<div dir="ltr"><div>If we could make it support jboss-permissions.xml without using jboss metadata <br>that would solve the extra dependency and not much increase in distro size<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 27, 2015 at 1:08 PM, Jason T. Greene <span dir="ltr"><<a href="mailto:jason.greene@redhat.com" target="_blank">jason.greene@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>That might actually be ok, since we aren't talking about a Java API, and there are no reps on other specs. However I agree that is wierd. Alternatively we could add different format/schema but I suspect it would look just like permissions.xml.</div><div><div class="h5"><div><br>On Aug 26, 2015, at 9:00 AM, Tomaž Cerar <<a href="mailto:tomaz.cerar@gmail.com" target="_blank">tomaz.cerar@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div>Also AFAIR, security manager subsystem implements EE7 security manager(permissions.xml) support.<br></div>and as such doesn't belong to core.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 26, 2015 at 3:56 PM, Brian Stansberry <span dir="ltr"><<a href="mailto:brian.stansberry@redhat.com" target="_blank">brian.stansberry@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 8/26/15 8:49 AM, Brian Stansberry wrote:<br>
> Just some data, as I know distribution size is a significant factor in<br>
> deciding what goes into WildFly Core:<br>
><br>
> The org.wildfly.extension.security.manager module itself is 45KB<br>
> unzipped, so not much of a concern.<br>
><br>
> However, it depends on org.jboss.metadata.common, which is 475KB and<br>
> isn't itself present in WildFly Core.<br>
<br>
</span>The requirement for org.jboss.metadata.common looks pretty simple to<br>
eliminate. It's just using a bit of what looks like easily duplicated<br>
utility code.<br>
<div><div><br>
><br>
> All its other deps are present in WildFly Core.<br>
><br>
> On 8/26/15 7:38 AM, Josef Cacek wrote:<br>
>> Hi *,<br>
>><br>
>> Is there a way how to configure Java security permissions in WildFly Core?<br>
>> If not, is there any reason why not to move the wildfly-security-manager from WildFly into WildFly Core?<br>
>><br>
>> I'm investigating failing tests in WildFly Core testsuite ([1],[2]) when security manager is enabled.<br>
>><br>
>> The problem is, security manager is in place and I'm not able to define permissions for deployments<br>
>> - using policy file (configured by java.security.policy system property) doesn't work for me;<br>
>> - putting META-INF/permissions.xml into deployments doesn't help because PermissionsParseProcessor deployment processor is part of wildfly-security-manager (i.e. not in Core) and it is only activated when security-manager subsystem is present.<br>
>><br>
>> So the tests fail because of AccessControlExceptions on the server side.<br>
>><br>
>> Any thoughts?<br>
>><br>
>> As a workaround we can run the Core testsuite against full WildFly and use either in-deployment permissions.xml or configure permissions in subsystem [3] - but both ways have some disadvantages.<br>
>> We either have to put "unnecessary" permissions.xml in WFCORE deployments or we have to use too wide minimum-permissions in security-manager subsystem configuration.<br>
>><br>
>> [1] <a href="https://issues.jboss.org/browse/WFCORE-846" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/WFCORE-846</a><br>
>> [2] <a href="https://issues.jboss.org/browse/JBEAP-526" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/JBEAP-526</a><br>
>> [3] /subsystem=security-manager/deployment-permissions=default:write-attribute(name=minimum-permissions, value=[{class=java.security.AllPermission}])")<br>
>><br>
>> Thanks,<br>
>><br>
>> -- Josef Cacek<br>
>> _______________________________________________<br>
>> wildfly-dev mailing list<br>
>> <a href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/wildfly-dev</a><br>
>><br>
><br>
><br>
<br>
<br>
--<br>
Brian Stansberry<br>
Senior Principal Software Engineer<br>
JBoss by Red Hat<br>
_______________________________________________<br>
wildfly-dev mailing list<br>
<a href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/wildfly-dev</a><br>
</div></div></blockquote></div><br></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>wildfly-dev mailing list</span><br><span><a href="mailto:wildfly-dev@lists.jboss.org" target="_blank">wildfly-dev@lists.jboss.org</a></span><br><span><a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/wildfly-dev</a></span></div></blockquote></div></div></div></blockquote></div><br></div>