December 2020 - jboss-jira - Jboss List Archives

[Red Hat JIRA] (ELY-2049) Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial

by Boris Unckel (Jira)

[ https://issues.redhat.com/browse/ELY-2049?page=com.atlassian.jira.plugin.... ] Boris Unckel updated ELY-2049: ------------------------------ Description: The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions. Examples: [Undertow|https://issues.redhat.com/browse/UNDERTOW-1815] [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] line 2048 The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs. Current code: {code:java} public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) { ProtectionDomain deniedDomain = null; if (domains != null) for (ProtectionDomain domain : domains) { if (! domain.implies(permission)) { final CodeSource codeSource = domain.getCodeSource(); final ClassLoader classLoader = domain.getClassLoader(); final Principal[] principals = domain.getPrincipals(); if (principals == null || principals.length == 0) { access.accessCheckFailed(permission, codeSource, classLoader); } else { access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals)); } if (deniedDomain == null && ! LOG_ONLY) { deniedDomain = domain; } } } return deniedDomain; } {code} was: The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions. Example: [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] line 2048 The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs. Current code: {code:java} public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) { ProtectionDomain deniedDomain = null; if (domains != null) for (ProtectionDomain domain : domains) { if (! domain.implies(permission)) { final CodeSource codeSource = domain.getCodeSource(); final ClassLoader classLoader = domain.getClassLoader(); final Principal[] principals = domain.getPrincipals(); if (principals == null || principals.length == 0) { access.accessCheckFailed(permission, codeSource, classLoader); } else { access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals)); } if (deniedDomain == null && ! LOG_ONLY) { deniedDomain = domain; } } } return deniedDomain; } {code} > Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial > ----------------------------------------------------------------------- > > Key: ELY-2049 > URL: https://issues.redhat.com/browse/ELY-2049 > Project: WildFly Elytron > Issue Type: Enhancement > Components: Security Manager > Affects Versions: 1.13.2.Final > Reporter: Boris Unckel > Priority: Major > > The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions. > Examples: > [Undertow|https://issues.redhat.com/browse/UNDERTOW-1815] > [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] > line 2048 > The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs. > Current code: > {code:java} > public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) { > ProtectionDomain deniedDomain = null; > if (domains != null) for (ProtectionDomain domain : domains) { > if (! domain.implies(permission)) { > final CodeSource codeSource = domain.getCodeSource(); > final ClassLoader classLoader = domain.getClassLoader(); > final Principal[] principals = domain.getPrincipals(); > if (principals == null || principals.length == 0) { > access.accessCheckFailed(permission, codeSource, classLoader); > } else { > access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals)); > } > if (deniedDomain == null && ! LOG_ONLY) { > deniedDomain = domain; > } > } > } > return deniedDomain; > } > {code} -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (WFCORE-4217) ManagementAuthenticationUsersTestCase fails with Elytron profile

by Martin Choma (Jira)

[ https://issues.redhat.com/browse/WFCORE-4217?page=com.atlassian.jira.plug... ] Martin Choma updated WFCORE-4217: --------------------------------- Steps to Reproduce: cd testsuite/standalone/ mvn test -Delytron -Dtest=ManagementAuthenticationUsersTestCase > ManagementAuthenticationUsersTestCase fails with Elytron profile > ---------------------------------------------------------------- > > Key: WFCORE-4217 > URL: https://issues.redhat.com/browse/WFCORE-4217 > Project: WildFly Core > Issue Type: Bug > Components: Security, Test Suite > Affects Versions: 7.0.0.Alpha5 > Reporter: Martin Choma > Priority: Major > > {noformat} > cd testsuite/standalone/ > mvn test -Delytron -Dtest=ManagementAuthenticationUsersTestCase > {noformat} > {noformat} > [INFO] Running null > [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.004 s <<< FAILURE! - in null > [ERROR] Failure when constructing test Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > WFLYCTL0216: Management resource '[ > ("core-service" => "management"), > ("security-realm" => "ManagementRealm") > ]' not found > at org.junit.Assert.fail(Assert.java:88) > at org.jboss.as.test.integration.credential.store.ManagementAuthenticationUsersServerSetupTask.executeForSuccess(ManagementAuthenticationUsersServerSetupTask.java:113) > at org.jboss.as.test.integration.credential.store.ManagementAuthenticationUsersServerSetupTask.setup(ManagementAuthenticationUsersServerSetupTask.java:65) > at org.wildfly.core.testrunner.WildflyTestRunner.runSetupTasks(WildflyTestRunner.java:121) > at org.wildfly.core.testrunner.WildflyTestRunner.run(WildflyTestRunner.java:107) > at org.junit.runners.Suite.runChild(Suite.java:128) > at org.junit.runners.Suite.runChild(Suite.java:27) > at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290) > at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71) > at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288) > at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58) > at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268) > at org.junit.runners.ParentRunner.run(ParentRunner.java:363) > at org.apache.maven.surefire.junitcore.JUnitCore.run(JUnitCore.java:55) > at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.createRequestAndRun(JUnitCoreWrapper.java:137) > at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.executeEager(JUnitCoreWrapper.java:107) > at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.execute(JUnitCoreWrapper.java:83) > at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.execute(JUnitCoreWrapper.java:75) > at org.apache.maven.surefire.junitcore.JUnitCoreProvider.invoke(JUnitCoreProvider.java:158) > at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:383) > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:344) > at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:125) > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:417) > [INFO] > [INFO] Results: > [INFO] > [ERROR] Failures: > [ERROR] WFLYCTL0216: Management resource '[ > ("core-service" => "management"), > ("security-realm" => "ManagementRealm") > ]' not found > [INFO] > [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0 > [INFO] > [INFO] ------------------------------------------------------------------------ > [INFO] BUILD FAILURE > {noformat} -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (ELY-2049) Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial

by Boris Unckel (Jira)

[ https://issues.redhat.com/browse/ELY-2049?page=com.atlassian.jira.plugin.... ] Boris Unckel updated ELY-2049: ------------------------------ Description: The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions. Examples: [Undertow|https://issues.redhat.com/browse/UNDERTOW-1815] [WildFly 1|https://issues.redhat.com/browse/WFLY-14072] [WildFly 1a, including Stacktrace|https://issues.redhat.com/browse/WFLY-14039] [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] line 2048 The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs. Current code: {code:java} public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) { ProtectionDomain deniedDomain = null; if (domains != null) for (ProtectionDomain domain : domains) { if (! domain.implies(permission)) { final CodeSource codeSource = domain.getCodeSource(); final ClassLoader classLoader = domain.getClassLoader(); final Principal[] principals = domain.getPrincipals(); if (principals == null || principals.length == 0) { access.accessCheckFailed(permission, codeSource, classLoader); } else { access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals)); } if (deniedDomain == null && ! LOG_ONLY) { deniedDomain = domain; } } } return deniedDomain; } {code} was: The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions. Examples: [Undertow|https://issues.redhat.com/browse/UNDERTOW-1815] [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] line 2048 The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs. Current code: {code:java} public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) { ProtectionDomain deniedDomain = null; if (domains != null) for (ProtectionDomain domain : domains) { if (! domain.implies(permission)) { final CodeSource codeSource = domain.getCodeSource(); final ClassLoader classLoader = domain.getClassLoader(); final Principal[] principals = domain.getPrincipals(); if (principals == null || principals.length == 0) { access.accessCheckFailed(permission, codeSource, classLoader); } else { access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals)); } if (deniedDomain == null && ! LOG_ONLY) { deniedDomain = domain; } } } return deniedDomain; } {code} > Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial > ----------------------------------------------------------------------- > > Key: ELY-2049 > URL: https://issues.redhat.com/browse/ELY-2049 > Project: WildFly Elytron > Issue Type: Enhancement > Components: Security Manager > Affects Versions: 1.13.2.Final > Reporter: Boris Unckel > Priority: Major > > The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions. > Examples: > [Undertow|https://issues.redhat.com/browse/UNDERTOW-1815] > [WildFly 1|https://issues.redhat.com/browse/WFLY-14072] > [WildFly 1a, including Stacktrace|https://issues.redhat.com/browse/WFLY-14039] > [java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] > line 2048 > The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have stack trace where this occurs. > Current code: > {code:java} > public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) { > ProtectionDomain deniedDomain = null; > if (domains != null) for (ProtectionDomain domain : domains) { > if (! domain.implies(permission)) { > final CodeSource codeSource = domain.getCodeSource(); > final ClassLoader classLoader = domain.getClassLoader(); > final Principal[] principals = domain.getPrincipals(); > if (principals == null || principals.length == 0) { > access.accessCheckFailed(permission, codeSource, classLoader); > } else { > access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals)); > } > if (deniedDomain == null && ! LOG_ONLY) { > deniedDomain = domain; > } > } > } > return deniedDomain; > } > {code} -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (WFCORE-4217) ManagementAuthenticationUsersTestCase fails with Elytron profile

by Martin Choma (Jira)

[ https://issues.redhat.com/browse/WFCORE-4217?page=com.atlassian.jira.plug... ] Martin Choma commented on WFCORE-4217: -------------------------------------- I still see the issue in master following reproducer. {code} [ERROR] Failures: [ERROR] WFLYCTL0216: Management resource '[ ("core-service" => "management"), ("security-realm" => "ManagementRealm") ]' not found [INFO] [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0 {code} > ManagementAuthenticationUsersTestCase fails with Elytron profile > ---------------------------------------------------------------- > > Key: WFCORE-4217 > URL: https://issues.redhat.com/browse/WFCORE-4217 > Project: WildFly Core > Issue Type: Bug > Components: Security, Test Suite > Affects Versions: 7.0.0.Alpha5 > Reporter: Martin Choma > Priority: Major > > {noformat} > cd testsuite/standalone/ > mvn test -Delytron -Dtest=ManagementAuthenticationUsersTestCase > {noformat} > {noformat} > [INFO] Running null > [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.004 s <<< FAILURE! - in null > [ERROR] Failure when constructing test Time elapsed: 0.003 s <<< FAILURE! > java.lang.AssertionError: > WFLYCTL0216: Management resource '[ > ("core-service" => "management"), > ("security-realm" => "ManagementRealm") > ]' not found > at org.junit.Assert.fail(Assert.java:88) > at org.jboss.as.test.integration.credential.store.ManagementAuthenticationUsersServerSetupTask.executeForSuccess(ManagementAuthenticationUsersServerSetupTask.java:113) > at org.jboss.as.test.integration.credential.store.ManagementAuthenticationUsersServerSetupTask.setup(ManagementAuthenticationUsersServerSetupTask.java:65) > at org.wildfly.core.testrunner.WildflyTestRunner.runSetupTasks(WildflyTestRunner.java:121) > at org.wildfly.core.testrunner.WildflyTestRunner.run(WildflyTestRunner.java:107) > at org.junit.runners.Suite.runChild(Suite.java:128) > at org.junit.runners.Suite.runChild(Suite.java:27) > at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290) > at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71) > at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288) > at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58) > at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268) > at org.junit.runners.ParentRunner.run(ParentRunner.java:363) > at org.apache.maven.surefire.junitcore.JUnitCore.run(JUnitCore.java:55) > at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.createRequestAndRun(JUnitCoreWrapper.java:137) > at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.executeEager(JUnitCoreWrapper.java:107) > at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.execute(JUnitCoreWrapper.java:83) > at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.execute(JUnitCoreWrapper.java:75) > at org.apache.maven.surefire.junitcore.JUnitCoreProvider.invoke(JUnitCoreProvider.java:158) > at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:383) > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:344) > at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:125) > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:417) > [INFO] > [INFO] Results: > [INFO] > [ERROR] Failures: > [ERROR] WFLYCTL0216: Management resource '[ > ("core-service" => "management"), > ("security-realm" => "ManagementRealm") > ]' not found > [INFO] > [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0 > [INFO] > [INFO] ------------------------------------------------------------------------ > [INFO] BUILD FAILURE > {noformat} -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (DROOLS-5864) Mark kie-pmml legacy as deprecated and document how to re-enable it

by Gabriele Cardosi (Jira)

Gabriele Cardosi created DROOLS-5864: ---------------------------------------- Summary: Mark kie-pmml legacy as deprecated and document how to re-enable it Key: DROOLS-5864 URL: https://issues.redhat.com/browse/DROOLS-5864 Project: Drools Issue Type: Task Reporter: Gabriele Cardosi Assignee: Gabriele Cardosi -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (WFLY-14144) Can't update WildFly to more recent version

by Jean Francois Denise (Jira)

[ https://issues.redhat.com/browse/WFLY-14144?page=com.atlassian.jira.plugi... ] Jean Francois Denise updated WFLY-14144: ---------------------------------------- Affects Version/s: 19.0.0.Final > Can't update WildFly to more recent version > ------------------------------------------- > > Key: WFLY-14144 > URL: https://issues.redhat.com/browse/WFLY-14144 > Project: WildFly > Issue Type: Bug > Components: Build System > Affects Versions: 19.0.0.Final, 20.0.0.Final, 21.0.0.Final > Reporter: Jean Francois Denise > Assignee: Jean Francois Denise > Priority: Major > > An entry for wildfly-ee producer is needed in universe and producer. -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (WFLY-14139) Upgrade messaging schema version to 13.0

by Tomas Hofman (Jira)

[ https://issues.redhat.com/browse/WFLY-14139?page=com.atlassian.jira.plugi... ] Tomas Hofman closed WFLY-14139. ------------------------------- Resolution: Done Closing, we can still do changes in v12. > Upgrade messaging schema version to 13.0 > ---------------------------------------- > > Key: WFLY-14139 > URL: https://issues.redhat.com/browse/WFLY-14139 > Project: WildFly > Issue Type: Task > Components: JMS > Affects Versions: 22.0.0.Alpha1 > Reporter: Tomas Hofman > Assignee: Emmanuel Hugonnet > Priority: Major > > Upgrade messaging schema to 12.0 -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (WFLY-14025) Unable to remove the default datasource binding from the ee subsystem

by Lin Gao (Jira)

[ https://issues.redhat.com/browse/WFLY-14025?page=com.atlassian.jira.plugi... ] Lin Gao reassigned WFLY-14025: ------------------------------ Assignee: Tomasz Adamski (was: Lin Gao) > Unable to remove the default datasource binding from the ee subsystem > --------------------------------------------------------------------- > > Key: WFLY-14025 > URL: https://issues.redhat.com/browse/WFLY-14025 > Project: WildFly > Issue Type: Bug > Components: EE, JCA > Reporter: Lin Gao > Assignee: Tomasz Adamski > Priority: Major > Labels: Regression, downstream_dependency > Attachments: reproducer-spring.war, reproducer-spring2.war, reproducer2.war, standalone.xml > > > EAP 7.2+ is creating a dependency on the DefaultDataSource when it should not. > If the default datasource is removed from the ee subsystem and an application is deployed with a class that has @Resource specifying a name to inject which is not linked to the default datasource, it should NOT fail with a missing dependency. > This was found with a Spring application, where Spring configuration is defining java:comp/env/dataSource to link to the real datasource. In EAP 7.1 the application deployed with no issue, in EAP 7.2+ JBoss is failing the deployment due to the datasource=... being removed from the default bindings in the ee subsystem. > > {code:java} > @Resource(name = "dataSource") > private DataSource dataSource; {code} > > {code:java} > 18:08:15,547 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "reproducer2.war")]) - failure description: { > "WFLYCTL0412: Required services that are not installed:" => ["jboss.naming.context.java.module.reproducer2.reproducer2.DefaultDataSource"], > "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.naming.context.java.module.reproducer2.reproducer2.env.non-existant is missing [jboss.naming.context.java.module.reproducer2.reproducer2.DefaultDataSource]"] > }{code} -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (WFLY-14146) Un-ignore SecurityCommandsTestCase

by Farah Juma (Jira)

Farah Juma created WFLY-14146: --------------------------------- Summary: Un-ignore SecurityCommandsTestCase Key: WFLY-14146 URL: https://issues.redhat.com/browse/WFLY-14146 Project: WildFly Issue Type: Task Components: Test Suite Reporter: Farah Juma Assignee: Farah Juma See WFLY-14145 for details on why it was ignored. -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

[Red Hat JIRA] (WFLY-14144) Can't update WildFly to more recent version

by Jean Francois Denise (Jira)

Jean Francois Denise created WFLY-14144: ------------------------------------------- Summary: Can't update WildFly to more recent version Key: WFLY-14144 URL: https://issues.redhat.com/browse/WFLY-14144 Project: WildFly Issue Type: Bug Components: Build System Affects Versions: 21.0.0.Final, 20.0.0.Final Reporter: Jean Francois Denise Assignee: Jean Francois Denise An entry for wildfly-ee producer is needed in universe and producer. -- This message was sent by Atlassian Jira (v7.13.8#713008)

3 years, 4 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira December 2020