[jboss-dev] Security Dependency Mismatch Was: Where are allowable methods configured?

Scott Stark sstark at redhat.com
Wed Jul 1 12:30:17 EDT 2009


I would create a https://jira.jboss.org/jira/browse/SECURITY issue since
it appears that the older Sun JACC API implementation has different
behavior from the org.jboss.javaee:jboss-jacc-api version and we are not
testing these in the security project.

Andrew Lee Rubinger wrote:
> Looks to me like another case of mismatched dependencies.
>
> From AS Branch_5_x "build" module:
> [INFO] [dependency:tree]
> [INFO] org.jboss.jbossas:jboss-as-build:pom:5.2.0-SNAPSHOT
> [INFO] \- org.jboss.jbossas:jboss-as-aspects:jar:5.2.0-SNAPSHOT:compile
> [INFO]    \- org.jboss.aspects:jboss-security-aspects:jar:1.0.0.GA:compile
> [INFO]       \- javax.security:jacc:jar:1.0:compile
>
> However I don't see the jacc JAR anywhere in the distribution (hence 
> not available at runtime):
>
> JBOSS_HOME $> find . -name '*jacc*' > Nothing
>
> Instead, we've got org.jboss.javaee:jboss-javaee declared by the 
> thirdparty module and placed into $JBOSS_HOME/common/lib.  This JAR is 
> incorrectly *not* a dependency of the build module:
>
> build $> mvn dependency:tree -Dincludes=org.jboss.javaee:jboss-javaee > Nothing
>
> So some fancy excludes on javax.security:jacc and an explicit 
> additional dependency upon org.jboss.javaee:jboss-javaee within 
> Embedded yield an error-free AS boot in the "default" config. :D
>
> I'll add this to my list of tasks to revisit when looking at the AS 
> dependency chain.
>
> S,
> ALR
>
> On 06/30/2009 06:31 PM, Andrew Lee Rubinger wrote:
>> Booting Embedded I've got a fun exception informing me that methods
>> "!GET,POST" are not allowed while creating a WebResourcePermission.
>> These are the identical parameters passed in while running AS in
>> Standalone. Where are the allowed HTTP methods configured? Does this
>> ring any bells to anyone?
>>
>> Thx. :)
>>
>> 17:25:01,895 ERROR [AbstractKernelController] Error installing to Real:
>> name=vfsfile:/home/alrubinger/business/jboss/wc/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/server/default/deploy/http-invoker.sar/
>> state=PreReal mode=Manual requiredState=Real
>> org.jboss.deployers.spi.DeploymentException: Error deploying:
>> jboss.jacc:service=jacc,id="vfsfile:/home/alrubinger/business/jboss/wc/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/server/default/deploy/http-invoker.sar/invoker.war/",parent="http-invoker.sar"
>> at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
>> at ...
>> Caused by: java.lang.IllegalArgumentException: Could not create resource
>> permission with pattern "/restricted/*" and methods: !GET,POST
>> at org.jboss.web.WebPermissionMapping.createPermissions(WebPermissionMapping.java:229)
>> at org.jboss.deployment.security.WarJaccPolicy.createPermissions(WarJaccPolicy.java:55)
>> at org.jboss.deployment.security.WarJaccPolicy.createPermissions(WarJaccPolicy.java:38)
>> at org.jboss.deployment.security.JaccPolicy.create(JaccPolicy.java:94)
>> ...
>> Caused by: java.lang.IllegalArgumentException: illegal HTTP method
>> at javax.security.jacc.HttpMethodSpec.makeMethodSet(HttpMethodSpec.java:100)
>> at javax.security.jacc.HttpMethodSpec.getMethodSet(HttpMethodSpec.java:74)
>> at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:137)
>> at org.jboss.web.WebPermissionMapping.createPermissions(WebPermissionMapping.java:225)
>>
>> S,
>> ALR
>
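
An added diagnostic, not part of the original thread and not JBoss code: it reports which JAR supplies javax.security.jacc.WebResourcePermission at runtime and whether that implementation accepts the "/restricted/*" pattern with the "!GET,POST" method specification from the trace above. The class name JaccApiProbe is hypothetical, and the code assumes Java 7 or later and is run with the same classpath as the failing boot.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.security.CodeSource;

// Hypothetical helper (not JBoss code): run it with the same classpath as the
// failing deployment to see which JACC API implementation is actually loaded.
public class JaccApiProbe {
    // Values taken from the stack trace quoted in the thread.
    static final String PATTERN = "/restricted/*";
    static final String METHODS = "!GET,POST";

    /** Returns a one-line report: origin of the API class and the probe result. */
    static String probe(ClassLoader loader) {
        Class<?> type;
        try {
            type = Class.forName("javax.security.jacc.WebResourcePermission", true, loader);
        } catch (ClassNotFoundException | LinkageError e) {
            return "javax.security.jacc not loadable: " + e;
        }
        // A null CodeSource means the class was defined by the bootstrap loader.
        CodeSource source = type.getProtectionDomain().getCodeSource();
        String origin = (source == null || source.getLocation() == null)
                ? "bootstrap/unknown" : source.getLocation().toString();
        try {
            Constructor<?> ctor = type.getConstructor(String.class, String.class);
            Object permission = ctor.newInstance(PATTERN, METHODS);
            return origin + " ACCEPTS \"" + METHODS + "\" -> " + permission;
        } catch (InvocationTargetException e) {
            // The constructor itself threw, e.g. "illegal HTTP method".
            return origin + " REJECTS \"" + METHODS + "\": " + e.getCause();
        } catch (ReflectiveOperationException e) {
            return origin + " has no usable (String, String) constructor: " + e;
        }
    }

    public static void main(String[] args) {
        System.out.println(probe(Thread.currentThread().getContextClassLoader()));
    }
}
```

Running it once against the Embedded classpath and once against $JBOSS_HOME/common/lib shows whether the two environments resolve the JACC API from different JARs.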



