[jboss-jira] [JBoss JIRA] (ELY-1558) WildFlyElytronProvider is not initialized with appropriate privileges

Jan Kalina (JIRA) issues at jboss.org
Thu Apr 12 10:01:02 EDT 2018 

     [ https://issues.jboss.org/browse/ELY-1558?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina updated ELY-1558:
----------------------------
    Steps to Reproduce: 
{code}
cd testsuite/integration/multinode
mvn install -Dtest=TransactionPropagationTestCase -Dsecurity.manager
{code}


> WildFlyElytronProvider is not initialized with appropriate privileges
> ---------------------------------------------------------------------
>
>                 Key: ELY-1558
>                 URL: https://issues.jboss.org/browse/ELY-1558
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Client
>            Reporter: David Lloyd
>            Assignee: Jan Kalina
>              Labels: security-manager
>
> Initialization of the Elytron provider from the authentication client configuration is not privileged, resulting in exception traces like this one:
> {noformat}
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "putProviderProperty.WildFlyElytron")" in code source "(vfs:/content/client-txt-propag-async.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.client-txt-propag-async.jar" from Service Module Loader")
>         at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
>         at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
>         at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1759)
>         at org.wildfly.security.manager.WildFlySecurityManager.checkSecurityAccess(WildFlySecurityManager.java:581)
>         at java.security.Provider.check(Provider.java:658)
>         at java.security.Provider.putService(Provider.java:1120)
>         at org.wildfly.security.WildFlyElytronProvider.putHttpAuthenticationMechanismImplementations(WildFlyElytronProvider.java:232)
>         at org.wildfly.security.WildFlyElytronProvider.<init>(WildFlyElytronProvider.java:142)
>         at org.wildfly.security.auth.client.AuthenticationConfiguration.lambda$static$0(AuthenticationConfiguration.java:169)
>         at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:159)
>         at org.wildfly.security.util.ProviderUtil$1.get(ProviderUtil.java:147)
>         at org.wildfly.security.sasl.util.SecurityProviderSaslClientFactory.createSaslClient(SecurityProviderSaslClientFactory.java:85)
>         at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
>         at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
>         at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
>         at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
>         at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
>         at org.wildfly.security.sasl.util.PropertiesSaslClientFactory.createSaslClient(PropertiesSaslClientFactory.java:54)
>         at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
>         at org.wildfly.security.sasl.util.ServerNameSaslClientFactory.createSaslClient(ServerNameSaslClientFactory.java:50)
>         at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
>         at org.wildfly.security.sasl.util.ProtocolSaslClientFactory.createSaslClient(ProtocolSaslClientFactory.java:50)
>         at org.wildfly.security.sasl.util.FilterMechanismSaslClientFactory.createSaslClient(FilterMechanismSaslClientFactory.java:102)
>         at org.wildfly.security.sasl.util.AbstractDelegatingSaslClientFactory.createSaslClient(AbstractDelegatingSaslClientFactory.java:66)
>         at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory.createSaslClient(LocalPrincipalSaslClientFactory.java:76)
>         at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.lambda$createSaslClient$0(PrivilegedSaslClientFactory.java:64)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.wildfly.security.sasl.util.PrivilegedSaslClientFactory.createSaslClient(PrivilegedSaslClientFactory.java:64)
>         at org.wildfly.security.auth.client.AuthenticationConfiguration.createSaslClient(AuthenticationConfiguration.java:1348)
>         at org.wildfly.security.auth.client.AuthenticationContextConfigurationClient.createSaslClient(AuthenticationContextConfigurationClient.java:395)
>         ...
> {noformat}
> Note that the {{doPrivileged}} in this stack trace is deceptive in that it is simply re-establishing the caller permission by way of {{PrivilegedSaslClientFactory}}.
> The fix is probably to put the provider-creating lambda in {{AuthenticationConfiguration}} inside a privileged block.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

More information about the jboss-jira mailing list