[arquillian-issues] [JBoss JIRA] (ARQ-2204) wildfly security manager jboss modules permissions setup

r searls (Jira) issues at jboss.org
Thu Jul 25 10:32:01 EDT 2019 

    [ https://issues.jboss.org/browse/ARQ-2204?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13763404#comment-13763404 ] 

r searls commented on ARQ-2204:
-------------------------------

Resteasy is not tested regularly with SecurityManager.

Since the new jboss-modules design was implemented Resteasy has been tested by 
QA with the security manager once or twice a year.  Resteasy versions 3.x and 4.x
have been tested over time.  QA runs with JDK-8 as this is the oldest supported
version.  I don't know what later versions they test with. I always check against 
JDK-8 and JDK-11.  In the past QA reported issues that required the addition of 
AccessController.doPrivileged() calls in the code and the addition of select 
permission classes to some tests.  Those types of changes did not work in this
case.

The last successful test run (more or less) was Jul 2018.  There were test failures 
that were successfully addressed as described above at that time.  This issue with
ArquillianServletRunner did not exist unitl a Dec 2018 test run was made.  


> wildfly security manager jboss modules permissions setup
> --------------------------------------------------------
>
>                 Key: ARQ-2204
>                 URL: https://issues.jboss.org/browse/ARQ-2204
>             Project: Arquillian
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 1.4.0.Final
>         Environment: 	Fedora 28
> 	Apache Maven 3.3.9 
> 	Java version: 11.0.2, vendor: Oracle Corporation
> 	Resteasy: 4.1.0-SNAPSHOT
> 	wfly: wildfly-17.0.0.Beta1-SNAPSHOT
>            Reporter: r searls
>            Priority: Major
>         Attachments: List-10-ProtectionDomains.txt, xFull-stacktrace.txt, xJira-sm-debug-flag.zip
>
>
> Arquillian is not registering all the security permissions required to run resteasy tests on wildfly with
> the sercurity manager enabled.
> There are 24+ Resteasy testsuite tests failing when run with the security manager.
> These tests are running in the container (i.e. using the @RunWith(Arquillian.class) annotation.
> The @RunAsClient is not being used.)
> The exception thrown is,
> Caused by: java.lang.ClassNotFoundException: org.glassfish.jersey.client.JerseyClientBuilder from
>     [Module "javax.ws.rs.api" version 1.0.2.Final from local module loader @4b3ed2f0
>     (finder: local module finder @4fad9bb2
>     (roots: /home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules,/home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules/system/layers/base,/home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules/system/add-ons/spring))]
>     at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
>     at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
>     at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
>     at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
>     at java.base/java.lang.Class.forName0(Native Method)
>     at java.base/java.lang.Class.forName(Class.java:315)
>     at javax.ws.rs.api at 1.0.2.Final//javax.ws.rs.client.FactoryFinder.newInstance(FactoryFinder.java:119)
>     at javax.ws.rs.api at 1.0.2.Final//javax.ws.rs.client.FactoryFinder.find(FactoryFinder.java:226)
>     at javax.ws.rs.api at 1.0.2.Final//javax.ws.rs.client.ClientBuilder.newBuilder(ClientBuilder.java:96)
> This is due to a missing ProtectionDomain with ("<all permissions>" "<all actions>") for
> /home/rsearls/j1/wildfly/dist/target/wildfly-17.0.0.Beta1-SNAPSHOT/modules/system/layers/base/org/jboss/resteasy/resteasy-jaxrs/main/resteasy-client-4.1.0-SNAPSHOT.jar
> When wildfly starts up (with or without the security manager) it registers a ProtectionDomain with ("<all permissions>" 
> "<all actions>" for each jar in the wildfly-17.0.0.Beta1-SNAPSHOT/modules/system. These ProtectionDomains are active when the Resteasy container runs.  When Arquillian runs only 10 ProtectionDomains are defined (see attachment List-10-ProtectionDomains.txt).   This appears to be the cause of the problem.
> A full stacktrace is provided in the attachments.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the arquillian-issues mailing list