[jboss-jira] [JBoss JIRA] (WFLY-8760) get method of ModuleClassLoaderLocator requires createClassLoader permission

Ondrej Lukas (JIRA) issues at jboss.org
Thu Jun 1 01:32:00 EDT 2017 

    [ https://issues.jboss.org/browse/WFLY-8760?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13414679#comment-13414679 ] 

Ondrej Lukas commented on WFLY-8760:
------------------------------------

[~gaol] I am able reproduce it with Servlet which calls:
{code}
import org.jboss.security.mapping.MappingContext;
import org.jboss.security.mapping.MappingManager;
import org.jboss.security.mapping.MappingType;
import org.picketbox.factories.SecurityFactory;
...
MappingManager mm = SecurityFactory.getMappingManager(securityDomainName);
MappingContext<Object> mc = mm.getMappingContext(MappingType.ATTRIBUTE.name());
...
{code}

Then following AccessControlException is thrown:
{code}
ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /844252ce-02ae-4a7a-b414-4be69116984f/protected/LdapAttributeMappingProviderServlet: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "createClassLoader")" in code source "(vfs:/content/844252ce-02ae-4a7a-b414-4be69116984f.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.844252ce-02ae-4a7a-b414-4be69116984f.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
	at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
	at org.wildfly.security.manager.WildFlySecurityManager.checkCreateClassLoader(WildFlySecurityManager.java:308)
	at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274)
	at java.lang.ClassLoader.<init>(ClassLoader.java:335)
	at java.security.SecureClassLoader.<init>(SecureClassLoader.java:99)
	at org.jboss.as.security.plugins.ModuleClassLoaderLocator$CombinedClassLoader.<init>(ModuleClassLoaderLocator.java:82)
	at org.jboss.as.security.plugins.ModuleClassLoaderLocator.get(ModuleClassLoaderLocator.java:72)
	at org.jboss.security.plugins.mapping.JBossMappingManager.generateMappingContext(JBossMappingManager.java:111)
	at org.jboss.security.plugins.mapping.JBossMappingManager.getMappingContext(JBossMappingManager.java:74)
        ...
{code}

> get method of ModuleClassLoaderLocator requires createClassLoader permission
> ----------------------------------------------------------------------------
>
>                 Key: WFLY-8760
>                 URL: https://issues.jboss.org/browse/WFLY-8760
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Ondrej Lukas
>            Assignee: Lin Gao
>            Priority: Critical
>
> There is missing doPriviliged block in ModuleClassLoaderLocator. Fix of WFLY-7412 for ModuleClassLoaderLocator introduces new CombinedClassLoader innner class which extends SecureClassLoader. Initialization of this class needs to createClassLoader RuntimePermission.
> That means:
> * All deployment which uses API which internally uses ModuleClassLoaderLocator needs createClassLoader RuntimePermission (which is new in EAP 7.1, the same deployments in EAP 7.0 does not need this permission)
> ** i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
> * setting createClassLoader RuntimePermission for deployment can be dangerous and it should probably use own permission



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list