[jboss-jira] [JBoss JIRA] (WFCORE-1351) FilePermission for XNIO and Marshalling modules are required for Remoting to run with security manager

[Lin Gao (JIRA)]

     [ https://issues.jboss.org/browse/WFCORE-1351?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lin Gao updated WFCORE-1351:
----------------------------
    Attachment: 5-no-suppressAccessChecks-permission.stracktrace
                4-no-accessDeclaredMembers-permission.stractrace
                3-no-addConnectionProvider-permission.stacktrace
                2-no-createXnioWorker-permission.stacktrace
                1-no-createEndpoint-permission.stacktrace


Based on the permission sets in [NestedRemoteContextTestCase|https://github.com/wildfly/wildfly/blob/master/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/naming/remote/multiple/NestedRemoteContextTestCase.java#L55-L59], I added the permissions in the following order and get different stack trace:

# no more permissions added -> [^1-no-createEndpoint-permission.stacktrace]
# new RemotingPermission("createEndpoint")  ->  [^2-no-createXnioWorker-permission.stacktrace]
# new RuntimePermission("createXnioWorker") ->  [^3-no-addConnectionProvider-permission.stacktrace]
# new RemotingPermission("addConnectionProvider") -> [^4-no-accessDeclaredMembers-permission.stractrace]
# new RuntimePermission("accessDeclaredMembers") -> [^5-no-suppressAccessChecks-permission.stracktrace]
# new java.lang.reflect.ReflectPermission("suppressAccessChecks") -> Test Pass


> FilePermission for XNIO and Marshalling modules are required for Remoting to run with security manager
> ------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-1351
>                 URL: https://issues.jboss.org/browse/WFCORE-1351
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Remoting, Security
>            Reporter: Ondrej Kotek
>            Assignee: David Lloyd
>            Priority: Critical
>             Fix For: 3.0.0.Alpha8
>
>         Attachments: 1-no-createEndpoint-permission.stacktrace, 2-no-createXnioWorker-permission.stacktrace, 3-no-addConnectionProvider-permission.stacktrace, 4-no-accessDeclaredMembers-permission.stractrace, 5-no-suppressAccessChecks-permission.stracktrace
>
>
> # Running _NestedRemoteContextTestCase_ (from WildFly _testsuite/integration/basic_) with security manager, like
> {noformat}
> ./integration-tests.sh -Dts.basic -Dts.noSmoke -Dtest=NestedRemoteContextTestCase -Dsecurity.manager
> {noformat}
> results in exception:
> {noformat}
> java.io.IOException: java.lang.IllegalArgumentException: XNIO001001: No XNIO provider found
> {noformat}
> To make it work, permissions like following need to be added to _permissions.xml_ of  _ejb.ear_:
> {noformat}
> new FilePermission("/home/okotek/git/wildfly/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/jboss/xnio/nio/main/*", "read"),
> new FilePermission("/home/okotek/git/wildfly/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/jboss/marshalling/river/main/*", "read"),
> new RemotingPermission("createEndpoint"),
> new RuntimePermission("createXnioWorker"),
> new RemotingPermission("addConnectionProvider"),
> new RuntimePermission("modifyThread"),
> new RuntimePermission("accessDeclaredMembers"),
> new ReflectPermission("suppressAccessChecks")
> {noformat}
> which is very confusing.
> Why do I need add seemingly unrelated permissions, like _FilePermission_ for XNIO and marshalling or _RuntimePermission_ for createXnioWorker? Such behavior should be fixed or properly documented.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)