[jboss-jira] [JBoss JIRA] (ELY-1349) Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier

Darran Lofthouse (JIRA) issues at jboss.org
Tue Sep 5 13:46:00 EDT 2017 

     [ https://issues.jboss.org/browse/ELY-1349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated ELY-1349:
----------------------------------
    Fix Version/s: 1.1.2.CR1
                   1.2.0.Beta2


> Incorrect doPrivileged usage causes AccessControlException (FilePermission) in Elytron's ServiceLoaderSupplier
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: ELY-1349
>                 URL: https://issues.jboss.org/browse/ELY-1349
>             Project: WildFly Elytron
>          Issue Type: Bug
>    Affects Versions: 1.1.1.Final
>            Reporter: Ondrej Lukas
>            Assignee: Jan Kalina
>            Priority: Critical
>             Fix For: 1.1.2.CR1, 1.2.0.Beta2
>
>
> When application server is running with Security Manager then using Elytron API (ElytronXmlParser.parseAuthenticationClientConfiguration()) from deployment leads to AccessControlException. The ServiceLoaderSupplier incorrectly uses doPrivileged, so the FilePermission check during accessing Elytron JAR fails.
> Workaround could be adding this FilePermission to each such deployment, but this is neither safe nor practical as the JAR name and location can change (e.g. version upgrade with patches applied).
> It seems the problem is caused by passing AccessControlContext as second parameter of {{doPrivileged}} method [1]. {{ServiceLoaderSupplier}} does not require this permission when second paramater is removed from {{doPrivileged}} method. This privileged block has been added as fix of JBEAP-12111 - {{doPrivileged}} call has been added into {{org.wildfly.security.util.ServiceLoaderSupplier}}.
> For example this is stacktrace for calling {{ElytronXmlParser.parseAuthenticationClientConfiguration}} method from Servlet in war application:
> {code}
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/user/jboss-eap-7.1/modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-1.1.1.Final-redhat-1.jar" "read")" in code source "(vfs:/content/wildfly-config-xml-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.wildfly-config-xml-dep.war" from Service Module Loader")
>         at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
>         at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>         at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:350)
>         at sun.net.www.protocol.jar.JarFileFactory.getCachedJarFile(JarFileFactory.java:137)
>         at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:81)
>         at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
>         at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
>         at java.net.URL.openStream(URL.java:1038)
>         at java.util.ServiceLoader.parse(ServiceLoader.java:304)
>         at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
>         at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
>         at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
>         at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
>         at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
>         at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
>         at org.wildfly.security.util.ServiceLoaderSupplier.loadServices(ServiceLoaderSupplier.java:73)
>         at org.wildfly.security.util.ServiceLoaderSupplier.lambda$get$0(ServiceLoaderSupplier.java:58)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:58)
>         at org.wildfly.security.util.ServiceLoaderSupplier.get(ServiceLoaderSupplier.java:39)
>         at org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier.get(ElytronXmlParser.java:2433)
>         at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:115)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseClearPassword$40(ElytronXmlParser.java:2001)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$27(ElytronXmlParser.java:918)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseCredentialsType$33(ElytronXmlParser.java:953)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$18(ElytronXmlParser.java:691)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$andThenOp$23(ElytronXmlParser.java:895)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationConfigurationType$22(ElytronXmlParser.java:739)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseAuthenticationRuleType$7(ElytronXmlParser.java:575)
>         at org.wildfly.security.auth.client.ElytronXmlParser.lambda$parseRulesType$8(ElytronXmlParser.java:599)
>         at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:299)
>         at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:176)
>         at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:137)
>     ...
> {code}
> [1] https://github.com/wildfly-security/wildfly-elytron/blob/8c033958d78fcb1c4756a7d6c878855b0c099bbe/src/main/java/org/wildfly/security/util/ServiceLoaderSupplier.java#L58



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list