permissions in security-manager subsystem configuration.
>>     >>
>>     >> [1]https://issues.jboss.org/browse/WFCORE-846
>>     >> [2]https://issues.jboss.org/browse/JBEAP-526
>>     >> [3] /subsystem=security-manager/deployment-permissions=default:write-attribute(name=minimum-permissions, value=[{class=java.security.AllPermission}])")
>>     >>
>>     >> Thanks,
>>     >>
>>     >> -- Josef Cacek
>>     >> _______________________________________________
>>     >> wildfly-dev mailing list
>>     >>wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
>>     >>https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>     >>
>>     >
>>     >
>>
>>
>>     --
>>     Brian Stansberry
>>     Senior Principal Software Engineer
>>     JBoss by Red Hat
>>     _______________________________________________
>>     wildfly-dev mailing list
>>     wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
>>     https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>
>>
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>

-- 
- DML