[jboss-jira] [JBoss JIRA] (ELY-1877) An EJB is able to get WildFlySecurityManager's classLoader and contextClassLoader without authorization when secman is on
Ivan Straka (Jira)
issues at jboss.org
Tue Sep 10 12:14:00 EDT 2019
Ivan Straka created ELY-1877:
--------------------------------
Summary: An EJB is able to get WildFlySecurityManager's classLoader and contextClassLoader without authorization when secman is on
Key: ELY-1877
URL: https://issues.jboss.org/browse/ELY-1877
Project: WildFly Elytron
Issue Type: Bug
Components: Security Manager
Affects Versions: 1.10.0.CR6
Reporter: Ivan Straka
I have reported WFLY-12529 recently which fails only on JDK11 (with secman). The problem is that the called bean lacks any permissions. However the test passes on JDK8 which has caught my eye.
Here is what I have found after some time of debugging.
If WildFlySecurityManager is used and the bean tries to get contextCL the SM will get [here|https://github.com/wildfly-security/wildfly-elytron/blob/1.10.0.CR6/manager/base/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java#L1257] to verify the permissions for the caller class.
However [getCallerClass|https://github.com/wildfly-security/wildfly-elytron/blob/1.10.0.CR6/manager/base/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java#L162] returns a different object on JDK8 and JDK11.
JDK11: org.jboss.as.test.integration.ee.naming.defaultbindings.concurrency.DefaultConcurrencyTestCDIBean
JDK8: org.wildfly.security.manager.WildFlySecurityManager
This means the SM authorizes the request every time because it gets the wrong requester. The root of this problem is in [the initialization|https://github.com/wildfly-security/wildfly-elytron/blob/1.10.0.CR6/manager/base/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java#L137].
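The failure mode described above (a permission check that identifies the wrong caller and therefore passes for everyone) can be reproduced in a few lines. The following is an added, self-contained illustration, not WildFly Elytron code: `ToyManager`, `UntrustedBean` and `checkPermission` are hypothetical stand-ins. The "buggy" lookup reads the stack at a fixed offset and lands on the manager's own frame, so the manager ends up authorizing itself, which matches the JDK8 observation where `getCallerClass` returned `WildFlySecurityManager`; the hardened lookup skips every frame that belongs to the manager before deciding who the requester is.

```java
import java.util.List;
import java.util.stream.Collectors;

// Hypothetical illustration (not WildFly Elytron code) of a security manager
// that identifies its caller by stack position and, when it picks the wrong
// frame, authorizes every request because it mistakes itself for the caller.
public final class CallerCheckDemo {

    /** Toy stand-in for a security manager that authorizes by caller class. */
    static final class ToyManager {
        // RETAIN_CLASS_REFERENCE is required to get Class objects from frames.
        private static final StackWalker WALKER =
            StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE);

        /** Buggy variant: takes the frame at a fixed offset. Frame 0 is this
         *  very method, declared in ToyManager, so the manager's own trusted
         *  class is reported as the requester. */
        Class<?> callerByFixedOffset() {
            List<Class<?>> frames = WALKER.walk(s ->
                s.map(StackWalker.StackFrame::getDeclaringClass)
                 .collect(Collectors.toList()));
            return frames.get(0);
        }

        /** Hardened variant: skips every frame belonging to the manager and
         *  reports the first frame outside it as the requester. */
        Class<?> callerSkippingManager() {
            return WALKER.walk(s ->
                s.map(StackWalker.StackFrame::getDeclaringClass)
                 .filter(c -> c != ToyManager.class)
                 .findFirst()
                 .orElseThrow());
        }

        /** Only the manager itself is trusted in this toy policy. */
        boolean isTrusted(Class<?> c) {
            return c == ToyManager.class;
        }

        /** Returns true when the identified caller is allowed to proceed. */
        boolean checkPermission(boolean useBuggyLookup) {
            Class<?> caller = useBuggyLookup ? callerByFixedOffset()
                                             : callerSkippingManager();
            return isTrusted(caller);
        }
    }

    /** Stand-in for an unprivileged bean asking for a protected resource. */
    static final class UntrustedBean {
        static boolean tryGetContextClassLoader(ToyManager sm, boolean buggy) {
            return sm.checkPermission(buggy);
        }
    }

    public static void main(String[] args) {
        ToyManager sm = new ToyManager();
        // Wrong frame: manager sees itself as the caller and grants access.
        System.out.println("buggy lookup authorizes bean: "
            + UntrustedBean.tryGetContextClassLoader(sm, true));
        // Correct frame: manager sees UntrustedBean and denies access.
        System.out.println("hardened lookup authorizes bean: "
            + UntrustedBean.tryGetContextClassLoader(sm, false));
    }
}
```

Run with `java CallerCheckDemo.java` on JDK 11 or later; the buggy lookup prints `true` and the hardened one `false`. The general lesson for any caller-sensitive check is that the set of frames to skip must be derived from the manager's own classes rather than from a fixed depth, because the depth differs across JDK versions and call paths, which is exactly the kind of divergence the report above observed between JDK8 and JDK11.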
--
This message was sent by Atlassian Jira
(v7.13.5#713005)