[jboss-jira] [JBoss JIRA] (WFLY-5771) IIOP operations need SerializablePermission("enableSubclassImplementation")

Ivo Studensky (JIRA) issues at jboss.org
Thu Dec 3 10:25:00 EST 2015


    [ https://issues.jboss.org/browse/WFLY-5771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13136737#comment-13136737 ] 

Ivo Studensky commented on WFLY-5771:
-------------------------------------

stacktrace:
{noformat}
	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
	  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
	  at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
	  at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
	  at com.sun.corba.se.impl.encoding.CDRInputStream.<init>(CDRInputStream.java:116)
	  at com.sun.corba.se.impl.encoding.EncapsInputStream.<init>(EncapsInputStream.java:66)
	  at com.sun.corba.se.impl.encoding.EncapsInputStream.<init>(EncapsInputStream.java:120)
	  at com.sun.corba.se.impl.encoding.EncapsInputStream.<init>(EncapsInputStream.java:98)
	  at org.wildfly.iiop.openjdk.csiv2.CSIV2IORToSocketInfo.readCompoundSecMechList(CSIV2IORToSocketInfo.java:146)
	  at org.wildfly.iiop.openjdk.csiv2.CSIV2IORToSocketInfo.selectSSLTransportAddress(CSIV2IORToSocketInfo.java:117)
	  at org.wildfly.iiop.openjdk.csiv2.CSIV2IORToSocketInfo.getSocketInfo(CSIV2IORToSocketInfo.java:99)
	  at com.sun.corba.se.impl.transport.CorbaContactInfoListImpl.addRemoteContactInfos(CorbaContactInfoListImpl.java:189)
	  at com.sun.corba.se.impl.transport.CorbaContactInfoListImpl.createContactInfoList(CorbaContactInfoListImpl.java:178)
	  at com.sun.corba.se.impl.transport.CorbaContactInfoListImpl.iterator(CorbaContactInfoListImpl.java:80)
	  - locked <0x359a> (a com.sun.corba.se.impl.transport.CorbaContactInfoListImpl)
	  at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:122)
	  at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
	  at org.jboss.as.ejb3.iiop.stub.DynamicIIOPStub.invoke(DynamicIIOPStub.java:123)
	  at interface org.jboss.as.test.iiop.transaction.IIOPTransactionalStatefulRemote_Stub.sameTransaction(Unknown Source:-1)
	  at org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:61)

{noformat}

> IIOP operations need SerializablePermission("enableSubclassImplementation")
> ---------------------------------------------------------------------------
>
>                 Key: WFLY-5771
>                 URL: https://issues.jboss.org/browse/WFLY-5771
>             Project: WildFly
>          Issue Type: Bug
>          Components: IIOP, Transactions
>    Affects Versions: 10.0.0.CR4
>            Reporter: Ivo Studensky
>            Assignee: Ivo Studensky
>
> Since JDK version 7u25, the {{org.omg.CORBA_2_3.portable.Output/InputStream}} classes need extra permissions if the Security Manager is enabled. Because of a previous vulnerability, it now checks {{SerializablePermission("enableSubclassImplementation")}}. There is a property flag to allow subclass instantiations without the security check (jdk.corba.allowOutputStreamSubclass=true), but this system property is subject to removal in future Java releases, according to my findings.
> At the moment, our IIOP code fails (can be seen in the IIOP tests of the WildFly testsuite) when running with SM enabled.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

