[jboss-jira] [JBoss JIRA] (WFLY-10240) WS scripts throws AccessControlException when secmgr is used

Kabir Khan (JIRA) issues at jboss.org
Sat Aug 25 04:18:01 EDT 2018


    [ https://issues.jboss.org/browse/WFLY-10240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13624120#comment-13624120 ] 

Kabir Khan edited comment on WFLY-10240 at 8/25/18 4:17 AM:
------------------------------------------------------------

It seems that in WF11 (which effectively was 7.1.0) the wsconsume script gives no treatment to the SECMGR environment variable and -secmgr parameter in 
https://github.com/wildfly/wildfly/blob/11.0.0.Final/feature-pack/src/main/resources/content/bin/wsconsume.sh

This support was added by [~rsearls] in https://github.com/wildfly/wildfly/pull/10695 and https://github.com/wildfly/wildfly/pull/10813. So this 'working' in 7.1 would actually mean these flags have no effect and the security manager was not turned on.

For 6.3 and 6.4 we did not support Java 8. I have checked with [~darranl], and adding doPrivileged blocks in cxf, which is the part of the call stack under our control, would have no effect as it is in a different ProtectionDomain from the sun.tool classes. Having gone through this with him, he agrees this looks like a JDK bug and that a policy file is needed.

Please downgrade this issue, file the Jira bug, and document as a known issue. 
[~rsearls] Perhaps find a policy file which grants a smaller set of permissions for the documentation? As granting AllPermissions is effectively the same as running without a SM :)

Finally, I'd like to reemphasize that these are developer tools to generate code to run in the server. If the intent is to stop people from adding 'evil' endpoints for deployment into the server, there is nothing to stop me from opening my IDE and writing something by hand. Securing the code generation tool is not the right level for locking this down, that needs to happen elsewhere. However, it might keep some customers happy, but we have a workaround with the policy file.



was (Author: kabirkhan):
It seems that in WF11 (which effectively was 7.1.0) the wsconsume script gives no treatment to the SECMGR environment variable and -secmgr parameter in 
https://github.com/wildfly/wildfly/blob/11.0.0.Final/feature-pack/src/main/resources/content/bin/wsconsume.sh

This support was added by [~rsearls] in https://github.com/wildfly/wildfly/pull/10695 and https://github.com/wildfly/wildfly/pull/10813. So this 'working' in 7.1 would actually mean these flags have no effect and the security manager was not turned on.

For 6.3 and 6.4 we did not support Java 8. I have checked with [~darranl], and adding doPrivileged blocks in cxf, which is the part of the call stack under our control, would have no effect as it is in a different ProtectionDomain from the sun.tool classes. Having gone through this with him, he agrees this looks like a JDK bug and that a policy file is needed.

Please downgrade this issue, file the Jira bug, and document as a known issue. 
[~rsearls] Perhaps find a policy file which grants a smaller set of permissions for the documentation? As granting AllPermissions is effectively the same as running without a SM :)

Finally, I'd like to reemphasize that these are developer tools to generate code to run in the server. If the intent is to stop people from adding 'evil' endpoints for deployment into the server, there is nothing to stop me from opening my IDE and writing something by hand. Securing the code generation tool is not the right level for locking this down, that needs to happen elsewhere. However, it might keep some customers happy, but we have a workaround with the policy file.


> WS scripts throws AccessControlException when secmgr is used
> ------------------------------------------------------------
>
>                 Key: WFLY-10240
>                 URL: https://issues.jboss.org/browse/WFLY-10240
>             Project: WildFly
>          Issue Type: Bug
>          Components: Scripts, Web Services
>            Reporter: Marek Kopecký
>            Assignee: R Searls
>            Priority: Blocker
>              Labels: blocker-WF14
>
> WS scripts throws AccessControlException when secmgr is used
> {noformat}
> [mkopecky at dhcp-10-40-5-128 bin]$ java -version
> openjdk version "1.8.0_162"
> OpenJDK Runtime Environment (build 1.8.0_162-b12)
> OpenJDK 64-Bit Server VM (build 25.162-b12, mixed mode)
> [mkopecky at dhcp-10-40-5-128 bin]$ ./wsconsume.sh -secmgr https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/testsuite/shared-tests/src/test/resources/jaxws/smoke/tools/wsdl/TestServiceSoap12.wsdl
> Could not find log4j.properties or log4j.xml configuration, logging to console.
> Loading FrontEnd jaxws ...
> Loading DataBinding jaxb ...
> wsdl2java -compile -exsh false -d /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp5146068 -verbose -classdir /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output -allowElementReferences https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/testsuite/shared-tests/src/test/resources/jaxws/smoke/tools/wsdl/TestServiceSoap12.wsdl
> wsdl2java - Apache CXF 3.2.4
> [mkopecky at dhcp-10-40-5-128 bin]$ export SECMGR=true
> [mkopecky at dhcp-10-40-5-128 bin]$ ./wsconsume.sh -secmgr https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/testsuite/shared-tests/src/test/resources/jaxws/smoke/tools/wsdl/TestServiceSoap12.wsdl
> Could not find log4j.properties or log4j.xml configuration, logging to console.
> Loading FrontEnd jaxws ...
> Loading DataBinding jaxb ...
> wsdl2java -compile -exsh false -d /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967 -verbose -classdir /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output -allowElementReferences https://raw.githubusercontent.com/jbossws/jbossws-cxf/master/modules/testsuite/shared-tests/src/test/resources/jaxws/smoke/tools/wsdl/TestServiceSoap12.wsdl
> wsdl2java - Apache CXF 3.2.4
> JBWS024002: Failed to invoke org.apache.cxf.tools.wsdlto.WSDLToJava
> org.apache.cxf.tools.common.ToolException: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967/org/openuri/_2004/_04/helloworld/EndpointInterface.java" "read")" in code source "(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar <no signer certificates>)" of "java.net.FactoryURLClassLoader at e4d2696")
> 	at org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:420)
> 	at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:105)
> 	at org.apache.cxf.tools.wsdlto.WSDLToJava.run(WSDLToJava.java:113)
> 	at org.jboss.wsf.stack.cxf.tools.CXFConsumerImpl.consume(CXFConsumerImpl.java:313)
> 	at org.jboss.ws.tools.cmd.WSConsume.importServices(WSConsume.java:298)
> 	at org.jboss.ws.tools.cmd.WSConsume.mainInternal(WSConsume.java:108)
> 	at org.jboss.ws.tools.cmd.WSConsume.main(WSConsume.java:96)
> 	at org.jboss.modules.Module.runMainMethod(Module.java:348)
> 	at org.jboss.modules.Module.run(Module.java:328)
> 	at org.jboss.modules.Main.main(Main.java:557)
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/output/tmp4759967/org/openuri/_2004/_04/helloworld/EndpointInterface.java" "read")" in code source "(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar <no signer certificates>)" of "java.net.FactoryURLClassLoader at e4d2696")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
> 	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:360)
> 	at java.io.File.isDirectory(File.java:844)
> 	at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:69)
> 	at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:64)
> 	at com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromFiles(JavacFileManager.java:785)
> 	at com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromStrings(JavacFileManager.java:185)
> 	at org.apache.cxf.common.util.Compiler.useJava6Compiler(Compiler.java:202)
> 	at org.apache.cxf.common.util.Compiler.compileFiles(Compiler.java:141)
> 	at org.apache.cxf.tools.common.ClassUtils.compile(ClassUtils.java:123)
> 	at org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.processWsdl(WSDLToJavaContainer.java:303)
> 	at org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:164)
> 	at org.apache.cxf.tools.wsdlto.WSDLToJavaContainer.execute(WSDLToJavaContainer.java:412)
> 	... 9 more
> [mkopecky at dhcp-10-40-5-128 bin]$ 
> {noformat}
> {noformat}
> [mkopecky at dhcp-10-40-5-128 bin]$ java -version
> openjdk version "1.8.0_162"
> OpenJDK Runtime Environment (build 1.8.0_162-b12)
> OpenJDK 64-Bit Server VM (build 25.162-b12, mixed mode)
> [mkopecky at dhcp-10-40-5-128 bin]$ ./wsprovide.sh -k -c ~/erase13/classes -o out  org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
> Could not find log4j.properties or log4j.xml configuration, logging to console.
> java2ws -s /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -classdir /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -d /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -verbose -cp /home/mkopecky/erase13/classes/: -wrapperbean -createxsdimports org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
> java2ws - Apache CXF 3.2.4
> [mkopecky at dhcp-10-40-5-128 bin]$ export SECMGR=true
> [mkopecky at dhcp-10-40-5-128 bin]$ ./wsprovide.sh -k -c ~/erase13/classes -o out  org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
> Could not find log4j.properties or log4j.xml configuration, logging to console.
> java2ws -s /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -classdir /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -d /home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out -verbose -cp /home/mkopecky/erase13/classes/: -wrapperbean -createxsdimports org.jboss.as.testsuite.integration.scripts.test.tools.Echo1Impl
> java2ws - Apache CXF 3.2.4
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/mkopecky/playground/wf/wfly.23/wfly.23/bin/out/org/jboss/as/testsuite/integration/scripts/test/tools/jaxws/EchoPlus1Response.java" "read")" in code source "(file:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.162-3.b12.fc26.x86_64/lib/tools.jar <no signer certificates>)" of "java.net.FactoryURLClassLoader at 29876704")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
> 	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:360)
> 	at java.io.File.isDirectory(File.java:844)
> 	at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:69)
> 	at com.sun.tools.javac.file.RegularFileObject.<init>(RegularFileObject.java:64)
> 	at com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromFiles(JavacFileManager.java:785)
> 	at com.sun.tools.javac.file.JavacFileManager.getJavaFileObjectsFromStrings(JavacFileManager.java:185)
> 	at org.apache.cxf.common.util.Compiler.useJava6Compiler(Compiler.java:202)
> 	at org.apache.cxf.common.util.Compiler.compileFiles(Compiler.java:141)
> 	at org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generateAndCompile(BeanGenerator.java:91)
> 	at org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generate(BeanGenerator.java:58)
> 	at org.apache.cxf.tools.java2wsdl.generator.wsdl11.BeanGenerator.generate(BeanGenerator.java:35)
> 	at org.apache.cxf.tools.java2wsdl.processor.JavaToWSDLProcessor.generate(JavaToWSDLProcessor.java:156)
> 	at org.apache.cxf.tools.java2wsdl.processor.JavaToWSDLProcessor.process(JavaToWSDLProcessor.java:118)
> 	at org.apache.cxf.tools.java2ws.JavaToWSContainer.processWSDL(JavaToWSContainer.java:110)
> 	at org.apache.cxf.tools.java2ws.JavaToWSContainer.execute(JavaToWSContainer.java:75)
> 	at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:105)
> 	at org.apache.cxf.tools.common.toolspec.ToolRunner.runTool(ToolRunner.java:45)
> 	at org.apache.cxf.tools.java2ws.JavaToWS.run(JavaToWS.java:83)
> 	at org.jboss.wsf.stack.cxf.tools.CXFProviderImpl.provide(CXFProviderImpl.java:200)
> 	at org.jboss.wsf.stack.cxf.tools.CXFProviderImpl.provide(CXFProviderImpl.java:109)
> 	at org.jboss.ws.tools.cmd.WSProvide.generate(WSProvide.java:223)
> 	at org.jboss.ws.tools.cmd.WSProvide.main(WSProvide.java:89)
> 	at org.jboss.modules.Module.runMainMethod(Module.java:348)
> 	at org.jboss.modules.Module.run(Module.java:328)
> 	at org.jboss.modules.Main.main(Main.java:557)
> [mkopecky at dhcp-10-40-5-128 bin]$ 
> {noformat}
> The second example uses classes from the classes.zip file attached in WFLY-10238
> cc: [~jbliznak]
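The comment above asks for a policy file that grants tools.jar a smaller set of permissions than AllPermission. The policy below is an added illustration, not something from the WFLY-10240 thread or the WildFly project; it assumes the tool JVM picks the file up through the standard -Djava.security.policy property (a single "=" adds these grants to the default policy, "==" replaces it), that the generated sources and classes live under ${user.dir}/output as in the reports above, and that the JDK 8 compiler is loaded from tools.jar next to the JRE.

```text
// Added example policy for running wsconsume.sh / wsprovide.sh with SECMGR=true.
// Assumptions: java.home is the JDK 8 jre directory (so tools.jar sits at
// ${java.home}/../lib/tools.jar, matching the code source in the trace) and the
// tool output directory is ${user.dir}/output.
grant codeBase "file:${java.home}/../lib/tools.jar" {
    // javac reads the generated .java files and writes .class files below the
    // output directory; the "read" check on EndpointInterface.java is the one
    // that failed in the stack trace.
    permission java.io.FilePermission "${user.dir}${/}output", "read";
    permission java.io.FilePermission "${user.dir}${/}output${/}-", "read,write,delete";
    // Platform classes (rt.jar etc.) and the compiler's own jar.
    permission java.io.FilePermission "${java.home}${/}lib${/}-", "read";
    permission java.io.FilePermission "${java.home}${/}..${/}lib${/}-", "read";
    // The compiler reads system properties such as user.dir and file.encoding.
    permission java.util.PropertyPermission "*", "read";
};
```

This grant is scoped to the tools.jar code source only; cxf and the jbossws tool classes keep whatever the security manager already grants them, and any further AccessControlException names the next permission to add rather than widening the grant to AllPermission.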



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)