[jboss-jira] [JBoss JIRA] (WFLY-4882) Security manager's maximum-permissions setting doesn't work

Josef Cacek (JIRA) issues at jboss.org
Mon Jul 27 04:06:02 EDT 2015


     [ https://issues.jboss.org/browse/WFLY-4882?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josef Cacek updated WFLY-4882:
------------------------------
        Summary: Security manager's maximum-permissions setting doesn't work  (was: Maximum-set permission configuration doesn't work)
    Description: 
Configuration of the {{maximum-permissions}} attribute in {{/subsystem=security-manager/deployment-permissions=default}} doesn't work, so the permissions for deployments can't be restricted.
(The "_policy of the product installation_", in the words of the EE specification, is not enforced.)


If an administrator specifies {{maximum-permissions}} in the server configuration and also {{permissions.xml}} in the deployment, all permissions from the {{permissions.xml}} are granted even if the policies are in conflict.

The {{maximum-permissions}} configuration has the following meaning:
_A set containing the maximum permission scope that can be granted to deployments or jars_

The Java EE 7 platform specification (JSR 342) says in section EE.6.2.2.1:
_If security permissions are declared that conflict with the policy of the product installation, the Java EE product must fail deployment of the application module._

*Expected behavior:*
* based on the EE spec, the deployment should fail
* a deployed application should not get more permissions than specified in the {{maximum-permissions}}

  was:
Configuration of {{deployment-permissions/maximum-set}} doesn't work in the {{security-manager}} subsystem, so the customer is not able to specify the "_policy of the product installation_".

If I specify {{maximum-set}} permissions in the server configuration and also {{permissions.xml}} in the deployment, all permissions from the {{permissions.xml}} are granted even if the policies are in conflict.

The {{maximum-set}} configuration has the following meaning:
_A set containing the maximum permission scope that can be granted to deployments or jars_

The Java EE 7 platform specification (JSR 342) says in section EE.6.2.2.1:
_If security permissions are declared that conflict with the policy of the product installation, the Java EE product must fail deployment of the application module._

*Expected behavior:*
* based on the EE spec, the deployment should fail
* a deployed application should not get more permissions than specified in the {{maximum-set}}



> Security manager's maximum-permissions setting doesn't work
> -----------------------------------------------------------
>
>                 Key: WFLY-4882
>                 URL: https://issues.jboss.org/browse/WFLY-4882
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security Manager
>    Affects Versions: 10.0.0.Alpha4
>            Reporter: Josef Cacek
>            Assignee: Darran Lofthouse
>            Priority: Critical
>
> Configuration of the {{maximum-permissions}} attribute in {{/subsystem=security-manager/deployment-permissions=default}} doesn't work, so the permissions for deployments can't be restricted.
> (The "_policy of the product installation_", in the words of the EE specification, is not enforced.)
> If an administrator specifies {{maximum-permissions}} in the server configuration and also {{permissions.xml}} in the deployment, all permissions from the {{permissions.xml}} are granted even if the policies are in conflict.
> The {{maximum-permissions}} configuration has the following meaning:
> _A set containing the maximum permission scope that can be granted to deployments or jars_
> The Java EE 7 platform specification (JSR 342) says in section EE.6.2.2.1:
> _If security permissions are declared that conflict with the policy of the product installation, the Java EE product must fail deployment of the application module._
> *Expected behavior:*
> * based on the EE spec, the deployment should fail
> * a deployed application should not get more permissions than specified in the {{maximum-permissions}}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
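
The check that the expected behavior above calls for, sketched with the JDK's `java.security.Permissions.implies`: every permission declared in `permissions.xml` must be implied by the maximum set, otherwise the deployment is rejected. This is an added example, not WildFly code and not part of the original message; the class and method names, deployment names and sample permissions are constructed, and Unix-style paths are assumed.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.PropertyPermission;
public class MaximumPermissionsCheck {
    // Declared permissions that the maximum set does not imply (empty = no conflict).
    static List<Permission> findConflicts(Permissions maximum, Permissions declared) {
        List<Permission> conflicts = new ArrayList<>();
        for (Permission p : Collections.list(declared.elements())) {
            if (!maximum.implies(p)) conflicts.add(p);
        }
        return conflicts;
    }
    // Reject the deployment outright instead of granting what was declared.
    static void validate(String name, Permissions maximum, Permissions declared) {
        List<Permission> conflicts = findConflicts(maximum, declared);
        if (!conflicts.isEmpty()) {
            throw new SecurityException(name + ": outside maximum-permissions: " + conflicts);
        }
    }

    public static void main(String[] args) {
        // Constructed sample of an administrator's maximum-permissions set.
        Permissions maximum = new Permissions();
        maximum.add(new PropertyPermission("java.*", "read"));
        maximum.add(new FilePermission("/opt/app/data/-", "read"));

        // Constructed sample of permissions declared in a deployment's permissions.xml.
        Permissions narrow = new Permissions();
        narrow.add(new PropertyPermission("java.version", "read"));
        narrow.add(new FilePermission("/opt/app/data/cfg/app.properties", "read"));

        // Constructed sample that conflicts: a write action and a path outside the scope.
        Permissions broad = new Permissions();
        broad.add(new PropertyPermission("java.home", "read,write"));
        broad.add(new FilePermission("/opt/app/secrets/key.pem", "read"));

        validate("narrow.war", maximum, narrow);
        System.out.println("narrow.war accepted");
        try {
            validate("broad.war", maximum, broad);
        } catch (SecurityException e) {
            System.out.println("rejected " + e.getMessage());
        }
    }
}
```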

