Darran Lofthouse created WFLY-12526:
---------------------------------------
Summary: doPrivileged needed for isUserInRole
Key: WFLY-12526
URL:
https://issues.jboss.org/browse/WFLY-12526
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 18.0.0.Final
Currently experiencing the following error: -
{noformat}
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed
(permission "("java.lang.RuntimePermission"
"org.jboss.security.plugins.ClassLoaderLocatorFactory.get")" in code source
"(vfs:/content/mydeployment.war/ <no signer certificates>)" of
"org.apache.jasper.servlet.JasperLoader@24d700ba")
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
[wildfly-elytron-security-manager-1.10.0.Final.jar:1.10.0.Final]
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
[wildfly-elytron-security-manager-1.10.0.Final.jar:1.10.0.Final]
at
org.jboss.security.plugins.ClassLoaderLocatorFactory.get(ClassLoaderLocatorFactory.java:51)
[picketbox-5.0.3.Final.jar:5.0.3.Final]
at
org.jboss.security.plugins.authorization.JBossAuthorizationContext.initializeModules(JBossAuthorizationContext.java:187)
[picketbox-5.0.3.Final.jar:5.0.3.Final]
at
org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:141)
[picketbox-5.0.3.Final.jar:5.0.3.Final]
at
org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:438)
[picketbox-5.0.3.Final.jar:5.0.3.Final]
at
org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115)
[picketbox-5.0.3.Final.jar:5.0.3.Final]
at
org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasRole(WebAuthorizationHelper.java:201)
[picketbox-5.0.3.Final.jar:5.0.3.Final]
at
org.wildfly.extension.undertow.security.JbossAuthorizationManager.isUserInRole(JbossAuthorizationManager.java:99)
at
io.undertow.servlet.spec.HttpServletRequestImpl.isUserInRole(HttpServletRequestImpl.java:337)
[undertow-servlet-2.0.26.Final.jar:2.0.26.Final]
at org.apache.jsp.secured_jsp._jspService(secured_jsp.java:109)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
[jastow-2.0.7.Final.jar:2.0.7.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
[jboss-servlet-api_4.0_spec-2.0.0.CR2.jar:2.0.0.CR2]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433)
[jastow-2.0.7.Final.jar:2.0.7.Final]
... 51 more
{noformat}
The reason I believe this requires a doPrivileged is the permission required is entirely
internal to our implementation of isUserInRole - whilst the deployment can trigger this
call the deployment can not influence how this is implemented so the deployment's
ProtectionDomain should not require the permissions needed for our internal class loading
so a doPrivileged call will drop the deployment's ProtectionDomain from the stack.
--
This message was sent by Atlassian Jira
(v7.13.5#713005)