[Red Hat JIRA] (ELY-2049) Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial
by Boris Unckel (Jira)
[ https://issues.redhat.com/browse/ELY-2049?page=com.atlassian.jira.plugin.... ]
Boris Unckel updated ELY-2049:
------------------------------
Description:
The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions.
Examples:
[Undertow|https://issues.redhat.com/browse/UNDERTOW-1815]
[java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...]
line 2048
The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have a stack trace where this occurs.
Current code:
{code:java}
public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) {
    ProtectionDomain deniedDomain = null;
    if (domains != null) for (ProtectionDomain domain : domains) {
        if (! domain.implies(permission)) {
            final CodeSource codeSource = domain.getCodeSource();
            final ClassLoader classLoader = domain.getClassLoader();
            final Principal[] principals = domain.getPrincipals();
            if (principals == null || principals.length == 0) {
                access.accessCheckFailed(permission, codeSource, classLoader);
            } else {
                access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals));
            }
            if (deniedDomain == null && ! LOG_ONLY) {
                deniedDomain = domain;
            }
        }
    }
    return deniedDomain;
}
{code}
was:
The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions.
Example:
[java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...]
line 2048
The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have a stack trace where this occurs.
> Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial
> -----------------------------------------------------------------------
>
> Key: ELY-2049
> URL: https://issues.redhat.com/browse/ELY-2049
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Security Manager
> Affects Versions: 1.13.2.Final
> Reporter: Boris Unckel
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
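The tracing idea from the ELY-2049 description, sketched as an added example (not Elytron code and not written by the reporter): when a protection domain carries neither a CodeSource nor a ClassLoader, the regular message is uninformative, so a trace-level record adds the full domain and a dummy exception whose stack trace shows where the check failed. The class name `TracingAccessDenial`, the logger name and the sample paths are assumptions; it uses `java.util.logging` instead of Elytron's logger and omits the `LOG_ONLY` switch.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical illustration class; not part of WildFly Elytron.
public class TracingAccessDenial {
    private static final Logger LOG = Logger.getLogger("example.security.access");

    static ProtectionDomain findAccessDenial(Permission permission, ProtectionDomain... domains) {
        ProtectionDomain deniedDomain = null;
        if (domains != null) for (ProtectionDomain domain : domains) {
            if (!domain.implies(permission)) {
                // Regular record: only helpful when CodeSource and ClassLoader are set.
                LOG.log(Level.INFO, "Permission check failed: {0}, code source {1}, class loader {2}",
                        new Object[] {permission, domain.getCodeSource(), domain.getClassLoader()});
                // Trace record: guarded so the Throwable is only built when tracing is enabled.
                if (LOG.isLoggable(Level.FINEST)) {
                    LOG.log(Level.FINEST,
                            "Denied " + permission + " by protection domain " + domain,
                            new Throwable("dummy exception: location of the failed check"));
                }
                if (deniedDomain == null) {
                    deniedDomain = domain;
                }
            }
        }
        return deniedDomain;
    }

    public static void main(String[] args) {
        // Route FINEST records of this logger to the console.
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINEST);
        LOG.setLevel(Level.FINEST);
        LOG.setUseParentHandlers(false);
        LOG.addHandler(handler);

        // Constructed sample: a domain with static permissions but no CodeSource
        // and no ClassLoader, the case the issue calls impossible to track down.
        Permissions granted = new Permissions();
        granted.add(new FilePermission("/tmp/allowed", "read"));
        ProtectionDomain anonymous = new ProtectionDomain(null, granted);

        ProtectionDomain denied =
                findAccessDenial(new FilePermission("/tmp/other", "read"), anonymous);
        System.out.println("denied domain found: " + (denied != null));
    }
}
```

The INFO record prints `null` for both code source and class loader, while the FINEST record lists the domain's granted permissions and the call stack that led to the check.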
[Red Hat JIRA] (WFCORE-4217) ManagementAuthenticationUsersTestCase fails with Elytron profile
by Martin Choma (Jira)
[ https://issues.redhat.com/browse/WFCORE-4217?page=com.atlassian.jira.plug... ]
Martin Choma updated WFCORE-4217:
---------------------------------
Steps to Reproduce:
cd testsuite/standalone/
mvn test -Delytron -Dtest=ManagementAuthenticationUsersTestCase
> ManagementAuthenticationUsersTestCase fails with Elytron profile
> ----------------------------------------------------------------
>
> Key: WFCORE-4217
> URL: https://issues.redhat.com/browse/WFCORE-4217
> Project: WildFly Core
> Issue Type: Bug
> Components: Security, Test Suite
> Affects Versions: 7.0.0.Alpha5
> Reporter: Martin Choma
> Priority: Major
>
> {noformat}
> cd testsuite/standalone/
> mvn test -Delytron -Dtest=ManagementAuthenticationUsersTestCase
> {noformat}
> {noformat}
> [INFO] Running null
> [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.004 s <<< FAILURE! - in null
> [ERROR] Failure when constructing test Time elapsed: 0.003 s <<< FAILURE!
> java.lang.AssertionError:
> WFLYCTL0216: Management resource '[
> ("core-service" => "management"),
> ("security-realm" => "ManagementRealm")
> ]' not found
> at org.junit.Assert.fail(Assert.java:88)
> at org.jboss.as.test.integration.credential.store.ManagementAuthenticationUsersServerSetupTask.executeForSuccess(ManagementAuthenticationUsersServerSetupTask.java:113)
> at org.jboss.as.test.integration.credential.store.ManagementAuthenticationUsersServerSetupTask.setup(ManagementAuthenticationUsersServerSetupTask.java:65)
> at org.wildfly.core.testrunner.WildflyTestRunner.runSetupTasks(WildflyTestRunner.java:121)
> at org.wildfly.core.testrunner.WildflyTestRunner.run(WildflyTestRunner.java:107)
> at org.junit.runners.Suite.runChild(Suite.java:128)
> at org.junit.runners.Suite.runChild(Suite.java:27)
> at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
> at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
> at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
> at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
> at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
> at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
> at org.apache.maven.surefire.junitcore.JUnitCore.run(JUnitCore.java:55)
> at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.createRequestAndRun(JUnitCoreWrapper.java:137)
> at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.executeEager(JUnitCoreWrapper.java:107)
> at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.execute(JUnitCoreWrapper.java:83)
> at org.apache.maven.surefire.junitcore.JUnitCoreWrapper.execute(JUnitCoreWrapper.java:75)
> at org.apache.maven.surefire.junitcore.JUnitCoreProvider.invoke(JUnitCoreProvider.java:158)
> at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:383)
> at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:344)
> at org.apache.maven.surefire.booter.ForkedBooter.execute(ForkedBooter.java:125)
> at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:417)
> [INFO]
> [INFO] Results:
> [INFO]
> [ERROR] Failures:
> [ERROR] WFLYCTL0216: Management resource '[
> ("core-service" => "management"),
> ("security-realm" => "ManagementRealm")
> ]' not found
> [INFO]
> [ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0
> [INFO]
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> {noformat}
[Red Hat JIRA] (ELY-2049) Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial
by Boris Unckel (Jira)
[ https://issues.redhat.com/browse/ELY-2049?page=com.atlassian.jira.plugin.... ]
Boris Unckel updated ELY-2049:
------------------------------
Description:
The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions.
Examples:
[Undertow|https://issues.redhat.com/browse/UNDERTOW-1815]
[WildFly 1|https://issues.redhat.com/browse/WFLY-14072]
[WildFly 1a, including Stacktrace|https://issues.redhat.com/browse/WFLY-14039]
[java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...]
line 2048
The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have a stack trace where this occurs.
Current code:
{code:java}
public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) {
    ProtectionDomain deniedDomain = null;
    if (domains != null) for (ProtectionDomain domain : domains) {
        if (! domain.implies(permission)) {
            final CodeSource codeSource = domain.getCodeSource();
            final ClassLoader classLoader = domain.getClassLoader();
            final Principal[] principals = domain.getPrincipals();
            if (principals == null || principals.length == 0) {
                access.accessCheckFailed(permission, codeSource, classLoader);
            } else {
                access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals));
            }
            if (deniedDomain == null && ! LOG_ONLY) {
                deniedDomain = domain;
            }
        }
    }
    return deniedDomain;
}
{code}
was:
The current implementation is very strong for regular cases. It works fine to display missing permissions when CodeSource and/or ClassLoader are correctly set to the checked protection domain. If one of those is missing and there is no good exception handling, it is impossible to track down missing permissions.
Examples:
[Undertow|https://issues.redhat.com/browse/UNDERTOW-1815]
[java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...]
line 2048
The idea is to provide a yielded trace log and provide the missing permission, the full protection domain and a dummy exception to have a stack trace where this occurs.
> Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial
> -----------------------------------------------------------------------
>
> Key: ELY-2049
> URL: https://issues.redhat.com/browse/ELY-2049
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Security Manager
> Affects Versions: 1.13.2.Final
> Reporter: Boris Unckel
> Priority: Major
>
[Red Hat JIRA] (WFCORE-4217) ManagementAuthenticationUsersTestCase fails with Elytron profile
by Martin Choma (Jira)
[ https://issues.redhat.com/browse/WFCORE-4217?page=com.atlassian.jira.plug... ]
Martin Choma commented on WFCORE-4217:
--------------------------------------
I still see the issue in master following the reproducer.
{code}
[ERROR] Failures:
[ERROR] WFLYCTL0216: Management resource '[
("core-service" => "management"),
("security-realm" => "ManagementRealm")
]' not found
[INFO]
[ERROR] Tests run: 1, Failures: 1, Errors: 0, Skipped: 0
{code}
> ManagementAuthenticationUsersTestCase fails with Elytron profile
> ----------------------------------------------------------------
>
> Key: WFCORE-4217
> URL: https://issues.redhat.com/browse/WFCORE-4217
> Project: WildFly Core
> Issue Type: Bug
> Components: Security, Test Suite
> Affects Versions: 7.0.0.Alpha5
> Reporter: Martin Choma
> Priority: Major
>
[Red Hat JIRA] (WFLY-14025) Unable to remove the default datasource binding from the ee subsystem
by Lin Gao (Jira)
[ https://issues.redhat.com/browse/WFLY-14025?page=com.atlassian.jira.plugi... ]
Lin Gao reassigned WFLY-14025:
------------------------------
Assignee: Tomasz Adamski (was: Lin Gao)
> Unable to remove the default datasource binding from the ee subsystem
> ---------------------------------------------------------------------
>
> Key: WFLY-14025
> URL: https://issues.redhat.com/browse/WFLY-14025
> Project: WildFly
> Issue Type: Bug
> Components: EE, JCA
> Reporter: Lin Gao
> Assignee: Tomasz Adamski
> Priority: Major
> Labels: Regression, downstream_dependency
> Attachments: reproducer-spring.war, reproducer-spring2.war, reproducer2.war, standalone.xml
>
>
> EAP 7.2+ is creating a dependency on the DefaultDataSource when it should not.
> If the default datasource is removed from the ee subsystem and an application is deployed with a class that has @Resource specifying a name to inject which is not linked to the default datasource, it should NOT fail with a missing dependency.
> This was found with a Spring application, where Spring configuration is defining java:comp/env/dataSource to link to the real datasource. In EAP 7.1 the application deployed with no issue, in EAP 7.2+ JBoss is failing the deployment due to the datasource=... being removed from the default bindings in the ee subsystem.
>
> {code:java}
> @Resource(name = "dataSource")
> private DataSource dataSource;
> {code}
>
> {code:java}
> 18:08:15,547 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "reproducer2.war")]) - failure description: {
> "WFLYCTL0412: Required services that are not installed:" => ["jboss.naming.context.java.module.reproducer2.reproducer2.DefaultDataSource"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.naming.context.java.module.reproducer2.reproducer2.env.non-existant is missing [jboss.naming.context.java.module.reproducer2.reproducer2.DefaultDataSource]"]
> }
> {code}
[Red Hat JIRA] (WFLY-14144) Can't update WildFly to more recent version
by Jean Francois Denise (Jira)
Jean Francois Denise created WFLY-14144:
-------------------------------------------
Summary: Can't update WildFly to more recent version
Key: WFLY-14144
URL: https://issues.redhat.com/browse/WFLY-14144
Project: WildFly
Issue Type: Bug
Components: Build System
Affects Versions: 21.0.0.Final, 20.0.0.Final
Reporter: Jean Francois Denise
Assignee: Jean Francois Denise
An entry for wildfly-ee producer is needed in universe and producer.