[jboss-jira] [JBoss JIRA] (WFLY-12530) doPrivileged is needed for JASPIC logout

Darran Lofthouse (Jira) issues at jboss.org
Tue Sep 10 10:38:00 EDT 2019


Darran Lofthouse created WFLY-12530:
---------------------------------------

             Summary: doPrivileged is needed for JASPIC logout
                 Key: WFLY-12530
                 URL: https://issues.jboss.org/browse/WFLY-12530
             Project: WildFly
          Issue Type: Bug
          Components: Web (Undertow)
            Reporter: Darran Lofthouse
            Assignee: Darran Lofthouse
             Fix For: 18.0.0.Final


A doPrivileged is required for the following error: -

{noformat}
Permission check failed (permission "("java.security.SecurityPermission" "getProperty.authconfigprovider.factory")" in code source "(vfs:/content/some_deployment.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "somedeployment.war" from Service Module Loader")
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
	at javax.security.auth.message.config.AuthConfigFactory.checkPermission(AuthConfigFactory.java:166)
	at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:201)
	at org.wildfly.extension.undertow.security.jaspi.JASPICSecurityContext.logout(JASPICSecurityContext.java:114)
	at io.undertow.servlet.spec.HttpServletRequestImpl.logout(HttpServletRequestImpl.java:505)
{noformat}

The deployment is invoking a standard servlet API; however, its ProtectionDomain is being taken into account for the inner details of implementation.

A deployment could require these permissions if interacting with the JASPI APIs directly; however, it should not require these permissions to interact with the Servlet APIs, and the JASPI interaction becomes an implementation detail.




--
This message was sent by Atlassian Jira
(v7.13.5#713005)
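
The pattern the report asks for, as an added example that is not part of the original message and is not WildFly's code. The class and method names are hypothetical, and `Security.getProperty` is used as a JDK-only stand-in for the `AuthConfigFactory.getFactory()` call because it is guarded by the same `getProperty.authconfigprovider.factory` permission that appears in the trace.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;

// Added illustration only: hypothetical container-side helper, not WildFly source.
public final class ContainerPrivilegedLookup {

    // Constant chosen by container code, never supplied by the deployment.
    // Security.getProperty(key) checks SecurityPermission("getProperty." + key),
    // i.e. "getProperty.authconfigprovider.factory" for this key.
    private static final String FACTORY_PROPERTY = "authconfigprovider.factory";

    private ContainerPrivilegedLookup() {
    }

    // The failing shape: when a deployment calls a servlet API that ends up
    // here, the permission check walks the whole stack and the deployment's
    // ProtectionDomain must hold the SecurityPermission as well.
    static String lookupWithCallerDomains() {
        return Security.getProperty(FACTORY_PROPERTY);
    }

    // The requested shape: doPrivileged stops the stack walk at this frame,
    // so only this class's ProtectionDomain is consulted. The privileged
    // action is kept to a single call on a fixed key so that callers cannot
    // steer what runs with the container's permissions.
    static String lookupAsContainer() {
        if (System.getSecurityManager() == null) {
            // No security manager installed: nothing to assert privileges for.
            return Security.getProperty(FACTORY_PROPERTY);
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> Security.getProperty(FACTORY_PROPERTY));
    }

    public static void main(String[] args) {
        // Prints null unless the property is set in the java.security file.
        System.out.println("authconfigprovider.factory = " + lookupAsContainer());
    }
}
```

`AccessController` and `System.getSecurityManager()` are deprecated for removal in recent JDKs, so this compiles with deprecation warnings there.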

