[jboss-jira] [JBoss JIRA] (WFLY-11365) Test JSONBTestCase fails with security manager

Brian Stansberry (Jira) issues at jboss.org
Thu Jan 3 16:26:00 EST 2019 

    [ https://issues.jboss.org/browse/WFLY-11365?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13678164#comment-13678164 ] 

Brian Stansberry commented on WFLY-11365:
-----------------------------------------

Yes, adding the permissions isn't a wonderful workaround. I just think this kind of thing should be fixed upstream and WildFly shouldn't be maintaining forks.

There may be some pushback in upstream projects about doing things in a privileged block. A hopefully helpful way to look at things is to determine whether a given call path is something required by EE8 (the overall spec, not just the project specific spec.)  If some call path that's required doesn't work, fixing that's a different request from asking for support for something like a user wanting to use a class generally meant for external client use inside a container (e.g. javax.ws.rs.client.ClientBuilder).

So, for JSON-B, JSR 366, EE.6.16 says:

{quote}In a full Java EE product, all Java EE application client containers, web
containers, and EJB containers are required to support the JSON-B API.{quote}

Now that doesn't say much, but the only way I can interpret it is the web and ejb containers have to expose the API to deployments. Which reasonably means the API jar is part of the container codebase.  And then AFAIK the only way to use the API is with 'Jsonb jsonb = JsonbBuilder.create();'  Which will fail in any container running with a security manager where the container gives its own code permissions but is restrictive for the deployment; i.e. in any normal container. So, the expected EE 8 use case will not work.

> Test JSONBTestCase fails with security manager
> ----------------------------------------------
>
>                 Key: WFLY-11365
>                 URL: https://issues.jboss.org/browse/WFLY-11365
>             Project: WildFly
>          Issue Type: Bug
>          Components: EE, Test Suite
>    Affects Versions: 15.0.0.Beta1
>            Reporter: Martin Choma
>            Assignee: Bartosz Baranowski
>            Priority: Major
>              Labels: security-manager
>         Attachments: sm-fix.patch
>
>
> {noformat}
> org.jboss.as.test.integration.json (1)
>     JSONBTestCase.testJsonbServlet
> {noformat}
> {noformat}
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/store/repository/org/eclipse/yasson/1.0.2/yasson-1.0.2.jar" "read")" in code source "(vfs:/content/jsonb10-test.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.jsonb10-test.war" from Service Module Loader")
>  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
>  at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
>  at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>  at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:359)
>  at java.util.zip.ZipFile.<init>(ZipFile.java:216)
>  at java.util.zip.ZipFile.<init>(ZipFile.java:155)
>  at java.util.jar.JarFile.<init>(JarFile.java:166)
>  at java.util.jar.JarFile.<init>(JarFile.java:103)
>  at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
>  at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
>  at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
>  at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
>  at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:152)
>  at java.net.URL.openStream(URL.java:1045)
>  at java.util.ServiceLoader.parse(ServiceLoader.java:304)
>  at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
>  at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
>  at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
>  at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
>  at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
>  at java.security.AccessController.doPrivileged(Native Method)
>  at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
>  at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
>  at javax.json.bind.spi.JsonbProvider.provider(JsonbProvider.java:112)
>  at javax.json.bind.JsonbBuilder.create(JsonbBuilder.java:108)
>  at org.jboss.as.test.integration.json.JSONBServlet.doGet(JSONBServlet.java:46)	...
> {noformat}
> Looks to me similar to WFLY-11337
> [1] https://ci.wildfly.org/viewLog.html?buildId=128138&buildTypeId=WF_MasterSecurityManager



--
This message was sent by Atlassian Jira
(v7.12.1#712002)

More information about the jboss-jira mailing list