[jboss-jira] [JBoss JIRA] (WFLY-12530) doPrivileged is needed for JASPICSecurityContext AuthConfigFactory access.

Darran Lofthouse (Jira) issues at jboss.org
Tue Sep 10 11:23:02 EDT 2019 

     [ https://issues.jboss.org/browse/WFLY-12530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated WFLY-12530:
------------------------------------
    Summary: doPrivileged is needed for JASPICSecurityContext AuthConfigFactory access.  (was: doPrivileged is needed for JASPIC logout)


> doPrivileged is needed for JASPICSecurityContext AuthConfigFactory access.
> --------------------------------------------------------------------------
>
>                 Key: WFLY-12530
>                 URL: https://issues.jboss.org/browse/WFLY-12530
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Critical
>             Fix For: 18.0.0.Final
>
>
> A doPrivileged is required for the following error: -
> {noformat}
> Permission check failed (permission "("java.security.SecurityPermission" "getProperty.authconfigprovider.factory")" in code source "(vfs:/content/some_deployment.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "somedeployment.war" from Service Module Loader")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
> 	at javax.security.auth.message.config.AuthConfigFactory.checkPermission(AuthConfigFactory.java:166)
> 	at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:201)
> 	at org.wildfly.extension.undertow.security.jaspi.JASPICSecurityContext.logout(JASPICSecurityContext.java:114)
> 	at io.undertow.servlet.spec.HttpServletRequestImpl.logout(HttpServletRequestImpl.java:505)
> {noformat}
> The deployment is invoking a standard servlet API however it's ProtectionDomain is being taken into account for the inner details of implementation.
> A deployment could require these permissions if interacting with the JASPI APIs directly however it should not require these permissions to interact with the Servlet APIs and the JASPI interaction becomes an implementation detail.



--
This message was sent by Atlassian Jira
(v7.13.5#713005)

More information about the jboss-jira mailing list