[ https://issues.redhat.com/browse/ELY-2049?page=com.atlassian.jira.plugin.... ]
Boris Unckel updated ELY-2049:
------------------------------
Description:
The current implementation is very strong for regular cases. It works fine to display
missing permissions when CodeSource and/or ClassLoader are correctly set to the checked
protection domain. If one of those is missing and there is no good exception handling, it
is impossible to track down missing permissions.
Examples:
[Undertow|https://issues.redhat.com/browse/UNDERTOW-1815]
[WildFly 1|https://issues.redhat.com/browse/WFLY-14072]
[WildFly 1a, including Stacktrace|https://issues.redhat.com/browse/WFLY-14039]
[java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] line 2048
The idea is to provide a yielded trace log and provide the missing permission, the full
protection domain and a dummy exception to have a stack trace where this occurs.
Current code:
{code:java}
public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) {
    ProtectionDomain deniedDomain = null;
    if (domains != null) for (ProtectionDomain domain : domains) {
        if (! domain.implies(permission)) {
            final CodeSource codeSource = domain.getCodeSource();
            final ClassLoader classLoader = domain.getClassLoader();
            final Principal[] principals = domain.getPrincipals();
            if (principals == null || principals.length == 0) {
                access.accessCheckFailed(permission, codeSource, classLoader);
            } else {
                access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals));
            }
            if (deniedDomain == null && ! LOG_ONLY) {
                deniedDomain = domain;
            }
        }
    }
    return deniedDomain;
}
{code}
was:
The current implementation is very strong for regular cases. It works fine to display
missing permissions when CodeSource and/or ClassLoader are correctly set to the checked
protection domain. If one of those is missing and there is no good exception handling, it
is impossible to track down missing permissions.
Examples:
[Undertow|https://issues.redhat.com/browse/UNDERTOW-1815]
[java.io.File|https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.bas...] line 2048
The idea is to provide a yielded trace log and provide the missing permission, the full
protection domain and a dummy exception to have a stack trace where this occurs.
Current code:
{code:java}
public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) {
    ProtectionDomain deniedDomain = null;
    if (domains != null) for (ProtectionDomain domain : domains) {
        if (! domain.implies(permission)) {
            final CodeSource codeSource = domain.getCodeSource();
            final ClassLoader classLoader = domain.getClassLoader();
            final Principal[] principals = domain.getPrincipals();
            if (principals == null || principals.length == 0) {
                access.accessCheckFailed(permission, codeSource, classLoader);
            } else {
                access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals));
            }
            if (deniedDomain == null && ! LOG_ONLY) {
                deniedDomain = domain;
            }
        }
    }
    return deniedDomain;
}
{code}
Add trace capability to o.w.s.m.WildFlySecurityManager findAccessDenial
-----------------------------------------------------------------------
Key: ELY-2049
URL: https://issues.redhat.com/browse/ELY-2049
Project: WildFly Elytron
Issue Type: Enhancement
Components: Security Manager
Affects Versions: 1.13.2.Final
Reporter: Boris Unckel
Priority: Major
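A sketch of the trace logging proposed in the description, added here as an illustration; it is not code from the issue or from WildFly Elytron. It assumes java.util.logging (FINEST standing in for trace) instead of the project's own logger, uses a hypothetical class, method and logger name, and leaves out the LOG_ONLY switch. The sample domain is constructed with no CodeSource and no ClassLoader, the case the description says is hard to track down.

```java
import java.io.FilePermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

public class AccessDenialTraceExample {
    // Hypothetical logger name; the project's own logger is not shown in the issue.
    private static final Logger LOG = Logger.getLogger("example.security.access");

    /** Returns the first denying domain and logs the full context at FINEST. */
    static ProtectionDomain findAccessDenialWithTrace(final Permission permission,
                                                      final ProtectionDomain... domains) {
        ProtectionDomain deniedDomain = null;
        if (domains != null) for (ProtectionDomain domain : domains) {
            if (domain != null && !domain.implies(permission)) {
                // Guard the expensive part: a stack trace is only captured when tracing is on.
                if (LOG.isLoggable(Level.FINEST)) {
                    // Dummy exception, never thrown; it only records where the check happened.
                    final Throwable where = new Throwable("access check failed here");
                    // ProtectionDomain.toString() includes CodeSource, ClassLoader,
                    // principals and permissions, even when some of them are null.
                    LOG.log(Level.FINEST, "Permission check failed: " + permission
                            + " for protection domain " + domain, where);
                }
                if (deniedDomain == null) {
                    deniedDomain = domain;
                }
            }
        }
        return deniedDomain;
    }

    public static void main(String[] args) {
        // Route FINEST records to the console for this demonstration.
        final ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINEST);
        LOG.setUseParentHandlers(false);
        LOG.addHandler(handler);
        LOG.setLevel(Level.FINEST);

        // Constructed input: a domain without CodeSource or ClassLoader and with no permissions.
        final ProtectionDomain anonymous = new ProtectionDomain((CodeSource) null, new Permissions());
        final Permission read = new FilePermission("/tmp/example.txt", "read");
        final ProtectionDomain denied = findAccessDenialWithTrace(read, anonymous);
        System.out.println("denied domain found: " + (denied != null));
    }
}
```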