Dimitris Andreadis commented on WFLY-4882:
------------------------------------------
This has been hanging around, see linked JBEAP issue.
Security manager's maximum-permissions setting doesn't work
-----------------------------------------------------------
Key: WFLY-4882
URL: https://issues.jboss.org/browse/WFLY-4882
Project: WildFly
Issue Type: Bug
Components: Security Manager
Affects Versions: 10.0.0.Alpha4, 10.0.0.Alpha6
Reporter: Josef Cacek
Assignee: Stefan Guilhen
Priority: Critical
Configuration of the {{maximum-permissions}} attribute in
{{/subsystem=security-manager/deployment-permissions=default}} doesn't work, so the
permissions for deployments can't be restricted.
(The "_policy of the product installation_" in the words of EE specification is
not enforced).
If an administrator specifies {{maximum-permissions}} in server configuration and also
{{permissions.xml}} in the deployment, all permissions from the {{permissions.xml}} are
granted even if the policies are in conflict.
The {{maximum-permissions}} configuration has the following meaning:
_A set containing the maximum permission scope that can be granted to deployments or
jars_
The Java EE 7 platform specification (JSR 342) says in section EE.6.2.2.1:
_If security permissions are declared that conflict with the policy of the product
installation, the Java EE product must fail deployment of the application module._
*Expected behavior:*
* based on the EE spec, the deployment should fail
* deployed application should not get more permissions than specified in the
{{maximum-permissions}}
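
The check the expected behavior calls for, sketched as an added example using the standard java.security API (this is not WildFly code and not part of the original report): every permission a deployment declares must be implied by the maximum set, otherwise deployment fails. The class name, method name and sample permissions are assumptions constructed for illustration.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

// Added illustration, not WildFly code. Class and method names are hypothetical.
public class MaximumPermissionsCheck {

    /** Returns the declared permissions that the maximum set does not imply. */
    static List<Permission> findConflicts(Permissions maximum, List<Permission> declared) {
        List<Permission> conflicts = new ArrayList<>();
        for (Permission p : declared) {
            // implies() honours wildcards and action lists, so "*"/read covers
            // "java.version"/read but not "user.home"/write.
            if (!maximum.implies(p)) {
                conflicts.add(p);
            }
        }
        return conflicts;
    }

    public static void main(String[] args) {
        // Constructed sample: the administrator's maximum-permissions set.
        Permissions maximum = new Permissions();
        maximum.add(new PropertyPermission("*", "read"));
        maximum.add(new FilePermission("/opt/app/data/-", "read"));

        // Constructed sample: permissions requested in a deployment's permissions.xml.
        List<Permission> declared = List.of(
            new PropertyPermission("java.version", "read"),
            new FilePermission("/opt/app/data/report.txt", "read"),
            new FilePermission("/opt/other/config.txt", "read"),
            new PropertyPermission("user.home", "write"));

        List<Permission> conflicts = findConflicts(maximum, declared);
        if (!conflicts.isEmpty()) {
            // EE.6.2.2.1: conflicting declarations must fail the deployment,
            // rather than being granted or silently trimmed.
            throw new IllegalStateException(
                "Deployment rejected, permissions exceed maximum-permissions: " + conflicts);
        }
        System.out.println("Declared permissions are within maximum-permissions");
    }
}
```

With the sample input, the last two declared permissions are reported as conflicts, which is the case the report says is currently granted instead of rejected.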