[jboss-jira] [JBoss JIRA] (WFLY-7474) AccessControlException in OpenSSL initialization

Josef Cacek (JIRA) issues at jboss.org
Fri Nov 4 04:30:01 EDT 2016 

Josef Cacek created WFLY-7474:
---------------------------------

             Summary: AccessControlException in OpenSSL initialization
                 Key: WFLY-7474
                 URL: https://issues.jboss.org/browse/WFLY-7474
             Project: WildFly
          Issue Type: Bug
          Components: Web (Undertow)
            Reporter: Josef Cacek
            Assignee: Stuart Douglas
            Priority: Critical


*Issue description*
When starting server with security manager (i.e. with {{-secmgr}} argument), then OpenSSL initialization fails with 

{code}
java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.wildfly.openssl.SSL.init(SSL.java:73)
	at org.wildfly.openssl.SSL.getInstance(SSL.java:49)
	at org.wildfly.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:59)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:348)
	at io.undertow.protocols.alpn.OpenSSLAlpnProvider$1.run(OpenSSLAlpnProvider.java:47)
	at io.undertow.protocols.alpn.OpenSSLAlpnProvider$1.run(OpenSSLAlpnProvider.java:43)
	at java.security.AccessController.doPrivileged(Native Method)
	at io.undertow.protocols.alpn.OpenSSLAlpnProvider.<clinit>(OpenSSLAlpnProvider.java:43)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at java.lang.Class.newInstance(Class.java:442)
	at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
	at java.util.ServiceLoader$LazyIterator.access$700(ServiceLoader.java:323)
	at java.util.ServiceLoader$LazyIterator$2.run(ServiceLoader.java:407)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:409)
	at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
	at io.undertow.protocols.alpn.ALPNManager.<init>(ALPNManager.java:40)
	at io.undertow.protocols.alpn.ALPNManager.<clinit>(ALPNManager.java:35)
	at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:64)
	at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:83)
	at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:75)
	at org.wildfly.extension.undertow.HttpsListenerService.createAlpnOpenListener(HttpsListenerService.java:101)
	at org.wildfly.extension.undertow.HttpsListenerService.createOpenListener(HttpsListenerService.java:86)
	at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:158)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1963)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1896)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "loadLibrary.wfssl")" in code source "(null <no signer certificates>)" of "org.wildfly.openssl.SSL$LibraryClassLoader at 37072772")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
	at java.lang.SecurityManager.checkLink(SecurityManager.java:835)
	at org.wildfly.security.manager.WildFlySecurityManager.checkLink(WildFlySecurityManager.java:338)
	at java.lang.Runtime.loadLibrary0(Runtime.java:864)
	at java.lang.System.loadLibrary(System.java:1122)
	at org.wildfly.openssl.SSL$LibraryLoader.load(SSL.java:180)
	... 37 more
{code}

There could be a wrong class-loader used or {{doPrivileged()}} block missing, so the initializing code doesn't get the {{AllPermission}} (which is assigned to server modules).

*Suggested improvement*
* check and fix OpenSSL initialization, so it gets correct permissions



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list