[jboss-jira] [JBoss JIRA] (SECURITY-861) org.jboss.security.client.SecurityClient#login() requires unusual permissions

Fri Nov 20 07:35:00 EST 2015

     [ https://issues.jboss.org/browse/SECURITY-861?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Skopek resolved SECURITY-861.
-----------------------------------
    Resolution: Done


> org.jboss.security.client.SecurityClient#login() requires unusual permissions
> -----------------------------------------------------------------------------
>
>                 Key: SECURITY-861
>                 URL: https://issues.jboss.org/browse/SECURITY-861
>             Project: PicketBox 
>          Issue Type: Bug
>    Affects Versions: PicketBox_4_0_21_Beta3
>            Reporter: David Lloyd
>            Assignee: Stefan Guilhen
>
> In order to do a security client login, the caller needs to have (at least) the permission {{java.lang.RuntimePermission "org.jboss.security.getSecurityContext"}}.
> Leaving aside that RuntimePermission should not be used for things like this, the point of having a login method is to abstract the security context manipulation away.  Surely if some permission check is needed, the permission should be something specific to logging in (though in my opinion, no permission should be necessary here).
> The exact example stack trace is:
> {noformat}
> 15:09:20,307 SEVERE [org.jboss.arquillian.protocol.jmx.JMXTestRunner] (pool-1-thread-1) Failed: org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase.testAnonymous: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "org.jboss.security.getSecurityContext")" in code source "(vfs:/content/runasprincipal-test.war/WEB-INF/classes <no signer certificates>)" of "null")
>         at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:264) [wildfly-security-manager-1.0.2.Final-SNAPSHOT.jar:1.0.2.Final-SNAPSHOT]
>         at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:169) [wildfly-security-manager-1.0.2.Final-SNAPSHOT.jar:1.0.2.Final-SNAPSHOT]
>         at org.jboss.security.SecurityContextAssociation.getSecurityContext(SecurityContextAssociation.java:145) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
>         at org.jboss.security.client.JBossSecurityClient.performSimpleLogin(JBossSecurityClient.java:77) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
>         at org.jboss.security.client.SecurityClient.login(SecurityClient.java:74) [picketbox-4.0.21.Beta3.jar:4.0.21.Beta3]
>         at org.jboss.as.test.integration.ejb.security.RunAsPrincipalTestCase.testAnonymous(RunAsPrincipalTestCase.java:173) [classes:]
> {noformat}
> Here's the {{testAnonymous}} method:
> {code}
>     @Test
>     public void testAnonymous() throws Exception {
>         SecurityClient client = SecurityClientFactory.getSecurityClient();
>         client.setSimple("user1", "password1");
>         client.login(); // this is line 173
>         try {
>             WhoAmI bean = lookupCaller();
>             String actual = bean.getCallerPrincipal();
>             Assert.assertEquals("anonymous", actual);
>         } finally {
>             client.logout();
>         }
>     }
> {code}


--
This message was sent by Atlassian JIRA
(v6.4.11#64026)