[jboss-jira] [JBoss JIRA] (ELY-1558) WildFlyElytronProvider is not initialized with appropriate privileges

Fri Apr 6 09:31:03 EDT 2018

David Lloyd created ELY-1558:
--------------------------------

             Summary: WildFlyElytronProvider is not initialized with appropriate privileges
                 Key: ELY-1558
                 URL: https://issues.jboss.org/browse/ELY-1558
             Project: WildFly Elytron
          Issue Type: Bug
          Components: Authentication Client
            Reporter: David Lloyd

Initialization of the Elytron provider from the authentication client configuration is not privileged, resulting in exception traces like this one:

{noformat}
java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/client-txt-propag-async.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.client-txt-propag-async.jar" from Service Module Loader")
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
        at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
        at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
        at java.security.Provider.check(Provider.java:658)
        at java.security.Provider.putService(Provider.java:1120)
        at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
        at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
        at org.wildfly.security.auth.client.AuthenticationConfiguration.lambda$static$0(AuthenticationConfiguration.java:169)
        at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
        at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
        at org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory.createSaslClient(SecurityProviderSaslClientFactory.java:85)
        at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
        at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
        at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
        at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
        at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
        at org.wildfly.security.sasl.util.PropertiesSaslClientFactory.createSaslClient(PropertiesSaslClientFactory.java:54)
        at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
        at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
        at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
        at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
        at org.wildfly.security.sasl.util.FilterMechanismSaslClientFactory.createSaslClient(FilterMechanismSaslClientFactory.java:102)
        at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
        at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory.createSaslClient(LocalPrincipalSaslClientFactory.java:76)
        at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.lambda$createSaslClient$0(PrivilegedSaslClientFactory.java:64)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.createSaslClient(PrivilegedSaslClientFactory.java:64)
        at org.wildfly.security.auth.client.AuthenticationConfiguration.createSaslClient(AuthenticationConfiguration.java:1348)
        at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.createSaslClient(AuthenticationContextConfigurationClient.java:395)
        ...
{noformat}

Note that the {{doPrivileged}} in this stack trace is deceptive in that it is simply re-establishing the caller permission by way of {{PrivilegedSaslClientFactory}}.

The fix is probably to put the provider-creating lambda in {{AuthenticationConfiguration}} inside a privileged block.

--
This message was sent by Atlassian JIRA
(v7.5.0#75005)