[JBoss JIRA] (WFLY-174) Missing JSP or EL privileged action(s)
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/WFLY-174?page=com.atlassian.jira.plugin.s... ]
Tomaz Cerar closed WFLY-174.
----------------------------
Resolution: Out of Date
JbossWeb is no longer used in WildFly 8.
> Missing JSP or EL privileged action(s)
> --------------------------------------
>
> Key: WFLY-174
> URL: https://issues.jboss.org/browse/WFLY-174
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (JBoss Web)
> Reporter: David Lloyd
> Assignee: Remy Maucherat
> Fix For: 8.0.0.Final, 8.0.0.CR1
>
>
> When running with a security manager, we're seeing an access control problem with this stack trace:
> {noformat}
> 18:21:08,471 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/web-secure].[jsp]] (http-/127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366) [rt.jar:1.7.0_15]
> at java.security.AccessController.checkPermission(AccessController.java:560) [rt.jar:1.7.0_15]
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) [rt.jar:1.7.0_15]
> at java.lang.Thread.getContextClassLoader(Thread.java:1451) [rt.jar:1.7.0_15]
> at javax.el.FactoryFinder.find(FactoryFinder.java:130) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at javax.el.ExpressionFactory.newInstance(ExpressionFactory.java:185) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at javax.el.ExpressionFactory.newInstance(ExpressionFactory.java:156) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at org.apache.jasper.runtime.JspApplicationContextImpl.<init>(JspApplicationContextImpl.java:48) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.runtime.JspApplicationContextImpl.getInstance(JspApplicationContextImpl.java:77) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:197) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jsp.login_jsp._jspInit(login_jsp.java:22)
> at org.apache.jasper.runtime.HttpJspBase.init(HttpJspBase.java:51) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:151) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:320) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final.jar:1.0.2.Final]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_15]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_15]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_15]
> at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_15]
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:263) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:261) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) [rt.jar:1.7.0_15]
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:295) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:155) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:288) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:59) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:197) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:832) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:620) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:553) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.access$000(ApplicationDispatcher.java:69) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:84) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:474) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage(FormAuthenticator.java:372) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:265) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:447) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-8.0.0.Alpha1-SNAPSHOT.jar:8.0.0.Alpha1-SNAPSHOT]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_15]
> {noformat}
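> It looks like javax.el should probably be getting the thread context class loader (TCCL) from a privileged block, or else org.apache.jasper.runtime.JspApplicationContextImpl.<init> should be executing in a privileged context. In the trace above, Thread.getContextClassLoader is reached from javax.el.FactoryFinder.find with the compiled JSP (login_jsp._jspInit) still on the stack above the nearest doPrivileged frame, so the getClassLoader permission check also covers the JSP's protection domain.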
[JBoss JIRA] (WFLY-174) Missing JSP or EL privileged action(s)
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/WFLY-174?page=com.atlassian.jira.plugin.s... ]
Tomaz Cerar updated WFLY-174:
-----------------------------
Component/s: Web (Undertow)
(was: Web (JBoss Web))
> Missing JSP or EL privileged action(s)
> --------------------------------------
>
> Key: WFLY-174
> URL: https://issues.jboss.org/browse/WFLY-174
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Undertow)
> Reporter: David Lloyd
> Assignee: Remy Maucherat
> Fix For: 8.0.0.CR1, 8.0.0.Final
>
>
> When running with a security manager, we're seeing an access control problem with this stack trace:
> {noformat}
> 18:21:08,471 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/web-secure].[jsp]] (http-/127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366) [rt.jar:1.7.0_15]
> at java.security.AccessController.checkPermission(AccessController.java:560) [rt.jar:1.7.0_15]
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) [rt.jar:1.7.0_15]
> at java.lang.Thread.getContextClassLoader(Thread.java:1451) [rt.jar:1.7.0_15]
> at javax.el.FactoryFinder.find(FactoryFinder.java:130) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at javax.el.ExpressionFactory.newInstance(ExpressionFactory.java:185) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at javax.el.ExpressionFactory.newInstance(ExpressionFactory.java:156) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at org.apache.jasper.runtime.JspApplicationContextImpl.<init>(JspApplicationContextImpl.java:48) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.runtime.JspApplicationContextImpl.getInstance(JspApplicationContextImpl.java:77) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:197) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jsp.login_jsp._jspInit(login_jsp.java:22)
> at org.apache.jasper.runtime.HttpJspBase.init(HttpJspBase.java:51) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:151) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:320) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final.jar:1.0.2.Final]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_15]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_15]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_15]
> at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_15]
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:263) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:261) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) [rt.jar:1.7.0_15]
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:295) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:155) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:288) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:59) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:197) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:832) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:620) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:553) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.access$000(ApplicationDispatcher.java:69) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:84) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:474) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage(FormAuthenticator.java:372) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:265) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:447) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-8.0.0.Alpha1-SNAPSHOT.jar:8.0.0.Alpha1-SNAPSHOT]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_15]
> {noformat}
> It looks like javax.el should probably be getting TCCL from a privileged block, or else org.apache.jasper.runtime.JspApplicationContextImpl.<init> should be executing in a privileged context.
[JBoss JIRA] (WFLY-2884) WildFly issuing new cookie for every request, when faces view is not directly in root (/ )
by André Prata (JIRA)
[ https://issues.jboss.org/browse/WFLY-2884?page=com.atlassian.jira.plugin.... ]
André Prata updated WFLY-2884:
------------------------------
Attachment: test.war
Using this "test.war", the following happens. The problem is 2.1, which does not happen if we start the new session going from the root directory.
1- Open the "/admin/index.html" address in a new browser session
2- Press the command button
2.1- ViewExpiredException
3- Open "/index.html"
4- Press the command button
4.1- "command executed"
5- Open "/admin/index.xhtml" again
6- Press the command button
6.1- "command executed"
> WildFly issuing new cookie for every request, when faces view is not directly in root (/ )
> ------------------------------------------------------------------------------------------
>
> Key: WFLY-2884
> URL: https://issues.jboss.org/browse/WFLY-2884
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Undertow)
> Affects Versions: 8.0.0.CR1
> Reporter: André Prata
> Assignee: Stuart Douglas
> Attachments: test.war
>
>
> Hello everyone.
> I have seen possibly similar issues, but people just aren't able to reproduce them anymore and they seem to be closed without further inspection. Maybe this is the same problem.
> I started seeing a problem in a new application I'm developing. For views such as "/view.xhtml" everything is working fine. But if I move the view to another directory, e.g. "/admin/view.xhtml", I get ViewExpiredExceptions when interacting with backing beans.
> Two things:
> - This does not happen if there is already a cookie associated with the session. I.e., I can only reproduce the issue if the first cookie is created by accessing "/admin/view.xhtml". Accessing something in the root and then the other directories works just fine (the server won't send set-cookies again).
> - When accessing "/admin/view.xhtml" new cookies are issued for every .xhtml request. Fetching PrimeFaces .js.xhtml files after the initial page is loaded, for example, triggers new sessions.
[JBoss JIRA] (WFLY-174) Missing JSP or EL privileged action(s)
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/WFLY-174?page=com.atlassian.jira.plugin.s... ]
Tomaz Cerar updated WFLY-174:
-----------------------------
Component/s: Web (JBoss Web)
(was: Web (Undertow))
> Missing JSP or EL privileged action(s)
> --------------------------------------
>
> Key: WFLY-174
> URL: https://issues.jboss.org/browse/WFLY-174
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (JBoss Web)
> Reporter: David Lloyd
> Assignee: Remy Maucherat
> Fix For: 8.0.0.CR1, 8.0.0.Final
>
>
> When running with a security manager, we're seeing an access control problem with this stack trace:
> {noformat}
> 18:21:08,471 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/web-secure].[jsp]] (http-/127.0.0.1:8080-1) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366) [rt.jar:1.7.0_15]
> at java.security.AccessController.checkPermission(AccessController.java:560) [rt.jar:1.7.0_15]
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) [rt.jar:1.7.0_15]
> at java.lang.Thread.getContextClassLoader(Thread.java:1451) [rt.jar:1.7.0_15]
> at javax.el.FactoryFinder.find(FactoryFinder.java:130) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at javax.el.ExpressionFactory.newInstance(ExpressionFactory.java:185) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at javax.el.ExpressionFactory.newInstance(ExpressionFactory.java:156) [jboss-el-api_2.2_spec-1.0.2.Final.jar:1.0.2.Final]
> at org.apache.jasper.runtime.JspApplicationContextImpl.<init>(JspApplicationContextImpl.java:48) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.runtime.JspApplicationContextImpl.getInstance(JspApplicationContextImpl.java:77) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:197) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jsp.login_jsp._jspInit(login_jsp.java:22)
> at org.apache.jasper.runtime.HttpJspBase.init(HttpJspBase.java:51) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:151) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:320) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final.jar:1.0.2.Final]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_15]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_15]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_15]
> at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_15]
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:263) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:261) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) [rt.jar:1.7.0_15]
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:295) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:155) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:288) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:59) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:197) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:832) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:620) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:553) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.access$000(ApplicationDispatcher.java:69) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:84) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_15]
> at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:474) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage(FormAuthenticator.java:372) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:265) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:447) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-8.0.0.Alpha1-SNAPSHOT.jar:8.0.0.Alpha1-SNAPSHOT]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.0.Final.jar:7.2.0.Final]
> at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_15]
> {noformat}
> It looks like javax.el should probably be getting TCCL from a privileged block, or else org.apache.jasper.runtime.JspApplicationContextImpl.<init> should be executing in a privileged context.
[JBoss JIRA] (WFLY-466) Detect JBossWS Configuration for @PermitAll endpoints within Undertow subsystem.
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/WFLY-466?page=com.atlassian.jira.plugin.s... ]
Tomaz Cerar updated WFLY-466:
-----------------------------
Component/s: Web (Undertow)
(was: Web (JBoss Web))
> Detect JBossWS Configuration for @PermitAll endpoints within Undertow subsystem.
> --------------------------------------------------------------------------------
>
> Key: WFLY-466
> URL: https://issues.jboss.org/browse/WFLY-466
> Project: WildFly
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: Web (Undertow)
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 8.0.1.Final
>
>
> UNDERTOW-38 has added the possibility of deploying web applications where authentication is mandated but no authorization checks are performed - this is required for integration use cases such as EJB endpoints where authorization checks are being left to the EJB container.
> This task is to update the Undertow subsystem to detect this scenario and enable the new mode for UNDERTOW-38.
[JBoss JIRA] (WFLY-1477) JACC HttpServletRequestPolicyContextHandler removal on single application undeploy impacting all other deployed applications
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/WFLY-1477?page=com.atlassian.jira.plugin.... ]
Tomaz Cerar commented on WFLY-1477:
-----------------------------------
Frank / Steve, does this issue still occur in the latest builds of WildFly 8?
There were many fixes in this area post CR1.
> JACC HttpServletRequestPolicyContextHandler removal on single application undeploy impacting all other deployed applications
> ----------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-1477
> URL: https://issues.jboss.org/browse/WFLY-1477
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Undertow)
> Affects Versions: 8.0.0.Alpha1
> Environment: CentOS 6.x, JBoss AS 7.1.1.Final
> Reporter: Steve S
> Assignee: Tomaz Cerar
> Labels: domain, jaas, jboss, jbossweb, login, module, security
>
> Please see the following forum post for a detailed explanation and findings(and potential workaround):
> https://community.jboss.org/message/822054#822054
> If multiple WARs are deployed that depend on a login module leveraging:
> HttpServletRequest request = (HttpServletRequest)PolicyContext.getContext("javax.servlet.http.HttpServletRequest");
> then upon undeploy of any web application in the container the HttpServletRequestPolicyContextHandler is removed(deregistered) in the stop() lifecycle method of the JBossWebRealmService, resulting in:
> 13:03:35,335 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (ajp--0.0.0.0-8009-1) Login failure: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: No PolicyContextHandler for key=javax.servlet.http.HttpServletRequest at javax.security.jacc.PolicyContext.getContext(PolicyContext.java:117)
> for any webapps still deployed for every subsequent access to them.
> Simply redeploying any ONE of the remaining webapps or the previously undeployed webapp causes this problem to go away for all deployed applications.
[JBoss JIRA] (WFLY-84) Jasper using wrong ProtectionDomain for compiled JSP
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/WFLY-84?page=com.atlassian.jira.plugin.sy... ]
Tomaz Cerar updated WFLY-84:
----------------------------
Component/s: Web (Undertow)
(was: Web (JBoss Web))
> Jasper using wrong ProtectionDomain for compiled JSP
> ----------------------------------------------------
>
> Key: WFLY-84
> URL: https://issues.jboss.org/browse/WFLY-84
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Undertow)
> Reporter: David Lloyd
> Assignee: Remy Maucherat
> Fix For: 8.0.0.Final
>
>
> Compiled JSPs loaded via JasperLoader appear to be using a different ProtectionDomain than the rest of the WAR deployment. I think it should probably be using a PD which contains the permissions from the deployment's ClassLoader, and probably the CodeSource from the deployment unit from which the JSP file originated. This will ensure that permissions set via deployment descriptor and/or the management model will take proper effect.
[JBoss JIRA] (JBJCA-1137) NPE in o.j.j.c.CommonBundle.Annotations#processConfigProperty() line:765
by Jesper Pedersen (JIRA)
[ https://issues.jboss.org/browse/JBJCA-1137?page=com.atlassian.jira.plugin... ]
Jesper Pedersen closed JBJCA-1137.
----------------------------------
Resolution: Rejected
Class loading issue in WildFly - use the forum for questions
> NPE in o.j.j.c.CommonBundle.Annotations#processConfigProperty() line:765
> ------------------------------------------------------------------------
>
> Key: JBJCA-1137
> URL: https://issues.jboss.org/browse/JBJCA-1137
> Project: IronJacamar
> Issue Type: Bug
> Components: Common
> Affects Versions: 1.1.2.Final
> Reporter: Darryl Miles
> Assignee: Jesper Pedersen
>
> org.jboss.jca.common.CommonBundle.Annotations
> Map<Metadatas, ArrayList<ConfigProperty16>> processConfigProperty(AnnotationRepository annotationRepository, ClassLoader classLoader)
> for (Annotation annotation : values)
> {
> javax.resource.spi.ConfigProperty configPropertyAnnotation = (javax.resource.spi.ConfigProperty) annotation
> .getAnnotation();
> if (trace)
> log.trace("Processing: " + configPropertyAnnotation);
> XsdString configPropertyValue = XsdString.NULL_XSDSTRING;
> if (configPropertyAnnotation.defaultValue() != null && !configPropertyAnnotation.defaultValue().equals(""))
> configPropertyValue = new XsdString(configPropertyAnnotation.defaultValue(), null);
> javax.resource.spi.ConfigProperty configPropertyAnnotation = (javax.resource.spi.ConfigProperty) annotation.getAnnotation();
> can return null when there is a ClassNotFoundException for the class with the annotation in it.
> at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:166) [wildfly-server-8.0.0.CR1.jar:8.0.0.CR1]
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.0.CR1.jar:1.2.0.CR1]
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.0.CR1.jar:1.2.0.CR1]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_25]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_25]
> at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
> Caused by: java.lang.IllegalArgumentException: JBAS017220: Class not found
> at org.jboss.as.service.ReflectionUtils.getClass(ReflectionUtils.java:115)
> at org.jboss.as.service.ReflectionUtils.getClassHierarchy(ReflectionUtils.java:122)
> at org.jboss.as.service.ParsedServiceDeploymentProcessor.addServices(ParsedServiceDeploymentProcessor.java:113)
> at org.jboss.as.service.ParsedServiceDeploymentProcessor.deploy(ParsedServiceDeploymentProcessor.java:104)
> at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:159) [wildfly-server-8.0.0.CR1.jar:8.0.0.CR1]
> ... 5 more
> Caused by: java.lang.ClassNotFoundException: com.domain.project.ejb.mbean.Monitor from [Module "deployment.com.domain.project.ear.ear.com-domain-project.ejb-0.0.1-SNAPSHOT.jar:main" from Service Module Loader]
> at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:197) [jboss-modules.jar:1.3.0.Final]
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:443) [jboss-modules.jar:1.3.0.Final]
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:431) [jboss-modules.jar:1.3.0.Final]
> at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:373) [jboss-modules.jar:1.3.0.Final]
> at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:118) [jboss-modules.jar:1.3.0.Final]
> at java.lang.Class.forName0(Native Method) [rt.jar:1.7.0_25]
> at java.lang.Class.forName(Class.java:270) [rt.jar:1.7.0_25]
> at org.jboss.as.service.ReflectionUtils.getClass(ReflectionUtils.java:113)
> ... 9 more