[jboss-jira] [JBoss JIRA] (WFCORE-3796) Incorrect Elytron permission class-name or module should throw exception

Ilia Vassilev (Jira) issues at jboss.org
Thu Nov 8 16:04:00 EST 2018


    [ https://issues.jboss.org/browse/WFCORE-3796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13659226#comment-13659226 ] 

Ilia Vassilev commented on WFCORE-3796:
---------------------------------------

Requirement [1] was introduced with https://issues.jboss.org/browse/WFWIP-9, which has been implemented in https://issues.jboss.org/browse/WFCORE-3596 (commit [2]). As a result of that change, when a non-existent class-name is added, an exception will be thrown at runtime. I've verified that when the following is added to the Elytron configuration, exception [3] occurs.

{code}
<constant-permission-mapper name="cpm">
    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    <permission class-name="WrongName"/>
</constant-permission-mapper>
{code}

The same exception occurs for permission-sets:

{code}
<permission-sets>
    <permission-set name="login-permission">
        <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
    </permission-set>
    <permission-set name="default-permissions">
        <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
        <permission class-name="org.wildfly.transaction.client.RemoteTransactionPermission" module="org.wildfly.transaction.client"/>
        <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
        <permission class-name="WrongName"/>
    </permission-set>
</permission-sets>
{code}

[1]
"When a non-existent class-name or module (e.g. when there is a typo) is added to any Elytron permission mapper (constant-permission-mapper or simple-permission-mapper), then an exception should be thrown. Otherwise it can result in a situation where, due to a typo, some permission is granted to any identity instead of being denied, when the permission is used on the 'deny' side."
[2] https://github.com/wildfly/wildfly-core/commit/1266d9aec57abb409a7c5dce3faf2b780bffb01b

[3]
{code}
17:19:39,939 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.security.permission-set.default-permissions: org.jboss.msc.service.StartException in service org.wildfly.security.permission-set.default-permissions: WFLYELY00038: Could not load permission class 'WrongName'
	at org.wildfly.extension.elytron.PermissionMapperDefinitions.createPermission(PermissionMapperDefinitions.java:432)
	at org.wildfly.extension.elytron.PermissionMapperDefinitions.createPermissions(PermissionMapperDefinitions.java:410)
	at org.wildfly.extension.elytron.PermissionSetDefinition$1.lambda$getValueSupplier$0(PermissionSetDefinition.java:75)
	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
	at java.lang.Thread.run(Thread.java:748)

17:19:39,975 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("permission-set" => "default-permissions")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.permission-set.default-permissions" => "WFLYELY00038: Could not load permission class 'WrongName'"}}

{code}

> Incorrect Elytron permission class-name or module should throw exception
> ------------------------------------------------------------------------
>
>                 Key: WFCORE-3796
>                 URL: https://issues.jboss.org/browse/WFCORE-3796
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 5.0.0.Alpha4
>            Reporter: Ondrej Lukas
>            Assignee: Ilia Vassilev
>            Priority: Major
>
> When a non-existent class-name or module (e.g. when there is a typo) is added to any Elytron permission mapper (constant-permission-mapper or simple-permission-mapper), then an exception should be thrown. Otherwise it can result in a situation where, due to a typo, some permission is granted to any identity instead of being denied, when the permission is used on the 'deny' side.



--
This message was sent by Atlassian Jira
(v7.12.1#712002)
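An added example (not code from the WildFly project or from this thread) of the same check done offline at config-authoring time: it parses the <permission> entries from Elytron XML like the snippets above and reports any class-name that does not resolve, so a typo on the 'deny' side is caught before the server boots. The DEFAULT_MODULE value, the modules/<dotted.name>/main/*.jar layout and the KNOWN lookup table are assumptions made for the example.

```python
# Added example: lint Elytron <permission> entries for unresolvable class names.
# Not WildFly code; the default module and modules/ layout below are assumptions.
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path

# Assumed default when a <permission> has no module attribute (labelled assumption).
DEFAULT_MODULE = "org.wildfly.security.elytron"

def permission_entries(xml_text):
    """Return (class_name, module) for every <permission> element, whether it
    sits under a permission-set or a constant-permission-mapper; the namespace
    prefix used by a real standalone.xml is stripped so both forms parse."""
    root = ET.fromstring(xml_text)
    return [(e.get("class-name"), e.get("module") or DEFAULT_MODULE)
            for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "permission"]

def unresolvable_permissions(xml_text, class_exists):
    """Entries that class_exists(class_name, module) cannot resolve. A typo here on
    the 'deny' side is exactly the case WFCORE-3796 wants to fail loudly."""
    return [(c, m) for c, m in permission_entries(xml_text) if not class_exists(c, m)]

def jar_class_lookup(modules_root):
    """Predicate that looks for <class>.class inside the jars under
    <modules_root>/<module dotted path>/main/ (assumed JBoss Modules layout)."""
    def exists(class_name, module):
        entry = class_name.replace(".", "/") + ".class"
        for jar in Path(modules_root).joinpath(*module.split("."), "main").glob("*.jar"):
            with zipfile.ZipFile(jar) as zf:
                if entry in zf.namelist():
                    return True
        return False
    return exists

# Constructed sample: a trimmed copy of the permission-set block from the comment.
SAMPLE_XML = """<permission-sets>
  <permission-set name="login-permission">
    <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
  </permission-set>
  <permission-set name="default-permissions">
    <permission class-name="org.jboss.ejb.client.RemoteEJBPermission" module="org.jboss.ejb-client"/>
    <permission class-name="WrongName"/>
  </permission-set>
</permission-sets>"""

# Constructed stand-in for the jar scan so the example runs offline.
KNOWN = {("org.wildfly.security.auth.permission.LoginPermission", DEFAULT_MODULE),
         ("org.jboss.ejb.client.RemoteEJBPermission", "org.jboss.ejb-client")}

if __name__ == "__main__":
    for cls, mod in unresolvable_permissions(SAMPLE_XML, lambda c, m: (c, m) in KNOWN):
        print(f"unresolvable permission class {cls!r} in module {mod}")
```

Against a real installation, pass jar_class_lookup("/path/to/wildfly/modules/system/layers/base") as the predicate instead of the KNOWN table.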

