[jboss-jira] [JBoss JIRA] Commented: (JBAS-7882) Wrong provider code base for security provider included in packed ear

Petr H (JIRA) jira-events at lists.jboss.org
Fri May 7 05:40:06 EDT 2010 

    [ https://jira.jboss.org/jira/browse/JBAS-7882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12529556#action_12529556 ] 

Petr H commented on JBAS-7882:
------------------------------

Actually I didn't try that with OpenJDK at all, but yes I expect it to work there for the reason you mentioned.
It's pretty sad that nobody has looked at this issue so far, it hasn't even been assigned to anyone yet.
Not only because of this issue but also because as I mentioned at the end of issue description there's something similar on another front which should be taken care of.
The following example points us to incorrect location similarly as for the provider code base case:
          final ClassLoader loader = SomeOurStuff.class.getClassLoader();
          URL configFile = loader.getResource(fileName);
          File file = new File(configFile.getFile());
          InputStream is = new FileInputStream(file);
          return new InputSource(is);

this points us into the packed ear/war structure inside the deploy directory as well (instead of the VFS temporary location) which is incorrect I think. We had to modify such stuff to get it working with JBossAS 5 VFS if packed ear/war stuff is used.
And again pretty much the same workarounds apply for this case.

> Wrong provider code base for security provider included in packed ear
> ---------------------------------------------------------------------
>
>                 Key: JBAS-7882
>                 URL: https://jira.jboss.org/jira/browse/JBAS-7882
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: VFS
>    Affects Versions: JBossAS-5.1.0.GA, 6.0.0.M2
>         Environment: Any OS, JDK 5 and 6, JBoss AS 5.1.0 and 6.0.0.M2
>            Reporter: Petr H
>         Attachments: IAIKTest.ear, server-default.log, server-forceVfsJar.log
>
>
> We've got applications which use the IAIK JCE provider (http://jce.iaik.tugraz.at/sic/Products/Core-Crypto-Toolkits/JCA-JCE) whose library is included directly in our application.
> On JBoss AS 5 and later, we can't use this provider as usually.
> The new VFS mechanism seems to break the path determination to the IAIK provider library (needed to determine provider code base) - it still points into the ear/war structure inside the server deploy directory but as all this is packed into one ear file, the provider verification.fails because of unsigned ear/war and thus the following exception is thrown:
> 2010-04-01 15:04:20,034 INFO  [STDOUT] (http-0.0.0.0-8180-1) Provider code base: jar:file:/opt/jboss-5.1.0.GA/server/test1/deploy/IAIKTest.ear!/IAIKTestWeb.war
> ...
> 2010-04-01 15:04:20,890 ERROR [STDERR] (http-0.0.0.0-8180-1) java.lang.SecurityException: JCE cannot authenticate the provider IAIK
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at javax.crypto.Cipher.getInstance(DashoA13*..)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at javax.crypto.Cipher.getInstance(DashoA13*..)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at iaik.test.ControllerServlet.service(ControllerServlet.java:123)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> 2010-04-01 15:04:20,893 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
> 2010-04-01 15:04:20,894 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at java.lang.Thread.run(Thread.java:619)
> 2010-04-01 15:04:20,895 ERROR [STDERR] (http-0.0.0.0-8180-1) Caused by: java.util.jar.JarException: Cannot parse jar:file:/opt/jboss-5.1.0.GA/server/test1/deploy/IAIKTest.ear!/IAIKTestWeb.war
> 2010-04-01 15:04:20,895 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at javax.crypto.SunJCE_c.a(DashoA13*..)
> 2010-04-01 15:04:20,895 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at javax.crypto.SunJCE_b.b(DashoA13*..)
> 2010-04-01 15:04:20,895 ERROR [STDERR] (http-0.0.0.0-8180-1) 	at javax.crypto.SunJCE_b.a(DashoA13*..)
> 2010-04-01 15:04:20,895 ERROR [STDERR] (http-0.0.0.0-8180-1) 	... 24 more
> This works when one of tho three mentioned workarounds is used.
> The most interesting of course is the third workaround for which the code base corectly points to the temporary IAIK library instance in the java.io.tmpdir:
> 2010-04-01 15:09:51,291 INFO  [STDOUT] (http-0.0.0.0-8180-1) Provider code base: file:/tmp/nestedjar2481829661547119990.tmp
> I'll attach a simple testcase ear (IAIKTest.ear) which contains an evaluation version of IAIK provider library (thanks for permission to the IAIK authors) and a simple servlet (including source) which demonstrates the problem.
> All you need to do is to have the unrestricted JCE policy files installed in your JRE and then just put the IAIKTest.ear into the deploy directory, start the JBoss instance and access the test servlet URL in browser, for example: http://localhost:8080/IAIKTestWeb/ControllerServlet
> On init (which happens on start) it will register the IAIK provider
> On service (after you access it in browser) it will attempt to get some cipher instance and here it fails.
> I'll also attach two log files covering the problem:
> - server-default.log with default server setup where the issue occurs 
> - server-forceVfsJar.log with jboss.vfs.forceVfsJar=true where the issue doesn't occur
> Also I think this is more generic problem because we had similar issues, where some jar or resource location was pointing to the packed ear/war structure inside the deploy directory instead of those VFS temporary locations, with our own code (when attemting to obtain full path) and had to perform some modifications in order to make it working. The same set of workarounds could resolve these issues as well.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list