[jboss-jira] [JBoss JIRA] (SECURITY-864) NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration

Martin Letenay (JIRA) issues at jboss.org
Tue Jul 25 04:56:00 EDT 2017


    [ https://issues.jboss.org/browse/SECURITY-864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13439696#comment-13439696 ] 

Martin Letenay commented on SECURITY-864:
-----------------------------------------

We were already using a custom LoginModule before we came across this problem, so the LoginModule workaround was a simple solution for us.
(We never observed a locked JNDI tree as Philippe Marschall did; I don't have an explanation for that.)

Our LoginModule workaround is pretty straightforward:
{code}
import java.util.Map;
import java.util.logging.Logger;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;

// AuthenticatorLoginModule is our own base LoginModule (not shown in this post).
public class JbossAuthenticatorLoginModule extends AuthenticatorLoginModule {

  private static final Logger LOGGER = Logger.getLogger(JbossAuthenticatorLoginModule.class.getName());

  @Override
  public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
    super.initialize(subject, callbackHandler, sharedState, options);
    performSECURITY864Workaround();
  }

  private void performSECURITY864Workaround() {
    // Workaround for JBoss/Wildfly issue SECURITY-864 [https://issues.jboss.org/browse/SECURITY-864]
    //
    // JBoss tries to perform a JNDI lookup for PolicyRegistration during the authorization phase of each EJB invocation,
    // however such a policy is not registered in the JNDI tree, since the policy is used only in specific situations
    // where an application is using additional XACML security policies.
    // In most cases there is no XACML present/needed, so the PolicyRegistration is not created and registered.
    // However, the Picketbox security framework always tries to load it, and that results in an exception during the JNDI lookup.
    // This is harmless from an execution point of view (the exception is caught and just logged at DEBUG level),
    // however it has a quite negative effect on the performance of any EJB execution.
    //
    // The workaround is to manually register the default PolicyRegistration into JNDI (which is not used anywhere)
    // to avoid the lookup/exception upon each EJB method invocation.
    //
    // Note: this runs on every login. Two concurrent logins can both pass the lookup below and both attempt the bind;
    // the loser gets a NamingException from bind(), which is logged and otherwise harmless.

    String policyRegistrationJndiName = "java:/policyRegistration";

    try {
      new InitialContext().lookup(policyRegistrationJndiName);
      LOGGER.fine("PolicyRegistration instance already present at " + policyRegistrationJndiName + ", skipping workaround.");
      return;
    } catch (NamingException e) {
      LOGGER.fine("PolicyRegistration instance not present at " + policyRegistrationJndiName + ", going to apply workaround.");
    }

    // Class.forName() uses this class's own classloader; fall back to the thread context classloader
    // if that loader cannot see the picketbox module.
    String policyRegistrationClassName = "org.jboss.security.plugins.JBossPolicyRegistration";
    Class<?> policyRegistrationClass = null;
    try {
      policyRegistrationClass = Class.forName(policyRegistrationClassName);
    } catch (ClassNotFoundException e) {
      LOGGER.fine("Class not found via Class.forName: " + policyRegistrationClassName + ", trying context classloader");
      try {
        policyRegistrationClass = Thread.currentThread().getContextClassLoader().loadClass(policyRegistrationClassName);
      } catch (ClassNotFoundException e2) {
        LOGGER.fine("Class not found via context classloader: " + policyRegistrationClassName);
      }
    } catch (NoClassDefFoundError e) {
      LOGGER.fine("Could not load " + policyRegistrationClassName + " (NoClassDefFoundError): " + e.getMessage());
    }

    if (policyRegistrationClass != null) {
      try {
        Object policyRegistration = policyRegistrationClass.getDeclaredConstructor().newInstance();
        try {
          new InitialContext().bind(policyRegistrationJndiName, policyRegistration);
        } catch (NamingException e) {
          LOGGER.info("Cannot register PolicyRegistration instance into " + policyRegistrationJndiName + ": " + e);
        }
      } catch (ReflectiveOperationException e) {
        LOGGER.info("Could not instantiate " + policyRegistrationClassName + ": " + e);
      }
    }
  }
  // ... (remaining LoginModule methods omitted in the original post)
}
{code}

> NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration
> -------------------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-864
>                 URL: https://issues.jboss.org/browse/SECURITY-864
>             Project: PicketBox 
>          Issue Type: Bug
>          Components: PicketBox
>            Reporter: Chao Wang
>            Assignee: Stefan Guilhen
>
> "NameNotFoundException due to policyRegistration -- service jboss.naming.context.java.policyRegistration" is recorded in server.log during a quickstart example run after changing the log level: 
> {noformat}
>             <logger category="org.jboss.as.security">
>                 <level name="TRACE"/>
>             </logger>
>             <logger category="org.jboss.security">
>                 <level name="TRACE"/>
>             </logger>
> {noformat}
> See detailed description in community discussion [#907134|https://developer.jboss.org/message/907134]
> I chose the Jira component picketbox since the exception is titled "PBOX000293: Exception caught: javax.naming.NameNotFoundException"



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
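An alternative shape for the same workaround, added here as an illustration and not code from the JIRA thread, PicketBox or WildFly: instead of running the lookup-and-bind from a LoginModule on every login, a @Singleton @Startup EJB binds the default JBossPolicyRegistration once per deployment and unbinds it again on undeploy. The class name PolicyRegistrationBinder is hypothetical; the example assumes the javax.* Java EE APIs, that org.jboss.security.plugins.JBossPolicyRegistration is visible to the deployment and has a public no-arg constructor (the posted workaround relies on the same), and that the server lets application code bind into java:/ (again, as the posted workaround assumes).

```java
import java.util.logging.Logger;

import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.naming.InitialContext;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;

import org.jboss.security.plugins.JBossPolicyRegistration;

/**
 * Hypothetical startup bean (not part of the JIRA thread): binds a default
 * PolicyRegistration at java:/policyRegistration once when the deployment
 * starts, so the per-EJB-invocation lookup described in SECURITY-864 succeeds.
 */
@Singleton
@Startup
public class PolicyRegistrationBinder {

    private static final Logger LOGGER = Logger.getLogger(PolicyRegistrationBinder.class.getName());
    private static final String JNDI_NAME = "java:/policyRegistration";

    // Only unbind on undeploy what this bean bound itself, never a binding
    // that the server or another deployment owns.
    private boolean boundByUs;

    @PostConstruct
    void bindIfMissing() {
        try {
            InitialContext ctx = new InitialContext();
            try {
                ctx.lookup(JNDI_NAME);
                LOGGER.fine(JNDI_NAME + " is already bound, nothing to do");
                return;
            } catch (NameNotFoundException e) {
                // Expected when no XACML policy has been registered; fall through and bind.
            }
            try {
                ctx.bind(JNDI_NAME, new JBossPolicyRegistration());
                boundByUs = true;
                LOGGER.info("Bound default PolicyRegistration at " + JNDI_NAME);
            } catch (NameAlreadyBoundException e) {
                // Lost the race against another deployment doing the same thing; its binding serves equally well.
                LOGGER.fine(JNDI_NAME + " was bound concurrently by another deployment");
            }
        } catch (NamingException e) {
            // Logged at WARNING rather than swallowed: if the bind is refused, the per-invocation lookup failure remains.
            LOGGER.warning("Could not bind " + JNDI_NAME + ": " + e);
        }
    }

    @PreDestroy
    void unbindIfOurs() {
        if (!boundByUs) {
            return;
        }
        try {
            new InitialContext().unbind(JNDI_NAME);
            LOGGER.info("Unbound " + JNDI_NAME + " on undeploy");
        } catch (NamingException e) {
            LOGGER.warning("Could not unbind " + JNDI_NAME + ": " + e);
        }
    }
}
```

Compared with the LoginModule variant, this runs the JNDI lookup once per deployment rather than once per authentication, distinguishes the expected NameNotFoundException from other naming failures (which are logged at WARNING so a refused bind is noticed), treats NameAlreadyBoundException as a benign lost race, and removes its own binding on undeploy so a redeploy does not inherit state from an earlier deployment.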

