[jboss-jira] [JBoss JIRA] (ELY-1349) Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier

Thu Aug 31 08:54:01 EDT 2017

     [ https://issues.jboss.org/browse/ELY-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina reassigned ELY-1349:
-------------------------------

    Assignee: Jan Kalina  (was: Darran Lofthouse)


> Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: ELY-1349
>                 URL: https://issues.jboss.org/browse/ELY-1349
>             Project: WildFly Elytron
>          Issue Type: Bug
>    Affects Versions: 1.1.1.Final
>            Reporter: Ondrej Lukas
>            Assignee: Jan Kalina
>            Priority: Critical
>
> When application server is running with Security Manager then using Elytron API (ElytronXmlParser.parseAuthenticationClientConfiguration()) from deployment leads to AccessControlException. The ServiceLoaderSupplier incorrectly uses doPrivileged, so the FilePermission check during accessing Elytron JAR fails.
> Workaround could be adding this FilePermission to each such deployment, but this is neither safe nor practical as the JAR name and location can change (e.g. version upgrade with patches applied).
> It seems the problem is caused by passing AccessControlContext as second parameter of {{doPrivileged}} method [1]. {{ServiceLoaderSupplier}} does not require this permission when second paramater is removed from {{doPrivileged}} method. This privileged block has been added as fix of JBEAP-12111 - {{doPrivileged}} call has been added into {{org.wildfly.security.util.ServiceLoaderSupplier}}.
> For example this is stacktrace for calling {{ElytronXmlParser.parseAuthenticationClientConfiguration}} method from Servlet in war application:
> {code}
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/user/jboss-eap-7.1/modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-1.1.1.Final-redhat-1.jar" "read")" in code source "(vfs:/content/wildfly-config-xml-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.wildfly-config-xml-dep.war" from Service Module Loader")
>         at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
>         at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>         at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:350)
>         at sun.net.www.protocol.jar.JarFileFactory.getCachedJarFile(JarFileFactory.java:137)
>         at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:81)
>         at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
>         at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
>         at java.net.URL.openStream(URL.java:1038)
>         at java.util.ServiceLoader.parse(ServiceLoader.java:304)
>         at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
>         at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
>         at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
>         at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
>         at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
>         at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
>         at org.wildfly.security.util.ServiceLoaderSupplier.loadServices(ServiceLoaderSupplier.java:73)
>         at org.wildfly.security.util.ServiceLoaderSupplier.lambda$get$0(ServiceLoaderSupplier.java:58)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:58)
>         at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:39)
>         at org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier.get(ElytronXmlParser.java:2433)
>         at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:115)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseClearPassword$40(ElytronXmlParser.java:2001)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$27(ElytronXmlParser.java:918)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$33(ElytronXmlParser.java:953)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$18(ElytronXmlParser.java:691)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$22(ElytronXmlParser.java:739)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationRuleType$7(ElytronXmlParser.java:575)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$8(ElytronXmlParser.java:599)
>         at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:299)
>         at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:176)
>         at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:137)
>     ...
> {code}
> [1] https://github.com/wildfly-security/wildfly-elytron/blob/8c033958d78fcb1c4756a7d6c878855b0c099bbe/src/main/java/org/wildfly/security/util/ServiceLoaderSupplier.java#L58


--
This message was sent by Atlassian JIRA
(v7.2.3#72005)