[ https://issues.jboss.org/browse/SECURITY-864?page=com.atlassian.jira.plug... ]
Martin Letenay commented on SECURITY-864:
-----------------------------------------
We were already using a custom LoginModule before we came across this problem, so the
LoginModule workaround was a simple solution for us.
(We never observed a locked JNDI tree as Philippe Marschall did; I don't have an
explanation for that.)
Our LoginModule workaround is pretty straightforward:
{code}
import java.util.Map;
import java.util.logging.Logger;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;

// AuthenticatorLoginModule is the application's own LoginModule base class (not shown here).
public class JbossAuthenticatorLoginModule extends AuthenticatorLoginModule {

    private static final Logger LOGGER =
            Logger.getLogger(JbossAuthenticatorLoginModule.class.getName());

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        performSECURITY864Workaround();
    }

    private void performSECURITY864Workaround() {
        // Workaround for JBoss/WildFly issue SECURITY-864
        // [https://issues.jboss.org/browse/SECURITY-864]
        //
        // JBoss tries to perform a JNDI lookup for PolicyRegistration during the authorization
        // phase of each EJB invocation. However, no such policy is registered in the JNDI tree,
        // since it is only used in specific situations where an application uses additional
        // XACML security policies. In most cases there is no XACML present/needed, so the
        // PolicyRegistration is not created and registered. The PicketBox security framework
        // nevertheless always tries to load it, which results in an exception during the JNDI
        // lookup. This is harmless from an execution point of view (the exception is caught and
        // just logged at DEBUG level), but it has a quite negative effect on the performance of
        // every EJB execution.
        //
        // The workaround is to manually register the default PolicyRegistration into JNDI
        // (which is not used anywhere) to avoid the lookup/exception on each EJB method invocation.
        String policyRegistrationJndiName = "java:/policyRegistration";
        try {
            new InitialContext().lookup(policyRegistrationJndiName);
            LOGGER.fine("PolicyRegistration instance already present at "
                    + policyRegistrationJndiName + ", skipping workaround.");
            return;
        } catch (NamingException e) {
            LOGGER.fine("PolicyRegistration instance not present at "
                    + policyRegistrationJndiName + ", going to apply workaround.");
        }

        String policyRegistrationClassName = "org.jboss.security.plugins.JBossPolicyRegistration";
        Class<?> policyRegistrationClass = null;
        try {
            policyRegistrationClass = Class.forName(policyRegistrationClassName);
        } catch (ClassNotFoundException e) {
            LOGGER.fine("Class not found via Class.forName: " + policyRegistrationClassName);
            // Fall back to the thread context class loader; in a modular container the loader
            // that defined this LoginModule may not see the PicketBox classes.
            try {
                policyRegistrationClass = Thread.currentThread().getContextClassLoader()
                        .loadClass(policyRegistrationClassName);
            } catch (ClassNotFoundException e2) {
                LOGGER.fine("Class not found via context class loader: " + policyRegistrationClassName);
            }
        } catch (NoClassDefFoundError e) {
            LOGGER.fine("Could not load " + policyRegistrationClassName + " (NoClassDefFoundError)");
        }

        if (policyRegistrationClass != null) {
            try {
                Object policyRegistration = policyRegistrationClass.newInstance();
                try {
                    // lookup-then-bind is not atomic: if several LoginModule instances are
                    // initialized concurrently, the losers get a NameAlreadyBoundException here,
                    // which is a NamingException and is therefore only logged. Binding may also be
                    // refused by the container, in which case the workaround is simply not applied.
                    new InitialContext().bind(policyRegistrationJndiName, policyRegistration);
                } catch (NamingException e) {
                    LOGGER.info("Cannot register PolicyRegistration instance into "
                            + policyRegistrationJndiName + ": " + e.getMessage());
                }
            } catch (InstantiationException | IllegalAccessException e) {
                LOGGER.info("Could not instantiate " + policyRegistrationClassName);
            }
        }
    }
    ...
}
{code}
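A way to confirm the workaround actually took effect, added here as an example and not part of the JIRA comment or of the PicketBox project: the first function counts the PBOX000293 NameNotFoundException lines for policyRegistration in a server.log (the count should drop to zero after the LoginModule has run once), and the second asks a running server whether java:/policyRegistration is bound via the naming subsystem's jndi-view operation. The log lines written by the sample-log helper are constructed for this example, and the JBOSS_HOME path and log file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the JIRA comment): verify the SECURITY-864 workaround.

# Count how often the PBOX000293 NameNotFoundException for policyRegistration was logged.
# grep -c prints 0 and exits 1 when nothing matches, so the "|| true" keeps the count usable
# under "set -e".
# Usage: count_policy_lookup_failures /path/to/server.log
count_policy_lookup_failures() {
    grep -c 'PBOX000293: Exception caught: javax.naming.NameNotFoundException: policyRegistration' "$1" || true
}

# Ask a running server whether java:/policyRegistration is bound (needs jboss-cli and a
# management connection; JBOSS_HOME is an assumption). Returns 0 if bound, 1 otherwise.
policy_registration_is_bound() {
    "${JBOSS_HOME:-/opt/jboss}/bin/jboss-cli.sh" --connect \
        --command="/subsystem=naming:jndi-view" | grep -q 'policyRegistration'
}

# Write a constructed sample log (three failed lookups plus unrelated lines) to the given path,
# so the counter can be exercised without a server.
write_sample_log() {
    cat > "$1" <<'EOF'
2017-01-10 10:00:00,101 INFO  [org.jboss.as] (MSC service thread 1-2) WFLYSRV0025: WildFly started
2017-01-10 10:00:01,202 TRACE [org.jboss.security] (default task-1) PBOX000293: Exception caught: javax.naming.NameNotFoundException: policyRegistration -- service jboss.naming.context.java.policyRegistration
2017-01-10 10:00:01,303 TRACE [org.jboss.security] (default task-2) PBOX000293: Exception caught: javax.naming.NameNotFoundException: policyRegistration -- service jboss.naming.context.java.policyRegistration
2017-01-10 10:00:01,404 DEBUG [org.jboss.as.security] (default task-2) PBOX000354: Setting security roles ThreadLocal
2017-01-10 10:00:02,505 TRACE [org.jboss.security] (default task-3) PBOX000293: Exception caught: javax.naming.NameNotFoundException: policyRegistration -- service jboss.naming.context.java.policyRegistration
EOF
}

# Stand-alone run: build the sample log and report the count.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "failed policyRegistration lookups: $(count_policy_lookup_failures "$tmp")"
    rm -f "$tmp"
fi
```

Run the counter against the real server.log before and after deploying the LoginModule; since the exception is only logged at DEBUG/TRACE, the org.jboss.security logger must be at that level (as in the issue description) for the count to mean anything.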
NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration
-------------------------------------------------------------------------------------------------------

                Key: SECURITY-864
                URL: https://issues.jboss.org/browse/SECURITY-864
            Project: PicketBox
         Issue Type: Bug
         Components: PicketBox
           Reporter: Chao Wang
           Assignee: Stefan Guilhen

"NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration" is recorded in server.log during a quickstart example run, after changing the log level:
{noformat}
<logger category="org.jboss.as.security">
<level name="TRACE"/>
</logger>
<logger category="org.jboss.security">
<level name="TRACE"/>
</logger>
{noformat}
See the detailed description in community discussion [#907134|https://developer.jboss.org/message/907134].
I chose the Jira component picketbox since the exception is titled "PBOX000293: Exception caught: javax.naming.NameNotFoundException".
--
This message was sent by Atlassian JIRA (v7.2.3#72005)