[
https://issues.jboss.org/browse/WFLY-8760?page=com.atlassian.jira.plugin....
]
Ondrej Lukas commented on WFLY-8760:
------------------------------------
[~gaol] I am able to reproduce it with a Servlet which calls:
{code}
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.mapping.MappingManager;
import org.jboss.security.mapping.MappingType;
import org.picketbox.factories.SecurityFactory;
...
MappingManager mm = SecurityFactory.getMappingManager(securityDomainName);
MappingContext<Object> mc = mm.getMappingContext(MappingType.ATTRIBUTE.name());
...
{code}
Then the following AccessControlException is thrown:
{code}
ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to
/844252ce-02ae-4a7a-b414-4be69116984f/protected/LdapAttributeMappingProviderServlet:
java.security.AccessControlException: WFSM000001: Permission check failed (permission
"("java.lang.RuntimePermission" "createClassLoader")" in
code source "(vfs:/content/844252ce-02ae-4a7a-b414-4be69116984f.war/WEB-INF/classes
<no signer certificates>)" of "ModuleClassLoader for Module
"deployment.844252ce-02ae-4a7a-b414-4be69116984f.war" from Service Module
Loader")
at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
at org.wildfly.security.manager.WildFlySecurityManager.checkCreateClassLoader(WildFlySecurityManager.java:308)
at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274)
at java.lang.ClassLoader.<init>(ClassLoader.java:335)
at java.security.SecureClassLoader.<init>(SecureClassLoader.java:99)
at org.jboss.as.security.plugins.ModuleClassLoaderLocator$CombinedClassLoader.<init>(ModuleClassLoaderLocator.java:82)
at org.jboss.as.security.plugins.ModuleClassLoaderLocator.get(ModuleClassLoaderLocator.java:72)
at org.jboss.security.plugins.mapping.JBossMappingManager.generateMappingContext(JBossMappingManager.java:111)
at org.jboss.security.plugins.mapping.JBossMappingManager.getMappingContext(JBossMappingManager.java:74)
...
{code}
get method of ModuleClassLoaderLocator requires createClassLoader permission
----------------------------------------------------------------------------
Key: WFLY-8760
URL: https://issues.jboss.org/browse/WFLY-8760
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: Lin Gao
Priority: Critical
There is a missing doPrivileged block in ModuleClassLoaderLocator. The fix of WFLY-7412 for ModuleClassLoaderLocator introduces a new CombinedClassLoader inner class which extends SecureClassLoader. Initialization of this class needs the createClassLoader RuntimePermission.
That means:
* All deployments which use an API which internally uses ModuleClassLoaderLocator need the createClassLoader RuntimePermission (which is new in EAP 7.1; the same deployments in EAP 7.0 do not need this permission)
** i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
* Setting the createClassLoader RuntimePermission for a deployment can be dangerous and it should probably use its own permission
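
The doPrivileged pattern the description refers to, as an added example that is not part of the original issue and not WildFly source: the library constructs the SecureClassLoader subclass inside a privileged action, so the createClassLoader check stops at the library's own protection domain instead of reaching the deployment. The names PrivilegedLoaderFactory, CombinedLoader and combine are hypothetical; it assumes a JDK that still supports the SecurityManager (as the Java 8 stack trace above does) and that the library's code source itself holds createClassLoader.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.SecureClassLoader;
import java.util.Arrays;
import java.util.List;

// Hypothetical stand-in for a locator that combines class loaders.
public final class PrivilegedLoaderFactory {

    static final class CombinedLoader extends SecureClassLoader {
        private final List<ClassLoader> delegates;

        CombinedLoader(List<ClassLoader> delegates) {
            // ClassLoader.<init> runs checkCreateClassLoader() at this point.
            super((ClassLoader) null);
            this.delegates = delegates;
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            for (ClassLoader cl : delegates) {
                try {
                    return cl.loadClass(name);
                } catch (ClassNotFoundException ignored) {
                    // fall through to the next delegate
                }
            }
            throw new ClassNotFoundException(name);
        }
    }

    // Library entry point called from deployment code.
    public static ClassLoader combine(ClassLoader... loaders) {
        final List<ClassLoader> delegates = Arrays.asList(loaders.clone());
        if (System.getSecurityManager() == null) {
            return new CombinedLoader(delegates); // no checks are active
        }
        // Keep the privileged action minimal: only the constructor call runs
        // with the library's permissions, and it wraps loaders the caller
        // already holds, so the caller gains no new access.
        return AccessController.doPrivileged(
                (PrivilegedAction<ClassLoader>) () -> new CombinedLoader(delegates));
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = combine(PrivilegedLoaderFactory.class.getClassLoader());
        System.out.println(cl.loadClass("java.lang.String"));
    }
}
```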