David Lloyd created SECURITY-861:
------------------------------------
Summary: org.jboss.security.client.SecurityClient#login() requires unusual permissions
Key: SECURITY-861
URL: https://issues.jboss.org/browse/SECURITY-861
Project: PicketBox
Issue Type: Bug
Affects Versions: PicketBox_4_0_21_Beta3
Reporter: David Lloyd
Assignee: Stefan Guilhen
In order to do a security client login, the caller needs to have (at least) the permission
{{java.lang.RuntimePermission "org.jboss.security.getSecurityContext"}}.
Leaving aside that RuntimePermission should not be used for things like this, the point of
having a login method is to abstract the security context manipulation away. Surely if
some permission check is needed, the permission should be something specific to logging in
(though in my opinion, no permission should be necessary here).
The exact example stack trace is:
{noformat}
15:09:20,307 SEVERE [org.jboss.arquillian.protocol.jmx.JMXTestRunner] (pool-1-thread-1) Failed: org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase.testAnonymous: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "org.jboss.security.getSecurityContext")" in code source "(vfs:/content/runasprincipal-test.war/WEB-INF/classes <no signer certificates>)" of "null")
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:264) [wildfly-security-manager-1.0.2.Final-SNAPSHOT.jar:1.0.2.Final-SNAPSHOT]
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:169) [wildfly-security-manager-1.0.2.Final-SNAPSHOT.jar:1.0.2.Final-SNAPSHOT]
    at org.jboss.security.SecurityContextAssociation.getSecurityContext(SecurityContextAssociation.java:145) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
    at org.jboss.security.client.JBossSecurityClient.performSimpleLogin(JBossSecurityClient.java:77) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
    at org.jboss.security.client.SecurityClient.login(SecurityClient.java:74) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
    at org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase.testAnonymous(RunAsPrincipalTestCase.java:173) [classes:]
{noformat}
Here's the {{testAnonymous}} method:
{code}
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;
import org.junit.Assert;
import org.junit.Test;

// WhoAmI and lookupCaller() are defined elsewhere in RunAsPrincipalTestCase.
@Test
public void testAnonymous() throws Exception {
    SecurityClient client = SecurityClientFactory.getSecurityClient();
    client.setSimple("user1", "password1");
    client.login(); // this is line 173: performSimpleLogin() hits the getSecurityContext permission check here
    try {
        WhoAmI bean = lookupCaller();
        String actual = bean.getCallerPrincipal();
        Assert.assertEquals("anonymous", actual);
    } finally {
        client.logout(); // always tear the login down, even when the assertion fails
    }
}
{code}
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
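The check in the trace above is a stack walk: every protection domain on the call stack, the WAR's included, has to imply the RuntimePermission, which is why the deployment ends up needing it even though only PicketBox touches the security context. The following is an added example, not PicketBox or WildFly code, showing the pattern the report asks for: a login facade that does the guarded work inside AccessController.doPrivileged, so the walk stops at the facade's own domain and the caller needs nothing. Everything in it (LoginPrivilegeDemo, loginLeaky, loginWrapped, the stand-in getSecurityContext(), the all-granting Policy, the permission-less caller domain) is invented for the demonstration. It assumes a JDK whose stack-based access control still works, i.e. JDK 8 through 21 (the APIs are deprecated from 17 and removed from service in 24); no SecurityManager needs to be installed.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Hypothetical stand-in for a login facade such as SecurityClient#login().
 * Both variants need RuntimePermission "org.jboss.security.getSecurityContext"
 * internally; they differ in whose code source has to hold it.
 */
public class LoginPrivilegeDemo {

    static final Permission GET_CTX =
            new RuntimePermission("org.jboss.security.getSecurityContext");

    /** Stand-in for SecurityContextAssociation.getSecurityContext(): guarded by GET_CTX. */
    static String getSecurityContext() {
        // Every protection domain on the stack (up to the nearest privileged frame) must imply GET_CTX.
        AccessController.checkPermission(GET_CTX);
        return "security-context";
    }

    /** Variant 1 (the behaviour in the report): the check propagates to the caller's domain. */
    static String loginLeaky() {
        return getSecurityContext();
    }

    /** Variant 2: privileged block, so the walk stops here and only this class's domain needs GET_CTX. */
    static String loginWrapped() {
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> getSecurityContext());
    }

    /** Runs action as if called from code that holds no permissions at all (stand-in for the WAR). */
    static String asUnprivilegedCaller(PrivilegedAction<String> action) {
        // Two-arg constructor = static permissions: the Policy is never consulted for this domain.
        ProtectionDomain noPerms = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), new Permissions());
        AccessControlContext callerCtx = new AccessControlContext(new ProtectionDomain[] { noPerms });
        try {
            return AccessController.doPrivileged(action, callerCtx);
        } catch (AccessControlException e) {
            return "DENIED: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Grant everything to this class's own (dynamic) domain, so only the simulated caller is restricted.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.out.println("leaky login:   " + asUnprivilegedCaller(LoginPrivilegeDemo::loginLeaky));
        System.out.println("wrapped login: " + asUnprivilegedCaller(LoginPrivilegeDemo::loginWrapped));
    }
}
```

Compile and run with `javac LoginPrivilegeDemo.java && java LoginPrivilegeDemo` (expect deprecation warnings on JDK 17+). The leaky variant is denied with the same permission string the WildFly trace prints, because the permission-less caller domain is part of the context being checked; the wrapped variant succeeds, because the inner doPrivileged discards the caller's context and only the facade's domain is examined. If a check on the caller is still wanted, it belongs before the privileged block and should be a login-specific permission, which is the alternative the report suggests.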