[JBoss JIRA] (WFCORE-1266) Incorreclty bypass the SecurityManager and call AccessControl.checkPermission() directly
7 p.m.
[
https://issues.jboss.org/browse/WFCORE-1266?page=com.atlassian.jira.plugi...
]
Jason Shepherd updated WFCORE-1266:
-----------------------------------
Steps to Reproduce:
1. Recompile jboss-modules after removing AllPermission from getAllPermissions.
{code}
Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git branch
* (HEAD detached at 1.4.4.Final)
master
Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git diff
src/main/java/org/jboss/modules/ModulesPolicy.java
diff --git a/src/main/java/org/jboss/modules/ModulesPolicy.java
b/src/main/java/org/jboss/modules/ModulesPolicy.java
index 1b8da50..0db9345 100644
--- a/src/main/java/org/jboss/modules/ModulesPolicy.java
+++ b/src/main/java/org/jboss/modules/ModulesPolicy.java
@@ -39,7 +39,7 @@ final class ModulesPolicy extends Policy {
private static Permissions getAllPermission() {
final Permissions permissions = new Permissions();
- permissions.add(ALL_PERMISSION);
+ //permissions.add(ALL_PERMISSION);
return permissions;
}
{code}
2. Remove the Throw clauses from WildflySecurityManager
{code}
Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git branch
* (HEAD detached at 1.0.2.Final)
master
Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git diff
diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
index 379c61f..11dddff 100644
--- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
+++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
@@ -270,7 +270,7 @@ public final class WildFlySecurityManager extends SecurityManager {
} else {
access.accessCheckFailed(perm, codeSource, classLoader,
Arrays.toString(principals));
}
- throw access.accessControlException(perm, perm, codeSource,
classLoader);
+ //throw access.accessControlException(perm, perm, codeSource,
classLoader);
}
}
} finally {
@@ -302,7 +302,7 @@ public final class WildFlySecurityManager extends SecurityManager {
} else {
access.accessCheckFailed(perm, codeSource, classLoader,
Arrays.toString(principals));
}
- throw access.accessControlException(perm, perm, codeSource,
classLoader);
+ //throw access.accessControlException(perm, perm, codeSource,
classLoader);
}
}
} finally {
@@ -1061,7 +1061,7 @@ public final class WildFlySecurityManager extends SecurityManager
{
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(),
classLoader);
- throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
+ //throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
}
private static void checkEnvPropertyReadPermission(Class<?> clazz, String
propertyName) {
@@ -1082,7 +1082,7 @@ public final class WildFlySecurityManager extends SecurityManager
{
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(),
classLoader);
- throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
+ //throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
}
private static void checkPropertyWritePermission(Class<?> clazz, String
propertyName) {
@@ -1103,7 +1103,7 @@ public final class WildFlySecurityManager extends SecurityManager
{
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(),
classLoader);
- throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
+ //throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
}
private static void checkPDPermission(Class<?> clazz, Permission permission)
{
@@ -1120,7 +1120,7 @@ public final class WildFlySecurityManager extends SecurityManager
{
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(),
classLoader);
- throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
+ //throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
}
/**
{code}
3. Start Wildfly
was:
# recompile jboss-modules after removing AllPermission from getAllPermissions.
{code}
Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git branch
* (HEAD detached at 1.4.4.Final)
master
{code}
{code}
Jasons-MacBook-Pro:jboss-modules jasonshepherd$ git diff
src/main/java/org/jboss/modules/ModulesPolicy.java
diff --git a/src/main/java/org/jboss/modules/ModulesPolicy.java
b/src/main/java/org/jboss/modules/ModulesPolicy.java
index 1b8da50..0db9345 100644
--- a/src/main/java/org/jboss/modules/ModulesPolicy.java
+++ b/src/main/java/org/jboss/modules/ModulesPolicy.java
@@ -39,7 +39,7 @@ final class ModulesPolicy extends Policy {
private static Permissions getAllPermission() {
final Permissions permissions = new Permissions();
- permissions.add(ALL_PERMISSION);
+ //permissions.add(ALL_PERMISSION);
return permissions;
}
{code}
# Remove the Throw clauses from WildflySecurityManager
{code}
Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git branch
* (HEAD detached at 1.0.2.Final)
master
{code}
{code}
Jasons-MacBook-Pro:wildfly-elytron jasonshepherd$ git diff
diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
index 379c61f..11dddff 100644
--- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
+++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
@@ -270,7 +270,7 @@ public final class WildFlySecurityManager extends SecurityManager {
} else {
access.accessCheckFailed(perm, codeSource, classLoader,
Arrays.toString(principals));
}
- throw access.accessControlException(perm, perm, codeSource,
classLoader);
+ //throw access.accessControlException(perm, perm, codeSource,
classLoader);
}
}
} finally {
@@ -302,7 +302,7 @@ public final class WildFlySecurityManager extends SecurityManager {
} else {
access.accessCheckFailed(perm, codeSource, classLoader,
Arrays.toString(principals));
}
- throw access.accessControlException(perm, perm, codeSource,
classLoader);
+ //throw access.accessControlException(perm, perm, codeSource,
classLoader);
}
}
} finally {
@@ -1061,7 +1061,7 @@ public final class WildFlySecurityManager extends SecurityManager
{
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(),
classLoader);
- throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
+ //throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
}
private static void checkEnvPropertyReadPermission(Class<?> clazz, String
propertyName) {
@@ -1082,7 +1082,7 @@ public final class WildFlySecurityManager extends SecurityManager
{
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(),
classLoader);
- throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
+ //throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
}
private static void checkPropertyWritePermission(Class<?> clazz, String
propertyName) {
@@ -1103,7 +1103,7 @@ public final class WildFlySecurityManager extends SecurityManager
{
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(),
classLoader);
- throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
+ //throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
}
private static void checkPDPermission(Class<?> clazz, Permission permission)
{
@@ -1120,7 +1120,7 @@ public final class WildFlySecurityManager extends SecurityManager
{
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(),
classLoader);
- throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
+ //throw access.accessControlException(permission, permission,
protectionDomain.getCodeSource(), classLoader);
}
/**
{code}
#Start Wildfly
Incorreclty bypass the SecurityManager and call
AccessControl.checkPermission() directly
----------------------------------------------------------------------------------------
Key: WFCORE-1266
URL: https://issues.jboss.org/browse/WFCORE-1266
Project: WildFly Core
Issue Type: Bug
Components: Server
Affects Versions: 2.0.5.Final
Reporter: Jason Shepherd
Assignee: Jason Shepherd
If we modify jboss-modules to remove the allPermissions by default, then change the
WildflySecurityManager to avoid throwing exceptions, we get this error when starting
Wildfly:
{code}
org.jboss.msc.service.StartException in service jboss.as: Failed to start service
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.AccessControlException: access denied
("org.jboss.as.server.security.ServerPermission"
"setCurrentServiceContainer")
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at
org.jboss.as.server.CurrentServiceContainer.checkPermission(CurrentServiceContainer.java:63)
at
org.jboss.as.server.CurrentServiceContainer.setServiceContainer(CurrentServiceContainer.java:56)
at
org.jboss.as.server.ApplicationServerService.start(ApplicationServerService.java:137)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
... 3 more
{code}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
3581
days inactive
3581
days old
0 comments
1 participants
participants (1)
-
Jason Shepherd (JIRA)