[jboss-jira] [JBoss JIRA] (SECURITY-861) org.jboss.security.client.SecurityClient#login() requires unusual permissions

David Lloyd (JIRA) issues at jboss.org
Fri Sep 26 17:13:03 EDT 2014


David Lloyd created SECURITY-861:
------------------------------------

             Summary: org.jboss.security.client.SecurityClient#login() requires unusual permissions
                 Key: SECURITY-861
                 URL: https://issues.jboss.org/browse/SECURITY-861
             Project: PicketBox 
          Issue Type: Bug
    Affects Versions: PicketBox_4_0_21_Beta3
            Reporter: David Lloyd
            Assignee: Stefan Guilhen


In order to do a security client login, the caller needs to have (at least) the permission {{java.lang.RuntimePermission "org.jboss.security.getSecurityContext"}}.

Leaving aside that RuntimePermission should not be used for things like this, the point of having a login method is to abstract the security context manipulation away.  Surely if some permission check is needed, the permission should be something specific to logging in (though in my opinion, no permission should be necessary here).

The exact example stack trace is:

{noformat}
15:09:20,307 SEVERE [org.jboss.arquillian.protocol.jmx.JMXTestRunner] (pool-1-thread-1) Failed: org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase.testAnonymous: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "org.jboss.security.getSecurityContext")" in code source "(vfs:/content/runasprincipal-test.war/WEB-INF/classes <no signer certificates>)" of "null")
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:264) [wildfly-security-manager-1.0.2.Final-SNAPSHOT.jar:1.0.2.Final-SNAPSHOT]
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:169) [wildfly-security-manager-1.0.2.Final-SNAPSHOT.jar:1.0.2.Final-SNAPSHOT]
        at org.jboss.security.SecurityContextAssociation.getSecurityContext(SecurityContextAssociation.java:145) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
        at org.jboss.security.client.JBossSecurityClient.performSimpleLogin(JBossSecurityClient.java:77) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
        at org.jboss.security.client.SecurityClient.login(SecurityClient.java:74) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
        at org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase.testAnonymous(RunAsPrincipalTestCase.java:173) [classes:]
{noformat}

Here's the {{testAnonymous}} method:
{code}
    // Types used: org.jboss.security.client.SecurityClient and SecurityClientFactory (PicketBox),
    // org.junit.Test and org.junit.Assert (JUnit 4); WhoAmI is the test's EJB view.
    @Test
    public void testAnonymous() throws Exception {
        // Obtain the PicketBox client API and configure simple (username/password) credentials.
        SecurityClient client = SecurityClientFactory.getSecurityClient();
        client.setSimple("user1", "password1");
        // Under the security manager this call fails with the AccessControlException shown above,
        // because performSimpleLogin() reads the SecurityContextAssociation on the caller's behalf.
        client.login(); // this is line 173
        try {
            // lookupCaller() is a helper defined elsewhere in RunAsPrincipalTestCase (not shown here).
            WhoAmI bean = lookupCaller();
            String actual = bean.getCallerPrincipal();
            Assert.assertEquals("anonymous", actual);
        } finally {
            // Always clear the client-side security context, even if the assertion fails.
            client.logout();
        }
    }
{code}



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
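Added example, not part of David Lloyd's report or of PicketBox itself: until the library performs the security-context lookup with its own privileges, a deployment that calls SecurityClient#login() under the WildFly security manager has to be granted the permission named in the stack trace. One way to do that is a Java EE 7 deployment permissions file at META-INF/permissions.xml inside the archive (for the war above that is runasprincipal-test.war/META-INF/permissions.xml, which is an assumption about that test's packaging). The file grants the deployment's code source exactly the RuntimePermission the check asks for and nothing broader.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/permissions.xml: grants only the permission that
     SecurityContextAssociation.getSecurityContext() checks for. -->
<permissions xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                 http://xmlns.jcp.org/xml/ns/javaee/permissions_7.xsd"
             version="7">
  <permission>
    <class-name>java.lang.RuntimePermission</class-name>
    <name>org.jboss.security.getSecurityContext</name>
  </permission>
</permissions>
```

Two caveats for anyone applying this: the grant only takes effect when the server runs with the security manager enabled, and the security-manager subsystem's maximum permission set must allow it, otherwise the deployment is rejected rather than granted the permission. It is a workaround on the deployment side; it does not change the library behaviour the report objects to.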

