[jboss-jira] [JBoss JIRA] (WFCORE-1732) Servlet does not have permissions to read parent resources when deployed in EAR

Ivo Studensky (JIRA) issues at jboss.org
Thu Aug 25 11:46:00 EDT 2016 

     [ https://issues.jboss.org/browse/WFCORE-1732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ivo Studensky updated WFCORE-1732:
----------------------------------
    Git Pull Request: https://github.com/wildfly/wildfly/pull/8842, https://github.com/wildfly/wildfly-core/pull/1579, https://github.com/wildfly/wildfly-core/pull/1580, https://github.com/wildfly/wildfly-core/pull/1753  (was: https://github.com/wildfly/wildfly/pull/8842, https://github.com/wildfly/wildfly-core/pull/1579, https://github.com/wildfly/wildfly-core/pull/1580)


> Servlet does not have permissions to read parent resources when deployed in EAR
> -------------------------------------------------------------------------------
>
>                 Key: WFCORE-1732
>                 URL: https://issues.jboss.org/browse/WFCORE-1732
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Server
>            Reporter: Hynek Švábek
>            Assignee: Ivo Studensky
>
> Servlet is provided with VFS mount points to be able to read resources from any library submodule packed in an EAR, but it does not have VirtualFilePermissions to do so when running with Security Manager enabled. This leads to the situation when the parent module corresponding to the EAR deployment does have VirtualFilePermissions to read resources from libraries packed in the deployment, but web submodules cannot reach them. Web submodules are provided only with permissions to its own resources like WEB-INF/classes etc. and they are missing the parent module permissions. See the following stack trace:
> *Stacktrace*
> {code}
> ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /deployment0/EarServlet: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.vfs.VirtualFilePermission" "/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-integ-rhel-secman/5d904ae0/testsuite/integration/basic/target/exploded_deployments/eardeployment2.ear/lib/lib.jar/jar-info.txt" "read")" in code source "(vfs:/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-integ-rhel-secman/5d904ae0/testsuite/integration/basic/target/exploded_deployments/eardeployment2.ear/deployment0.war/WEB-INF/classes <no signer certificates>)" of "null")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
> 	at org.jboss.vfs.VirtualFile.openStream(VirtualFile.java:253)
> 	at org.jboss.as.server.deployment.module.VFSResourceLoader$VFSEntryResource.openStream(VFSResourceLoader.java:327)
> 	at org.jboss.modules.Module.getResourceAsStream(Module.java:674)
> 	at org.jboss.modules.ModuleClassLoader.findResourceAsStream(ModuleClassLoader.java:546)
> 	at org.jboss.modules.ConcurrentClassLoader.getResourceAsStream(ConcurrentClassLoader.java:321)
> 	at org.jboss.as.test.integration.management.cli.EarServlet.doGet(EarServlet.java:19)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> 	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> 	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> 	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> 	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> 	at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:180)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:177)
> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at java.lang.Thread.run(Thread.java:745)
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list