Ondrej Lukas created ELY-1349:
---------------------------------
Summary: Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier
Key: ELY-1349
URL: https://issues.jboss.org/browse/ELY-1349
Project: WildFly Elytron
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
When the application server is running with a Security Manager, using the Elytron API
(ElytronXmlParser.parseAuthenticationClientConfiguration()) from a deployment leads to an
AccessControlException. The ServiceLoaderSupplier uses doPrivileged incorrectly, so the
FilePermission check performed while accessing the Elytron JAR fails.
A workaround could be adding this FilePermission to each such deployment, but this is
neither safe nor practical, as the JAR name and location can change (e.g. a version upgrade
with patches applied).
It seems the problem is caused by passing an AccessControlContext as the second parameter of
the {{doPrivileged}} method [1]. {{ServiceLoaderSupplier}} does not require this permission
when the second parameter is removed from the {{doPrivileged}} call. This privileged block
was added as the fix for JBEAP-12111 - the {{doPrivileged}} call was added to
{{org.wildfly.security.util.ServiceLoaderSupplier}}.
For example, this is the stack trace for calling the
{{ElytronXmlParser.parseAuthenticationClientConfiguration}} method from a Servlet in a war
application:
{code}
java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/user/jboss-eap-7.1/modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-1.1.1.Final-redhat-1.jar" "read")" in code source "(vfs:/content/wildfly-config-xml-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.wildfly-config-xml-dep.war" from Service Module Loader")
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:350)
    at sun.net.www.protocol.jar.JarFileFactory.getCachedJarFile(JarFileFactory.java:137)
    at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:81)
    at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
    at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
    at java.net.URL.openStream(URL.java:1038)
    at java.util.ServiceLoader.parse(ServiceLoader.java:304)
    at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
    at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
    at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
    at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
    at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
    at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
    at org.wildfly.security.util.ServiceLoaderSupplier.loadServices(ServiceLoaderSupplier.java:73)
    at org.wildfly.security.util.ServiceLoaderSupplier.lambda$get$0(ServiceLoaderSupplier.java:58)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:58)
    at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:39)
    at org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier.get(ElytronXmlParser.java:2433)
    at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:115)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseClearPassword$40(ElytronXmlParser.java:2001)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$27(ElytronXmlParser.java:918)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$33(ElytronXmlParser.java:953)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$18(ElytronXmlParser.java:691)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$22(ElytronXmlParser.java:739)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationRuleType$7(ElytronXmlParser.java:575)
    at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$8(ElytronXmlParser.java:599)
    at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:299)
    at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:176)
    at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:137)
    ...
{code}
[1] https://github.com/wildfly-security/wildfly-elytron/blob/8c033958d78fcb1c...
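The difference between the two {{doPrivileged}} forms described above, as an added example that is not Elytron's code: the class and method names are hypothetical, the restricted context is constructed inline, and a PropertyPermission that the default JDK policy grants to all code stands in for the FilePermission on the module JAR so that no policy file is needed.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public final class DoPrivilegedContextDemo {
    // Constructed stand-in for a restricted captured context: one protection
    // domain that holds no permissions at all.
    private static final AccessControlContext RESTRICTED_CONTEXT =
        new AccessControlContext(new ProtectionDomain[] {
            new ProtectionDomain(null, new Permissions()) });
    // Stand-in for the FilePermission from the report; the default JDK policy
    // grants this permission to every code source.
    private static final Permission PROBE = new PropertyPermission("java.version", "read");

    // Two-argument form: the action runs with the intersection of this class's
    // own domain and RESTRICTED_CONTEXT, so the check fails no matter what our
    // own domain is granted. This is the shape of the failing call in the report.
    static boolean checkWithCapturedContext() {
        try {
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(PROBE);
                return null;
            }, RESTRICTED_CONTEXT);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Single-argument form: only this class's own domain is consulted, which is
    // what dropping the second parameter achieves.
    static boolean checkWithOwnDomain() {
        try {
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(PROBE);
                return null;
            });
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // JDK 8-16 need no flag; JDK 17+ require -Djava.security.manager=allow.
        System.setSecurityManager(new SecurityManager());
        System.out.println("captured context: " + checkWithCapturedContext());
        System.out.println("own domain only:  " + checkWithOwnDomain());
    }
}
```

With the security manager installed, the first call is denied by the empty domain in the passed context while the second succeeds, which is the behaviour the report observes when the second parameter is removed.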
--
This message was sent by Atlassian JIRA (v7.2.3#72005)