Lin Gao commented on WFCORE-1351:
---------------------------------
I tried to use a privileged action to create the Endpoint using the commit at:
.
The first 4 permission check exceptions are gone; however, the last 2 permission check
exceptions are still there:
1. new RuntimePermission("accessDeclaredMembers") -> [^5-no-suppressAccessChecks-permission.stracktrace]
2. new java.lang.reflect.ReflectPermission("suppressAccessChecks") -> Test Pass
FilePermission for XNIO and Marshalling modules are required for
Remoting to run with security manager
------------------------------------------------------------------------------------------------------
Key: WFCORE-1351
URL: https://issues.jboss.org/browse/WFCORE-1351
Project: WildFly Core
Issue Type: Bug
Components: Remoting, Security
Reporter: Ondrej Kotek
Assignee: David Lloyd
Priority: Critical
Fix For: 3.0.0.Alpha10
Attachments: 1-no-createEndpoint-permission.stacktrace,
2-no-createXnioWorker-permission.stacktrace,
3-no-addConnectionProvider-permission.stacktrace,
4-no-accessDeclaredMembers-permission.stractrace,
5-no-suppressAccessChecks-permission.stracktrace
# Running _NestedRemoteContextTestCase_ (from WildFly _testsuite/integration/basic_) with
security manager, like
{noformat}
./integration-tests.sh -Dts.basic -Dts.noSmoke -Dtest=NestedRemoteContextTestCase -Dsecurity.manager
{noformat}
results in exception:
{noformat}
java.io.IOException: java.lang.IllegalArgumentException: XNIO001001: No XNIO provider found
{noformat}
To make it work, permissions like the following need to be added to _permissions.xml_ of
_ejb.ear_:
{noformat}
new FilePermission("/home/okotek/git/wildfly/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/jboss/xnio/nio/main/*", "read"),
new FilePermission("/home/okotek/git/wildfly/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/jboss/marshalling/river/main/*", "read"),
new RemotingPermission("createEndpoint"),
new RuntimePermission("createXnioWorker"),
new RemotingPermission("addConnectionProvider"),
new RuntimePermission("modifyThread"),
new RuntimePermission("accessDeclaredMembers"),
new ReflectPermission("suppressAccessChecks")
{noformat}
which is very confusing.
Why do I need to add seemingly unrelated permissions, like _FilePermission_ for XNIO and
marshalling or _RuntimePermission_ for createXnioWorker? Such behavior should be fixed or
properly documented.
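
The permission list in the report is written as Java constructor calls, while _permissions.xml_ is an XML descriptor. The following is an added example, not part of the original issue or of WildFly's code, that converts such a list into descriptor entries so the grants can be reviewed and kept to exactly what was listed. It assumes the Java EE 7 permissions.xml layout, the package name for RemotingPermission, and a constructed sample list with /opt/wildfly as a placeholder install root.

```python
import re
from xml.sax.saxutils import escape

# Short class names from the report mapped to fully qualified names.
# The RemotingPermission package is an assumption; confirm it in your jboss-remoting jar.
FQCN = {
    "FilePermission": "java.io.FilePermission",
    "RuntimePermission": "java.lang.RuntimePermission",
    "ReflectPermission": "java.lang.reflect.ReflectPermission",
    "RemotingPermission": "org.jboss.remoting3.security.RemotingPermission",
}

# Matches `new Cls("name")` and `new Cls("name", "actions")`, tolerating line wraps.
PERM_RE = re.compile(r'new\s+([\w.]+)\s*\(\s*"([^"]*)"\s*(?:,\s*"([^"]*)"\s*)?\)')

def parse_permissions(text):
    """Return de-duplicated (class, name, actions) tuples in first-seen order."""
    perms = []
    for cls, name, actions in PERM_RE.findall(text):
        if "." not in cls:
            if cls not in FQCN:
                raise ValueError(f"unknown permission class: {cls}")
            cls = FQCN[cls]
        entry = (cls, name, actions)
        if entry not in perms:
            perms.append(entry)
    return perms

def to_permissions_xml(perms):
    """Render the tuples as a Java EE 7 META-INF/permissions.xml document."""
    out = ['<permissions xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="7">']
    for cls, name, actions in perms:
        out.append("  <permission>")
        out.append(f"    <class-name>{escape(cls)}</class-name>")
        out.append(f"    <name>{escape(name)}</name>")
        if actions:  # omit <actions> for permissions that take none
            out.append(f"    <actions>{escape(actions)}</actions>")
        out.append("  </permission>")
    out.append("</permissions>")
    return "\n".join(out)

# Constructed sample: /opt/wildfly stands in for the install root.
SAMPLE = '''
new
FilePermission("/opt/wildfly/modules/system/layers/base/org/jboss/xnio/nio/main/*",
"read"),
new RemotingPermission("createEndpoint"),
new RuntimePermission("createXnioWorker"),
new java.lang.reflect.ReflectPermission("suppressAccessChecks")
'''

if __name__ == "__main__":
    print(to_permissions_xml(parse_permissions(SAMPLE)))
```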