[
https://issues.jboss.org/browse/WFLY-10240?page=com.atlassian.jira.plugin...
]
Kabir Khan commented on WFLY-10240:
-----------------------------------
It seems that in WF11 (which effectively was 7.1.0) the wsconsume script gives no
treatment to the SECMGR environment variable and -secmgr parameter in
https://github.com/wildfly/wildfly/blob/11.0.0.Final/feature-pack/src/mai...
This support was added by [~rsearls] in
https://github.com/wildfly/wildfly/pull/10695 and
https://github.com/wildfly/wildfly/pull/10813. So this 'working' in 7.1 would
actually meant these flags have no effect and the security manager was not turned on.
For 6.3 and 6.4 we did not support Java 8. I have checked with [~darranl], and adding
doPrivileged blocks in cxf which is the part the call stack under our control would have
no effect as it is in a different ProtectionDomain from the sun.tool classes. Having gone
through this with him, he agrees this looks like a JDK bug and that a policy file is
needed.
Please downgrade this issue, file the bug, and document as a known issue.
[~rsearls] Perhaps find a policy file which grants a smaller set of permissions? As
granting AllPermissions is effectively the same running without a SM :)
Finally, I'd like to reemphasize that this are developer tools to generate code to run
in the server. If the intent is to stop people from adding 'evil' endpoints for
deployment into the server, there is nothing to stop me from opening my IDE and writing
something by hand. Securing the code generation tool is not the right level for locking
this down, that needs to happen elsewhere. However, it might keep some customers happy,
but we have a workaround with the policy file.
WS scripts throws AccessControlException when secmgr is used
------------------------------------------------------------
Key: WFLY-10240
URL:
https://issues.jboss.org/browse/WFLY-10240
Project: WildFly
Issue Type: Bug
Components: Scripts, Web Services
Reporter: Marek Kopecký
Assignee: R Searls
Priority: Blocker
Labels: blocker-WF14
WS scripts throws AccessControlException when secmgr is used
{noformat}
[mkopecky@dhcp-10-40-5-128 bin]$ java -version
openjdk version "1.8.0_162"
OpenJDK Runtime Environment (build 1.8.0_162-b12)
OpenJDK 64-Bit Server VM (build 25.162-b12, mixed mode)
[mkopecky@dhcp-10-40-5-128 bin]$ ./wsconsume.sh -secmgr
https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/test...
Could not find log4j.properties or log4j.xml configuration, logging to console.
Loading FrontEnd jaxws ...
Loading DataBinding jaxb ...
wsdl2java -compile -exsh false -d
/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp5146068 -verbose -classdir
/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output -allowElementReferences
https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/test...
wsdl2java - Apache CXF 3.2.4
[mkopecky@dhcp-10-40-5-128 bin]$ export SECMGR=true
[mkopecky@dhcp-10-40-5-128 bin]$ ./wsconsume.sh -secmgr
https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/test...
Could not find log4j.properties or log4j.xml configuration, logging to console.
Loading FrontEnd jaxws ...
Loading DataBinding jaxb ...
wsdl2java -compile -exsh false -d
/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967 -verbose -classdir
/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output -allowElementReferences
https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/test...
wsdl2java - Apache CXF 3.2.4
JBWS024002: Failed to invoke org.apache.cxf.tools.wsdlto.WSDLToJava
org.apache.cxf.tools.common.ToolException: java.security.AccessControlException:
WFSM000001: Permission check failed (permission "("java.io.FilePermission"
"/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967/org/openuri/_2004/_04/helloworld/EndpointInterface.java"
"read")" in code source
"(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar
<no signer certificates>)" of
"java.net.FactoryURLClassLoader@e4d2696")
at
org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:420)
at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:105)
at org.apache.cxf.tools.wsdlto.WSDLToJava.run(WSDLToJava.java:113)
at org.jboss.wsf.stack.cxf.tools.CXFConsumerImpl.consume(CXFConsumerImpl.java:313)
at org.jboss.ws.tools.cmd.WSConsume.importServices(WSConsume.java:298)
at org.jboss.ws.tools.cmd.WSConsume.mainInternal(WSConsume.java:108)
at org.jboss.ws.tools.cmd.WSConsume.main(WSConsume.java:96)
at org.jboss.modules.Module.runMainMethod(Module.java:348)
at org.jboss.modules.Module.run(Module.java:328)
at org.jboss.modules.Main.main(Main.java:557)
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed
(permission "("java.io.FilePermission"
"/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967/org/openuri/_2004/_04/helloworld/EndpointInterface.java"
"read")" in code source
"(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar
<no signer certificates>)" of
"java.net.FactoryURLClassLoader@e4d2696")
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
at
org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:360)
at java.io.File.isDirectory(File.java:844)
at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:69)
at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:64)
at
com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromFiles(JavacFileManager.java:785)
at
com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromStrings(JavacFileManager.java:185)
at org.apache.cxf.common.util.Compiler.useJava6Compiler(Compiler.java:202)
at org.apache.cxf.common.util.Compiler.compileFiles(Compiler.java:141)
at org.apache.cxf.tools.common.ClassUtils.compile(ClassUtils.java:123)
at
org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.processWsdl(WSDLToJavaContainer.java:303)
at
org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:164)
at
org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:412)
... 9 more
[mkopecky@dhcp-10-40-5-128 bin]$
{noformat}
{noformat}
[mkopecky@dhcp-10-40-5-128 bin]$ java -version
openjdk version "1.8.0_162"
OpenJDK Runtime Environment (build 1.8.0_162-b12)
OpenJDK 64-Bit Server VM (build 25.162-b12, mixed mode)
[mkopecky@dhcp-10-40-5-128 bin]$ ./wsprovide.sh -k -c ~/erase13/classes -o out
org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
Could not find log4j.properties or log4j.xml configuration, logging to console.
java2ws -s /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -classdir
/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -d
/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -verbose -cp
/home/mkopecky/erase13/classes/: -wrapperbean -createxsdimports
org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
java2ws - Apache CXF 3.2.4
[mkopecky@dhcp-10-40-5-128 bin]$ export SECMGR=true
[mkopecky@dhcp-10-40-5-128 bin]$ ./wsprovide.sh -k -c ~/erase13/classes -o out
org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
Could not find log4j.properties or log4j.xml configuration, logging to console.
java2ws -s /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -classdir
/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -d
/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -verbose -cp
/home/mkopecky/erase13/classes/: -wrapperbean -createxsdimports
org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
java2ws - Apache CXF 3.2.4
java.security.AccessControlException: WFSM000001: Permission check failed (permission
"("java.io.FilePermission"
"/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out/org/jboss/as/testsuite/integration/scripts/test/tools/jaxws/EchoPlus1Response.java"
"read")" in code source
"(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar
<no signer certificates>)" of
"java.net.FactoryURLClassLoader@29876704")
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
at
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
at
org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:360)
at java.io.File.isDirectory(File.java:844)
at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:69)
at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:64)
at
com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromFiles(JavacFileManager.java:785)
at
com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromStrings(JavacFileManager.java:185)
at org.apache.cxf.common.util.Compiler.useJava6Compiler(Compiler.java:202)
at org.apache.cxf.common.util.Compiler.compileFiles(Compiler.java:141)
at
org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generateAndCompile(BeanGenerator.java:91)
at
org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generate(BeanGenerator.java:58)
at
org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generate(BeanGenerator.java:35)
at
org.apache.cxf.tools.java2wsdl.processor.JavaToWSDLProcessor.generate(JavaToWSDLProcessor.java:156)
at
org.apache.cxf.tools.java2wsdl.processor.JavaToWSDLProcessor.process(JavaToWSDLProcessor.java:118)
at
org.apache.cxf.tools.java2ws.JavaToWSContainer.processWSDL(JavaToWSContainer.java:110)
at org.apache.cxf.tools.java2ws.JavaToWSContainer.execute(JavaToWSContainer.java:75)
at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:105)
at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:45)
at org.apache.cxf.tools.java2ws.JavaToWS.run(JavaToWS.java:83)
at org.jboss.wsf.stack.cxf.tools.CXFProviderImpl.provide(CXFProviderImpl.java:200)
at org.jboss.wsf.stack.cxf.tools.CXFProviderImpl.provide(CXFProviderImpl.java:109)
at org.jboss.ws.tools.cmd.WSProvide.generate(WSProvide.java:223)
at org.jboss.ws.tools.cmd.WSProvide.main(WSProvide.java:89)
at org.jboss.modules.Module.runMainMethod(Module.java:348)
at org.jboss.modules.Module.run(Module.java:328)
at org.jboss.modules.Main.main(Main.java:557)
[mkopecky@dhcp-10-40-5-128 bin]$
{noformat}
Second example uses classes from classes.zip file attached in WFLY-10238
cc: [~jbliznak]
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)