[jboss-jira] [JBoss JIRA] (WFLY-12526) doPrivileged needed for isUserInRole

Darran Lofthouse (Jira) issues at jboss.org
Tue Sep 10 07:38:01 EDT 2019


Darran Lofthouse created WFLY-12526:
---------------------------------------

             Summary: doPrivileged needed for isUserInRole
                 Key: WFLY-12526
                 URL: https://issues.jboss.org/browse/WFLY-12526
             Project: WildFly
          Issue Type: Bug
          Components: Web (Undertow)
            Reporter: Darran Lofthouse
            Assignee: Darran Lofthouse
             Fix For: 18.0.0.Final


Currently experiencing the following error:

{noformat}
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "org.jboss.security.plugins.ClassLoaderLocatorFactory.get")" in code source "(vfs:/content/mydeployment.war/ <no signer certificates>)" of "org.apache.jasper.servlet.JasperLoader@24d700ba")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294) [wildfly-elytron-security-manager-1.10.0.Final.jar:1.10.0.Final]
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191) [wildfly-elytron-security-manager-1.10.0.Final.jar:1.10.0.Final]
	at org.jboss.security.plugins.ClassLoaderLocatorFactory.get(ClassLoaderLocatorFactory.java:51) [picketbox-5.0.3.Final.jar:5.0.3.Final]
	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.initializeModules(JBossAuthorizationContext.java:187) [picketbox-5.0.3.Final.jar:5.0.3.Final]
	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:141) [picketbox-5.0.3.Final.jar:5.0.3.Final]
	at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:438) [picketbox-5.0.3.Final.jar:5.0.3.Final]
	at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115) [picketbox-5.0.3.Final.jar:5.0.3.Final]
	at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasRole(WebAuthorizationHelper.java:201) [picketbox-5.0.3.Final.jar:5.0.3.Final]
	at org.wildfly.extension.undertow.security.JbossAuthorizationManager.isUserInRole(JbossAuthorizationManager.java:99)
	at io.undertow.servlet.spec.HttpServletRequestImpl.isUserInRole(HttpServletRequestImpl.java:337) [undertow-servlet-2.0.26.Final.jar:2.0.26.Final]
	at org.apache.jsp.secured_jsp._jspService(secured_jsp.java:109)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jastow-2.0.7.Final.jar:2.0.7.Final]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:590) [jboss-servlet-api_4.0_spec-2.0.0.CR2.jar:2.0.0.CR2]
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433) [jastow-2.0.7.Final.jar:2.0.7.Final]
	... 51 more
{noformat}

The reason I believe this requires a doPrivileged is that the permission required is entirely internal to our implementation of isUserInRole. Whilst the deployment can trigger this call, the deployment cannot influence how this is implemented, so the deployment's ProtectionDomain should not require the permissions needed for our internal class loading, so a doPrivileged call will drop the deployment's ProtectionDomain from the stack.



--
This message was sent by Atlassian Jira
(v7.13.5#713005)
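
The stack-inspection behaviour described in the report, as an added example that is not part of the original message or WildFly's code: an unwrapped internal permission check fails when a permissionless domain is on the stack, and the same check succeeds inside `doPrivileged`. Assumptions: a JDK from 8 to 17 (where `AccessController` still enforces checks), a class name `DoPrivilegedDemo` and method names that are hypothetical, and the deployment's `ProtectionDomain` simulated through an `AccessControlContext` rather than a separately loaded class.

```java
import java.security.*;
import java.security.cert.Certificate;

public class DoPrivilegedDemo {
    // Permission name taken from the stack trace in the report.
    static final Permission INTERNAL = new RuntimePermission(
        "org.jboss.security.plugins.ClassLoaderLocatorFactory.get");

    // Hypothetical stand-in for the container's internal class-loader lookup.
    static void internalLookup() {
        AccessController.checkPermission(INTERNAL);
    }

    // Unwrapped: every ProtectionDomain on the stack must hold INTERNAL.
    static boolean isUserInRoleUnwrapped() {
        internalLookup();
        return true;
    }

    // Wrapped: stack inspection stops at this frame, so only the
    // container's own domain is checked.
    static boolean isUserInRoleWrapped() {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            internalLookup();
            return true;
        });
    }

    public static void main(String[] args) {
        // Assumption: this class plays the container and is granted everything.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        // Constructed: a domain with no permissions, standing in for the deployment.
        ProtectionDomain deployment = new ProtectionDomain(
            new CodeSource(null, (Certificate[]) null), new Permissions());
        AccessControlContext asDeployment =
            new AccessControlContext(new ProtectionDomain[] { deployment });

        // Run both variants with the deployment's domain in the access context.
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            try {
                isUserInRoleUnwrapped();
                System.out.println("unwrapped: allowed");
            } catch (AccessControlException e) {
                System.out.println("unwrapped: denied");
            }
            System.out.println("wrapped: " + isUserInRoleWrapped());
            return null;
        }, asDeployment);
    }
}
```

The privileged block is kept to the internal lookup only, so no deployment-controlled code or input runs with the container's permissions.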