[jboss-jira] [JBoss JIRA] (WFLY-10240) WS scripts throws AccessControlException when secmgr is used

R Searls (JIRA) issues at jboss.org
Tue Apr 17 13:23:00 EDT 2018


    [ https://issues.jboss.org/browse/WFLY-10240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13562610#comment-13562610 ] 

R Searls commented on WFLY-10240:
---------------------------------

This permissions failure when using -secmgr and JDK-8 is a known issue.
I had an email discussion about this with David L. on Feb 20.
David wrote:

{code:java}
OK it looks like it's the JDK itself which lacks security manager
permissions, which is interesting: we can't really control that
directly.

The CXF "Compiler" class uses
javax.tools.ToolProvider.getSystemJavaCompiler() to get an instance of
Compiler.  This instance comes from a URL class loader which is
constructed on the spot by the JDK to load classes from its tools.jar.
The class loader created by the JDK does not grant any static
permissions to the loaded classes, causing the tool to fail.

The workaround is to create a security policy which grants
AllPermission to "file:/usr/java/jdk1.8.0_72/lib/tools.jar".  I'm not
sure we can come up with a "proper" fix in the JDK before Java 9
(where the tools are included in the main runtime).

CXF could probably come up with an "improper" fix where the compiler
is located using ServiceLoader (which will work cleanly on Java 9 but
will require support from JBoss Modules in Java 8).

I think we'll have to live with the workaround for now otherwise.
{code}

The workaround is to provide a security.policy file via the -Djava.security.policy option.
I've attached an example security.policy file. You would add it to your JAVA_OPTS
env var:

{code:java}
export JAVA_OPTS="-Djava.security.policy=<PATH_TO>/Echo1-security.policy";
{code}

The contents of Echo1-security.policy would be:

{code:java}
grant {
    permission java.security.AllPermission;
};
{code}


> WS scripts throws AccessControlException when secmgr is used
> ------------------------------------------------------------
>
>                 Key: WFLY-10240
>                 URL: https://issues.jboss.org/browse/WFLY-10240
>             Project: WildFly
>          Issue Type: Bug
>          Components: Scripts, Web Services
>            Reporter: Marek Kopecký
>            Assignee: R Searls
>            Priority: Blocker
>
> WS scripts throws AccessControlException when secmgr is used
> {noformat}
> [mkopecky at dhcp-10-40-5-128 bin]$ java -version
> openjdk version "1.8.0_162"
> OpenJDK Runtime Environment (build 1.8.0_162-b12)
> OpenJDK 64-Bit Server VM (build 25.162-b12, mixed mode)
> [mkopecky at dhcp-10-40-5-128 bin]$ ./wsconsume.sh -secmgr https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/testsuite/shared-tests/src/test/resources/jaxws/smoke/tools/wsdl/TestServiceSoap12.wsdl
> Could not find log4j.properties or log4j.xml configuration, logging to console.
> Loading FrontEnd jaxws ...
> Loading DataBinding jaxb ...
> wsdl2java -compile -exsh false -d /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp5146068 -verbose -classdir /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output -allowElementReferences https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/testsuite/shared-tests/src/test/resources/jaxws/smoke/tools/wsdl/TestServiceSoap12.wsdl
> wsdl2java - Apache CXF 3.2.4
> [mkopecky at dhcp-10-40-5-128 bin]$ export SECMGR=true
> [mkopecky at dhcp-10-40-5-128 bin]$ ./wsconsume.sh -secmgr https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/testsuite/shared-tests/src/test/resources/jaxws/smoke/tools/wsdl/TestServiceSoap12.wsdl
> Could not find log4j.properties or log4j.xml configuration, logging to console.
> Loading FrontEnd jaxws ...
> Loading DataBinding jaxb ...
> wsdl2java -compile -exsh false -d /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967 -verbose -classdir /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output -allowElementReferences https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/testsuite/shared-tests/src/test/resources/jaxws/smoke/tools/wsdl/TestServiceSoap12.wsdl
> wsdl2java - Apache CXF 3.2.4
> JBWS024002: Failed to invoke org.apache.cxf.tools.wsdlto.WSDLToJava
> org.apache.cxf.tools.common.ToolException: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967/org/openuri/_2004/_04/helloworld/EndpointInterface.java" "read")" in code source "(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar <no signer certificates>)" of "java.net.FactoryURLClassLoader at e4d2696")
> 	at org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:420)
> 	at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:105)
> 	at org.apache.cxf.tools.wsdlto.WSDLToJava.run(WSDLToJava.java:113)
> 	at org.jboss.wsf.stack.cxf.tools.CXFConsumerImpl.consume(CXFConsumerImpl.java:313)
> 	at org.jboss.ws.tools.cmd.WSConsume.importServices(WSConsume.java:298)
> 	at org.jboss.ws.tools.cmd.WSConsume.mainInternal(WSConsume.java:108)
> 	at org.jboss.ws.tools.cmd.WSConsume.main(WSConsume.java:96)
> 	at org.jboss.modules.Module.runMainMethod(Module.java:348)
> 	at org.jboss.modules.Module.run(Module.java:328)
> 	at org.jboss.modules.Main.main(Main.java:557)
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967/org/openuri/_2004/_04/helloworld/EndpointInterface.java" "read")" in code source "(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar <no signer certificates>)" of "java.net.FactoryURLClassLoader at e4d2696")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
> 	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:360)
> 	at java.io.File.isDirectory(File.java:844)
> 	at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:69)
> 	at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:64)
> 	at com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromFiles(JavacFileManager.java:785)
> 	at com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromStrings(JavacFileManager.java:185)
> 	at org.apache.cxf.common.util.Compiler.useJava6Compiler(Compiler.java:202)
> 	at org.apache.cxf.common.util.Compiler.compileFiles(Compiler.java:141)
> 	at org.apache.cxf.tools.common.ClassUtils.compile(ClassUtils.java:123)
> 	at org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.processWsdl(WSDLToJavaContainer.java:303)
> 	at org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:164)
> 	at org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:412)
> 	... 9 more
> [mkopecky at dhcp-10-40-5-128 bin]$ 
> {noformat}
> {noformat}
> [mkopecky at dhcp-10-40-5-128 bin]$ java -version
> openjdk version "1.8.0_162"
> OpenJDK Runtime Environment (build 1.8.0_162-b12)
> OpenJDK 64-Bit Server VM (build 25.162-b12, mixed mode)
> [mkopecky at dhcp-10-40-5-128 bin]$ ./wsprovide.sh -k -c ~/erase13/classes -o out  org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
> Could not find log4j.properties or log4j.xml configuration, logging to console.
> java2ws -s /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -classdir /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -d /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -verbose -cp /home/mkopecky/erase13/classes/: -wrapperbean -createxsdimports org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
> java2ws - Apache CXF 3.2.4
> [mkopecky at dhcp-10-40-5-128 bin]$ export SECMGR=true
> [mkopecky at dhcp-10-40-5-128 bin]$ ./wsprovide.sh -k -c ~/erase13/classes -o out  org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
> Could not find log4j.properties or log4j.xml configuration, logging to console.
> java2ws -s /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -classdir /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -d /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -verbose -cp /home/mkopecky/erase13/classes/: -wrapperbean -createxsdimports org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
> java2ws - Apache CXF 3.2.4
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out/org/jboss/as/testsuite/integration/scripts/test/tools/jaxws/EchoPlus1Response.java" "read")" in code source "(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar <no signer certificates>)" of "java.net.FactoryURLClassLoader at 29876704")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
> 	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:360)
> 	at java.io.File.isDirectory(File.java:844)
> 	at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:69)
> 	at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:64)
> 	at com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromFiles(JavacFileManager.java:785)
> 	at com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromStrings(JavacFileManager.java:185)
> 	at org.apache.cxf.common.util.Compiler.useJava6Compiler(Compiler.java:202)
> 	at org.apache.cxf.common.util.Compiler.compileFiles(Compiler.java:141)
> 	at org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generateAndCompile(BeanGenerator.java:91)
> 	at org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generate(BeanGenerator.java:58)
> 	at org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generate(BeanGenerator.java:35)
> 	at org.apache.cxf.tools.java2wsdl.processor.JavaToWSDLProcessor.generate(JavaToWSDLProcessor.java:156)
> 	at org.apache.cxf.tools.java2wsdl.processor.JavaToWSDLProcessor.process(JavaToWSDLProcessor.java:118)
> 	at org.apache.cxf.tools.java2ws.JavaToWSContainer.processWSDL(JavaToWSContainer.java:110)
> 	at org.apache.cxf.tools.java2ws.JavaToWSContainer.execute(JavaToWSContainer.java:75)
> 	at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:105)
> 	at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:45)
> 	at org.apache.cxf.tools.java2ws.JavaToWS.run(JavaToWS.java:83)
> 	at org.jboss.wsf.stack.cxf.tools.CXFProviderImpl.provide(CXFProviderImpl.java:200)
> 	at org.jboss.wsf.stack.cxf.tools.CXFProviderImpl.provide(CXFProviderImpl.java:109)
> 	at org.jboss.ws.tools.cmd.WSProvide.generate(WSProvide.java:223)
> 	at org.jboss.ws.tools.cmd.WSProvide.main(WSProvide.java:89)
> 	at org.jboss.modules.Module.runMainMethod(Module.java:348)
> 	at org.jboss.modules.Module.run(Module.java:328)
> 	at org.jboss.modules.Main.main(Main.java:557)
> [mkopecky at dhcp-10-40-5-128 bin]$ 
> {noformat}
> Second example uses classes from classes.zip file attached in WFLY-10238
> cc: [~jbliznak]



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
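
David's mail above scopes the AllPermission grant to the tools.jar code source, whereas a `grant { ... }` entry with no codeBase applies to every code source. The following is an added example (not part of the ticket, the attachment or WildFly; the function names and output file name are hypothetical) that writes a policy limited to the JDK 8 tools.jar and flags policy files containing an unqualified AllPermission grant.

```shell
#!/bin/sh
# Added example, not from the ticket or WildFly. Function names are hypothetical.

# Print a policy granting AllPermission only to the JDK 8 tools.jar under the
# given JDK home. Fails on JDKs without lib/tools.jar (Java 9+).
# Assumes the path needs no URL escaping (no spaces or '%').
write_scoped_policy() {
    jdk_home=$1
    if [ ! -f "$jdk_home/lib/tools.jar" ]; then
        echo "no lib/tools.jar under $jdk_home" >&2
        return 1
    fi
    # Use the physical directory so a symlinked JDK home does not end up
    # in the codeBase URL.
    jar_dir=$(cd "$jdk_home/lib" && pwd -P) || return 1
    cat <<EOF
grant codeBase "file:$jar_dir/tools.jar" {
    permission java.security.AllPermission;
};
EOF
}

# Exit 0 if the policy file has a grant with no codeBase/signedBy/principal
# qualifier that contains AllPermission, i.e. every code source gets it.
# Assumes any qualifier sits on the same line as the "grant" keyword.
has_unscoped_all_permission() {
    awk '
        /^[ \t]*grant[ \t]*([{].*)?$/      { bare = 1 }   # "grant {" or "grant"
        /^[ \t]*grant[ \t]+[^{ \t]/        { bare = 0 }   # "grant codeBase ..."
        bare && /java\.security\.AllPermission/ { found = 1 }
        /[}][ \t]*;/                       { bare = 0 }   # end of grant entry
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Usage: sh tools-jar-policy.sh "$JAVA_HOME" > tools-jar.policy
if [ $# -ge 1 ]; then
    write_scoped_policy "$1"
fi
```

The generated file is passed through the same -Djava.security.policy option shown in the comment above.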


