August 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (ELY-1349) Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier

by Ondrej Lukas (JIRA)

Ondrej Lukas created ELY-1349: --------------------------------- Summary: Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier Key: ELY-1349 URL: https://issues.jboss.org/browse/ELY-1349 Project: WildFly Elytron Issue Type: Bug Reporter: Ondrej Lukas Assignee: Darran Lofthouse Priority: Critical When application server is running with Security Manager then using Elytron API (ElytronXmlParser.parseAuthenticationClientConfiguration()) from deployment leads to AccessControlException. The ServiceLoaderSupplier incorrectly uses doPrivileged, so the FilePermission check during accessing Elytron JAR fails. Workaround could be adding this FilePermission to each such deployment, but this is neither safe nor practical as the JAR name and location can change (e.g. version upgrade with patches applied). It seems the problem is caused by passing AccessControlContext as second parameter of {{doPrivileged}} method [1]. {{ServiceLoaderSupplier}} does not require this permission when second paramater is removed from {{doPrivileged}} method. This privileged block has been added as fix of JBEAP-12111 - {{doPrivileged}} call has been added into {{org.wildfly.security.util.ServiceLoaderSupplier}}. For example this is stacktrace for calling {{ElytronXmlParser.parseAuthenticationClientConfiguration}} method from Servlet in war application: {code} java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/user/jboss-eap-7.1/modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-1.1.1.Final-redhat-1.jar" "read")" in code source "(vfs:/content/wildfly-config-xml-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.wildfly-config-xml-dep.war" from Service Module Loader") at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278) at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:350) at sun.net.www.protocol.jar.JarFileFactory.getCachedJarFile(JarFileFactory.java:137) at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:81) at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122) at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150) at java.net.URL.openStream(URL.java:1038) at java.util.ServiceLoader.parse(ServiceLoader.java:304) at java.util.ServiceLoader.access$200(ServiceLoader.java:185) at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357) at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323) at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396) at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395) at java.security.AccessController.doPrivileged(Native Method) at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398) at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474) at org.wildfly.security.util.ServiceLoaderSupplier.loadServices(ServiceLoaderSupplier.java:73) at org.wildfly.security.util.ServiceLoaderSupplier.lambda$get$0(ServiceLoaderSupplier.java:58) at java.security.AccessController.doPrivileged(Native Method) at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:58) at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:39) at org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier.get(ElytronXmlParser.java:2433) at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:115) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseClearPassword$40(ElytronXmlParser.java:2001) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$27(ElytronXmlParser.java:918) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$33(ElytronXmlParser.java:953) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$18(ElytronXmlParser.java:691) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$22(ElytronXmlParser.java:739) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationRuleType$7(ElytronXmlParser.java:575) at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$8(ElytronXmlParser.java:599) at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:299) at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:176) at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:137) ... {code} [1] https://github.com/wildfly-security/wildfly-elytron/blob/8c033958d78fcb1c... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (ELY-1349) Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier

by Ondrej Lukas (JIRA)

[ https://issues.jboss.org/browse/ELY-1349?page=com.atlassian.jira.plugin.s... ] Ondrej Lukas updated ELY-1349: ------------------------------ Affects Version/s: 1.1.1.Final > Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier > -------------------------------------------------------------------------------------------------------------- > > Key: ELY-1349 > URL: https://issues.jboss.org/browse/ELY-1349 > Project: WildFly Elytron > Issue Type: Bug > Affects Versions: 1.1.1.Final > Reporter: Ondrej Lukas > Assignee: Darran Lofthouse > Priority: Critical > > When application server is running with Security Manager then using Elytron API (ElytronXmlParser.parseAuthenticationClientConfiguration()) from deployment leads to AccessControlException. The ServiceLoaderSupplier incorrectly uses doPrivileged, so the FilePermission check during accessing Elytron JAR fails. > Workaround could be adding this FilePermission to each such deployment, but this is neither safe nor practical as the JAR name and location can change (e.g. version upgrade with patches applied). > It seems the problem is caused by passing AccessControlContext as second parameter of {{doPrivileged}} method [1]. {{ServiceLoaderSupplier}} does not require this permission when second paramater is removed from {{doPrivileged}} method. This privileged block has been added as fix of JBEAP-12111 - {{doPrivileged}} call has been added into {{org.wildfly.security.util.ServiceLoaderSupplier}}. > For example this is stacktrace for calling {{ElytronXmlParser.parseAuthenticationClientConfiguration}} method from Servlet in war application: > {code} > java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/user/jboss-eap-7.1/modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-1.1.1.Final-redhat-1.jar" "read")" in code source "(vfs:/content/wildfly-config-xml-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.wildfly-config-xml-dep.war" from Service Module Loader") > at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278) > at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175) > at java.lang.SecurityManager.checkRead(SecurityManager.java:888) > at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:350) > at sun.net.www.protocol.jar.JarFileFactory.getCachedJarFile(JarFileFactory.java:137) > at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:81) > at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122) > at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150) > at java.net.URL.openStream(URL.java:1038) > at java.util.ServiceLoader.parse(ServiceLoader.java:304) > at java.util.ServiceLoader.access$200(ServiceLoader.java:185) > at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357) > at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323) > at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396) > at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395) > at java.security.AccessController.doPrivileged(Native Method) > at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398) > at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474) > at org.wildfly.security.util.ServiceLoaderSupplier.loadServices(ServiceLoaderSupplier.java:73) > at org.wildfly.security.util.ServiceLoaderSupplier.lambda$get$0(ServiceLoaderSupplier.java:58) > at java.security.AccessController.doPrivileged(Native Method) > at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:58) > at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:39) > at org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier.get(ElytronXmlParser.java:2433) > at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:115) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseClearPassword$40(ElytronXmlParser.java:2001) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$27(ElytronXmlParser.java:918) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$33(ElytronXmlParser.java:953) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$18(ElytronXmlParser.java:691) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$22(ElytronXmlParser.java:739) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationRuleType$7(ElytronXmlParser.java:575) > at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$8(ElytronXmlParser.java:599) > at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:299) > at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:176) > at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:137) > ... > {code} > [1] https://github.com/wildfly-security/wildfly-elytron/blob/8c033958d78fcb1c... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (JGRP-2061) TYPE_STRING does not handle unicode

by Bela Ban (JIRA)

[ https://issues.jboss.org/browse/JGRP-2061?page=com.atlassian.jira.plugin.... ] Bela Ban commented on JGRP-2061: -------------------------------- Excellent! I'm trying to close this issue but JIRA seems to disallow me to do that... :-) Can you close it? > TYPE_STRING does not handle unicode > ----------------------------------- > > Key: JGRP-2061 > URL: https://issues.jboss.org/browse/JGRP-2061 > Project: JGroups > Issue Type: Bug > Reporter: Cody Ebberson > Assignee: Bela Ban > Fix For: 4.0.6 > > > In several places throughout the org.jgroups.util.Util class, it is assumed that Strings are one byte per character. > For example, see objectToByteBuffer lines 561-567: > https://github.com/belaban/JGroups/blob/master/src/org/jgroups/util/Util.... > {code:java} > case TYPE_STRING: > String str=(String)obj; > int len=str.length(); > ByteBuffer retval=ByteBuffer.allocate(Global.BYTE_SIZE + len).put(TYPE_STRING); > for(int i=0; i < len; i++) > retval.put((byte)str.charAt(i)); > return retval.array(); > {code} > This code will incorrectly encode any String with non ASCII encoding. > There are several options to fix. You could use str.getBytes(StandardCharsets.UTF_8) to get a proper byte encoding, or you could use the existing TYPE_SERIALIZABLE code path. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9275) unable to invoke server1 EJB via server2

by Loren Chang (JIRA)

[ https://issues.jboss.org/browse/WFLY-9275?page=com.atlassian.jira.plugin.... ] Loren Chang updated WFLY-9275: ------------------------------ Summary: unable to invoke server1 EJB via server2 (was: invoke server1 EJB via server2 Fail) > unable to invoke server1 EJB via server2 > ---------------------------------------- > > Key: WFLY-9275 > URL: https://issues.jboss.org/browse/WFLY-9275 > Project: WildFly > Issue Type: Bug > Components: EJB > Affects Versions: 10.0.0.Final > Reporter: Loren Chang > Attachments: EJBTest.png, EJBTest.zip, WildFlyBug.png > > > This test code on "public static void main" is ok, but fail on war/ear > EJB client API Version:wildfly-naming-client-1.0.0.Beta13.jar、jboss-remote-naming-2.0.4.Final.jar -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9275) invoke server1 EJB via server2 Fail

by Loren Chang (JIRA)

[ https://issues.jboss.org/browse/WFLY-9275?page=com.atlassian.jira.plugin.... ] Loren Chang updated WFLY-9275: ------------------------------ Attachment: EJBTest.png > invoke server1 EJB via server2 Fail > ----------------------------------- > > Key: WFLY-9275 > URL: https://issues.jboss.org/browse/WFLY-9275 > Project: WildFly > Issue Type: Bug > Components: EJB > Affects Versions: 10.0.0.Final > Reporter: Loren Chang > Attachments: EJBTest.png, EJBTest.zip, WildFlyBug.png > > > This test code on "public static void main" is ok, but fail on war/ear > EJB client API Version:wildfly-naming-client-1.0.0.Beta13.jar、jboss-remote-naming-2.0.4.Final.jar -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9275) invoke server1 EJB via server2 Fail

by Loren Chang (JIRA)

[ https://issues.jboss.org/browse/WFLY-9275?page=com.atlassian.jira.plugin.... ] Loren Chang updated WFLY-9275: ------------------------------ Attachment: EJBTest.zip > invoke server1 EJB via server2 Fail > ----------------------------------- > > Key: WFLY-9275 > URL: https://issues.jboss.org/browse/WFLY-9275 > Project: WildFly > Issue Type: Bug > Components: EJB > Affects Versions: 10.0.0.Final > Reporter: Loren Chang > Attachments: EJBTest.png, EJBTest.zip, WildFlyBug.png > > > This test code on "public static void main" is ok, but fail on war/ear > EJB client API Version:wildfly-naming-client-1.0.0.Beta13.jar、jboss-remote-naming-2.0.4.Final.jar -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9275) invoke server1 EJB via server2 Fail

by Loren Chang (JIRA)

[ https://issues.jboss.org/browse/WFLY-9275?page=com.atlassian.jira.plugin.... ] Loren Chang updated WFLY-9275: ------------------------------ Summary: invoke server1 EJB via server2 Fail (was: EJB client(on ear/war) lookup remote SessionBean on multi server fail, all request recieved by one server(client)) > invoke server1 EJB via server2 Fail > ----------------------------------- > > Key: WFLY-9275 > URL: https://issues.jboss.org/browse/WFLY-9275 > Project: WildFly > Issue Type: Bug > Components: EJB > Affects Versions: 10.0.0.Final > Reporter: Loren Chang > Attachments: WildFlyBug.png > > > This test code on "public static void main" is ok, but fail on war/ear > EJB client API Version:wildfly-naming-client-1.0.0.Beta13.jar、jboss-remote-naming-2.0.4.Final.jar -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (LOGMGR-171) Add a PlatformLoggingMXBean implementation

by James Perkins (JIRA)

James Perkins created LOGMGR-171: ------------------------------------ Summary: Add a PlatformLoggingMXBean implementation Key: LOGMGR-171 URL: https://issues.jboss.org/browse/LOGMGR-171 Project: JBoss Log Manager Issue Type: Enhancement Reporter: James Perkins Assignee: James Perkins The {{LoggingMXBean}} is deprecated in Java 9. The {{PlatformLoggingMXBean}} has been available since Java 7 and should be implemented to be better context aware for JBoss Log Manager. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3214) PathInfoHandler should lazy create its DateTimeFormatter and ZoneId

by Brian Stansberry (JIRA)

Brian Stansberry created WFCORE-3214: ---------------------------------------- Summary: PathInfoHandler should lazy create its DateTimeFormatter and ZoneId Key: WFCORE-3214 URL: https://issues.jboss.org/browse/WFCORE-3214 Project: WildFly Core Issue Type: Enhancement Components: Domain Management Reporter: Brian Stansberry Assignee: Brian Stansberry Priority: Minor Profiling shows that PathInfoHandler's creation of a DateTimeFormatter and a ZoneId takes about 15ms. There's no need to do that during <clinit> which happens during boot; it can be deferred until the handler is used. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9283) Clarify community documentation for ignore-unused-configuration

by Ken Wills (JIRA)

[ https://issues.jboss.org/browse/WFLY-9283?page=com.atlassian.jira.plugin.... ] Ken Wills reassigned WFLY-9283: ------------------------------- Assignee: Ken Wills > Clarify community documentation for ignore-unused-configuration > --------------------------------------------------------------- > > Key: WFLY-9283 > URL: https://issues.jboss.org/browse/WFLY-9283 > Project: WildFly > Issue Type: Task > Components: Documentation > Reporter: Ken Wills > Assignee: Ken Wills > Priority: Minor > > Current Wildfly documentation uses "ignore unused resources" around the documented sections for ignore-unused-configuration: > https://docs.jboss.org/author/display/WFLY10/Admin+Guide#AdminGuide-Ignor... > This should be changed to be less confusing by just using the configuration term outside of the initial description. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 4 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira August 2017