[wildfly-dev] Security policy problems migrating jBoss 6.1+Java7 to Wildfly10+Java8

jboydnolan boyd.nolan at tylertech.com
Wed Jul 5 11:40:17 EDT 2017


Hello, All,
I'm not sure if this forum is the right place to be asking this level of
question, but I wanted to throw it out to see if anyone might have some
insight.

I am migrating an application from JBoss 6.1 with Java7 to Wildfly10 with
Java8, and have found that our Java security implementation has stopped
working as expected.

In our application we load up a dynamic policy (java.security.Policy object)
with a collection of permissions representing actions you can take in the
application. We then evaluate actions a user tries to do using the
java.security.auth.Subject class and the doAsPrivileged method.

When running this same code setup in Wildfly10 with Java 8, all the security
policy data loads up just fine, however the doAsPrivileged strategy returns
without exception for all actions and all users, essentially allowing
everyone full access to everything regardless of whether or not they should
be able to get to all the actions.

When debugging the fully loaded policy objects down inside of the
java.security.auth space, what I see is that in addition to the standard
actions, there always seems to be an AllPermissions / AllActions entry
showing up. It seems like this entry is what might be causing the security
behavior I am seeing. I’ve tried removing all the configuration entries that
refer to java.security.AllPermission in places like the java.policy,
standalone_full.xml, etc. Even with all those removed, the AllPermission
type of entry still shows up.

Does anyone have any insight into this behavior, or have some suggested
technical documentation that might help me figure it out?

I appreciate any help or direction you can provide.




--
View this message in context: http://wildfly-development.1055759.n5.nabble.com/Security-policy-problems-migrating-jBoss-6-1-Java7-to-Wildfly10-Java8-tp5718006.html
Sent from the WildFly Development mailing list archive at Nabble.com.
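
Added example, not part of the original post: a Java 8 diagnostic for the symptom described in the message above. It lists the permissions that apply to a class when evaluated with a Subject's principals and shows whether an AllPermission comes from the class's static permissions or from the installed Policy object. The class name `PolicyDump` and the sample principal are assumptions made for illustration.

```java
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class PolicyDump {

    // Prints every permission in pc; returns true if one of them is AllPermission.
    static boolean list(String label, PermissionCollection pc) {
        boolean all = false;
        System.out.println(label);
        if (pc == null) {
            System.out.println("  (none)");
            return false;
        }
        for (Permission p : Collections.list(pc.elements())) {
            System.out.println("  " + p);
            all |= p instanceof AllPermission;
        }
        return all;
    }

    // Reports whether AllPermission applies to this class when run as the given Subject.
    static boolean grantsAll(Class<?> caller, Subject subject) {
        ProtectionDomain loaded = caller.getProtectionDomain();
        Principal[] who = subject.getPrincipals().toArray(new Principal[0]);
        // Same code source, no static permissions, Subject's principals attached:
        // what remains is what the Policy object itself grants.
        ProtectionDomain probe = new ProtectionDomain(
                loaded.getCodeSource(), null, caller.getClassLoader(), who);
        Policy policy = Policy.getPolicy();
        System.out.println("Policy class:    " + policy.getClass().getName());
        System.out.println("SecurityManager: " + System.getSecurityManager());
        boolean fromLoader = list("Static permissions set by the class loader:", loaded.getPermissions());
        boolean fromPolicy = list("Permissions returned by the Policy:", policy.getPermissions(probe));
        return fromLoader || fromPolicy || policy.implies(probe, new AllPermission());
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=sample-user")); // constructed principal
        System.out.println("AllPermission granted: " + grantsAll(PolicyDump.class, subject));
    }
}
```

Calling `grantsAll` from inside the deployed application, with one of the application's own classes and the authenticated Subject, separates permissions attached to the class at load time from those the dynamic Policy returns.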