[jboss-jira] [JBoss JIRA] (WFLY-12465) Security manager failures persisting timers

Flavia Rainone (Jira) issues at jboss.org
Wed Sep 4 15:21:00 EDT 2019 

    [ https://issues.jboss.org/browse/WFLY-12465?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13779425#comment-13779425 ] 

Flavia Rainone commented on WFLY-12465:
---------------------------------------

[~maeste] Has this sort of failure come up before? To me, it would surprise me this is the first time we hear about this sort of error? Unless it is not very common to run WF with security manager enabled, which could also be an explanation.

[~dlofthouse] If we add a coarser permission, like DatasourcePermission("create"), it would be an RFE, because it would be news to users that they have to grant that permission to their apps, right?

There is one point, though. The callers of this are all applications that are using jdbc to connect to a driver that uses java Sockets to connect to the database, which should occur with a very high frequency. AFAIK, IronJacamar requires currently no special permissions to connect to external systems whatsoever (and please [~maeste] and [~dlofthouse], correct me if I'm mistaken here), so if we review this design decision, we would have to review it from a broader perspective for all connection related operations inside IronJacamar, including rars and jdbc.

> Security manager failures persisting timers
> -------------------------------------------
>
>                 Key: WFLY-12465
>                 URL: https://issues.jboss.org/browse/WFLY-12465
>             Project: WildFly
>          Issue Type: Bug
>          Components: EJB, JCA
>            Reporter: Brian Stansberry
>            Assignee: Cheng Fang
>            Priority: Major
>
> There are intermittent failures in the security manager enabled CI jobs for DatabaseTimerServiceMultiNodeExecutionDisabledTestCase.
> For example: https://ci.wildfly.org/viewLog.html?buildId=164790&buildTypeId=WF_PullRequest_LinuxSm
> {code}
> javax.ejb.EJBException: java.lang.RuntimeException: java.lang.RuntimeException: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/TimeDs_disabled
> 	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:246)
> 	at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:362)
> 	at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:144)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
> 	at org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
> 	at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
> 	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:618)
> 	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
> 	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
> 	at org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:406)
> 	at org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:591)
> 	at org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:572)
> 	at org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:205)
> 	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.RuntimeException: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/TimeDs_disabled
> 	at org.jboss.as.ejb3.timerservice.TimerServiceImpl.persistTimer(TimerServiceImpl.java:626)
> 	at org.jboss.as.ejb3.timerservice.TimerServiceImpl.createTimer(TimerServiceImpl.java:480)
> 	at org.jboss.as.ejb3.timerservice.TimerServiceImpl.createSingleActionTimer(TimerServiceImpl.java:305)
> 	at org.jboss.as.test.multinode.ejb.timer.database.TimedObjectTimerServiceBean.scheduleTimer(TimedObjectTimerServiceBean.java:57)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:498)
> 	at org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
> 	at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.delegateInterception(Jsr299BindingsInterceptor.java:80)
> 	at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:90)
> 	at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:107)
> 	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
> 	at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
> 	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> 	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:237)
> 	... 40 more
> Caused by: java.lang.RuntimeException: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/TimeDs_disabled
> 	at org.jboss.as.ejb3.timerservice.persistence.database.DatabaseTimerPersistence.addTimer(DatabaseTimerPersistence.java:343)
> 	at org.jboss.as.ejb3.timerservice.TimerServiceImpl.persistTimer(TimerServiceImpl.java:607)
> 	... 71 more
> Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/TimeDs_disabled
> 	at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:159)
> 	at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
> 	at org.jboss.as.ejb3.timerservice.persistence.database.DatabaseTimerPersistence.addTimer(DatabaseTimerPersistence.java:338)
> 	... 72 more
> Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/TimeDs_disabled
> 	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690)
> 	at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:440)
> 	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789)
> 	at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:151)
> 	... 74 more
> Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
> 	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345)
> 	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352)
> 	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287)
> 	at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1328)
> 	at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499)
> 	at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:714)
> 	at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:613)
> 	at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624)
> 	... 77 more
> Caused by: org.h2.jdbc.JdbcSQLException: General error: "java.security.AccessControlException: WFSM000001: Permission check failed (permission ""(""java.net.SocketPermission"" ""127.0.1.1:9092"" ""connect,resolve"")"" in code source ""(vfs:/content/testTimerServiceSimple.war/WEB-INF/classes <no signer certificates>)"" of ""ModuleClassLoader for Module ""deployment.testTimerServiceSimple.war"" from Service Module Loader"")" [50000-193]
> 	at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
> 	at org.h2.message.DbException.get(DbException.java:168)
> 	at org.h2.message.DbException.convert(DbException.java:295)
> 	at org.h2.message.DbException.toSQLException(DbException.java:268)
> 	at org.h2.message.TraceObject.logAndConvert(TraceObject.java:352)
> 	at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:129)
> 	at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:99)
> 	at org.h2.Driver.connect(Driver.java:69)
> 	at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
> 	... 84 more
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.net.SocketPermission" "127.0.1.1:9092" "connect,resolve")" in code source "(vfs:/content/testTimerServiceSimple.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.testTimerServiceSimple.war" from Service Module Loader")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
> 	at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkConnect(WildFlySecurityManager.java:389)
> 	at java.net.Socket.connect(Socket.java:584)
> 	at org.h2.util.NetUtils.createSocket(NetUtils.java:122)
> 	at org.h2.util.NetUtils.createSocket(NetUtils.java:102)
> 	at org.h2.engine.SessionRemote.initTransfer(SessionRemote.java:114)
> 	at org.h2.engine.SessionRemote.connectServer(SessionRemote.java:448)
> 	at org.h2.engine.SessionRemote.connectEmbeddedOrServer(SessionRemote.java:329)
> 	at org.h2.jdbc.JdbcConnection.<init>(JdbcConnection.java:115)
> 	... 87 more
> {code}
> My instinct is this does not look like a case where the test deployment is missing some permission, as the persistence of the timer seems like a container concern, not something the app should need to worry about.
> It's a bit odd that this is an intermittent failure, but perhaps that's just a matter of the timer persistence typically being able to fetch a connection from the pool, one opened by some other code, and it only fails if this call stack needs to create the connection.



--
This message was sent by Atlassian Jira
(v7.13.5#713005)

More information about the jboss-jira mailing list