[jboss-jira] [JBoss JIRA] (JBJCA-1304) Subject.doAs should be invoked inside of doPrivileged block
Ivo Studensky (JIRA)
issues at jboss.org
Tue Nov 24 06:21:00 EST 2015
[ https://issues.jboss.org/browse/JBJCA-1304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ivo Studensky resolved JBJCA-1304.
----------------------------------
Fix Version/s: WildFly/IronJacamar 1.3.2.Final, 1.2.7.Final
Resolution: Done
> Subject.doAs should be invoked inside of doPrivileged block
> -----------------------------------------------------------
>
> Key: JBJCA-1304
> URL: https://issues.jboss.org/browse/JBJCA-1304
> Project: IronJacamar
> Issue Type: Bug
> Components: JDBC
> Affects Versions: WildFly/IronJacamar 1.3.1.Final, 1.2.6.Final
> Reporter: Ivo Studensky
> Assignee: Ivo Studensky
> Fix For: WildFly/IronJacamar 1.3.2.Final, 1.2.7.Final
>
>
> If the server is running with Security Manager enabled and a deployment invokes the {{getConnection()}} method of a DataSource, it fails with the following exception:
> {noformat}
> 15:08:52,138 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject] (pool-2-thread-1) IJ000604: Throwable while attempting to get a new connection: null: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("javax.security.auth.AuthPermission" "doAs")" in code source "(vfs:/content/test.ear/lib/single.jar <no signer certificates>)" of "null")
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
> at javax.security.auth.Subject.doAs(Subject.java:410)
> at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:243)
> at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1336)
> at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:501)
> at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:633)
> at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:605)
> at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:603)
> at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
> at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:761)
> at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
> at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
> at org.jboss.as.test.integration.jca.security.DsWithSecurityDomainTestCase.deploymentTest(DsWithSecurityDomainTestCase.java:101)
> {noformat}
> {{LocalManagedConnectionFactory#createManagedConnection(Subject, ConnectionRequestInfo)}} invokes {{Subject.doAs()}} without a {{doPrivileged}} block. Hence, the deployment needs to have doAs permissions.
> {{Subject.doAs}} should be invoked within {{doPrivileged}}.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
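
The pattern the report asks for, as an added Java example that is not IronJacamar's code or the actual fix: the same Subject.doAs call made directly and inside a doPrivileged block, so that the AuthPermission "doAs" check stops at the container's protection domain instead of reaching the deployment's. The class name, method names and the jdbcUrl field are hypothetical, and a JDK on which the Security Manager is still available is assumed.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.security.auth.Subject;

/** Hypothetical container-side helper; not IronJacamar source. */
public final class SubjectConnectionOpener {
    private final String jdbcUrl; // assumed to come from trusted datasource configuration

    public SubjectConnectionOpener(String jdbcUrl) {
        this.jdbcUrl = jdbcUrl;
    }

    /** Before: AuthPermission("doAs") is checked against every protection
     *  domain on the call stack, including the deployment's. */
    public Connection openUnprivileged(Subject subject) throws SQLException {
        try {
            return Subject.doAs(subject, connectAction());
        } catch (PrivilegedActionException e) {
            throw unwrap(e);
        }
    }

    /** After: stack inspection stops at this class's protection domain. */
    public Connection openPrivileged(Subject subject) throws SQLException {
        PrivilegedExceptionAction<Connection> asSubject =
            () -> Subject.doAs(subject, connectAction());
        try {
            return AccessController.doPrivileged(asSubject);
        } catch (PrivilegedActionException e) {
            throw unwrap(e);
        }
    }

    // Keep the privileged block narrow: it wraps only container-owned code
    // whose inputs come from trusted configuration.
    private PrivilegedExceptionAction<Connection> connectAction() {
        return () -> DriverManager.getConnection(jdbcUrl);
    }

    // doPrivileged wraps the PrivilegedActionException thrown by doAs a second time.
    private static SQLException unwrap(Throwable t) {
        while (t instanceof PrivilegedActionException && t.getCause() != null) {
            t = t.getCause();
        }
        return t instanceof SQLException ? (SQLException) t : new SQLException(t);
    }
}
```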