[jboss-jira] [JBoss JIRA] (WFLY-8648) HttpSession.invalidate() requires additional permissions if Security Manager is enabled
Stuart Douglas (JIRA)
issues at jboss.org
Wed Apr 26 17:26:00 EDT 2017
[ https://issues.jboss.org/browse/WFLY-8648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stuart Douglas moved UNDERTOW-1058 to WFLY-8648:
------------------------------------------------
Project: WildFly (was: Undertow)
Key: WFLY-8648 (was: UNDERTOW-1058)
Component/s: Web (Undertow)
(was: Servlet)
Affects Version/s: (was: 1.4.12.Final)
> HttpSession.invalidate() requires additional permissions if Security Manager is enabled
> ---------------------------------------------------------------------------------------
>
> Key: WFLY-8648
> URL: https://issues.jboss.org/browse/WFLY-8648
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Reporter: Ivo Studensky
> Assignee: Ivo Studensky
>
> If Security Manager is enforced and a Servlet invokes {{request.getSession(false).invalidate()}}, it fails due to insufficient permissions as follows:
> {noformat}
> 15:04:55,001 ERROR [io.undertow.request] (default task-4) UT005023: Exception handling request to /form-auth/Logout: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "io.undertow.servlet.GET_CURRENT_REQUEST")" in code source "(vfs:/content/form-auth.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.form-auth.war" from Service Module Loader")
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
> at io.undertow.servlet.handlers.ServletRequestContext.current(ServletRequestContext.java:92)
> at org.wildfly.extension.undertow.deployment.LogoutSessionListener.sessionDestroyed(LogoutSessionListener.java:66)
> at io.undertow.servlet.core.ApplicationListeners.sessionDestroyed(ApplicationListeners.java:315)
> at io.undertow.servlet.core.SessionListenerBridge.doDestroy(SessionListenerBridge.java:98)
> at io.undertow.servlet.core.SessionListenerBridge.sessionDestroyed(SessionListenerBridge.java:78)
> at io.undertow.server.session.SessionListeners.sessionDestroyed(SessionListeners.java:61)
> at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:551)
> at io.undertow.server.session.InMemorySessionManager$SessionImpl.invalidate(InMemorySessionManager.java:529)
> at io.undertow.servlet.spec.HttpSessionImpl.invalidate(HttpSessionImpl.java:198)
> at org.jboss.as.test.integration.web.formauth.LogoutServlet.processRequest(LogoutServlet.java:45)
> at org.jboss.as.test.integration.web.formauth.LogoutServlet.doGet(LogoutServlet.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
> {noformat}
> The {{io.undertow.servlet.spec.HttpSessionImpl.invalidate()}} method requires {{RuntimePermission("io.undertow.servlet.GET_CURRENT_REQUEST")}} and also {{RuntimePermission("io.undertow.servlet.spec.UNWRAP_HTTP_SESSION")}}, see
> https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/deployment/LogoutSessionListener.java#L66
> https://github.com/wildfly/wildfly/blob/master/undertow/src/main/java/org/wildfly/extension/undertow/deployment/LogoutSessionListener.java#L81
> From the stacktrace above, I would opt for adding a privileged block into {{io.undertow.servlet.core.SessionListenerBridge#doDestroy(Session)}} as that's a private method. That's the reason why I filed Undertow issue for this.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list