[jboss-jira] [JBoss JIRA] (WFLY-12526) doPrivileged needed for isUserInRole

Kabir Khan (Jira) issues at jboss.org
Wed Sep 11 13:30:00 EDT 2019 

    [ https://issues.jboss.org/browse/WFLY-12526?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13783167#comment-13783167 ] 

Kabir Khan commented on WFLY-12526:
-----------------------------------

Thanks!

> doPrivileged needed for isUserInRole
> ------------------------------------
>
>                 Key: WFLY-12526
>                 URL: https://issues.jboss.org/browse/WFLY-12526
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>            Reporter: Darran Lofthouse
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>             Fix For: 18.0.0.Final
>
>
> Currently experiencing the following error: -
> {noformat}
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "org.jboss.security.plugins.ClassLoaderLocatorFactory.get")" in code source "(vfs:/content/mydeployment.war/ <no signer certificates>)" of "org.apache.jasper.servlet.JasperLoader at 24d700ba")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294) [wildfly-elytron-security-manager-1.10.0.Final.jar:1.10.0.Final]
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191) [wildfly-elytron-security-manager-1.10.0.Final.jar:1.10.0.Final]
> 	at org.jboss.security.plugins.ClassLoaderLocatorFactory.get(ClassLoaderLocatorFactory.java:51) [picketbox-5.0.3.Final.jar:5.0.3.Final]
> 	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.initializeModules(JBossAuthorizationContext.java:187) [picketbox-5.0.3.Final.jar:5.0.3.Final]
> 	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:141) [picketbox-5.0.3.Final.jar:5.0.3.Final]
> 	at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:438) [picketbox-5.0.3.Final.jar:5.0.3.Final]
> 	at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115) [picketbox-5.0.3.Final.jar:5.0.3.Final]
> 	at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasRole(WebAuthorizationHelper.java:201) [picketbox-5.0.3.Final.jar:5.0.3.Final]
> 	at org.wildfly.extension.undertow.security.JbossAuthorizationManager.isUserInRole(JbossAuthorizationManager.java:99)
> 	at io.undertow.servlet.spec.HttpServletRequestImpl.isUserInRole(HttpServletRequestImpl.java:337) [undertow-servlet-2.0.26.Final.jar:2.0.26.Final]
> 	at org.apache.jsp.secured_jsp._jspService(secured_jsp.java:109)
> 	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jastow-2.0.7.Final.jar:2.0.7.Final]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:590) [jboss-servlet-api_4.0_spec-2.0.0.CR2.jar:2.0.0.CR2]
> 	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:433) [jastow-2.0.7.Final.jar:2.0.7.Final]
> 	... 51 more
> {noformat}
> The reason I believe this requires a doPrivileged is the permission required is entirely internal to our implementation of isUserInRole - whilst the deployment can trigger this call the deployment can not influence how this is implemented so the deployment's ProtectionDomain should not require the permissions needed for our internal class loading so a doPrivileged call will drop the deployment's ProtectionDomain from the stack.



--
This message was sent by Atlassian Jira
(v7.13.5#713005)

More information about the jboss-jira mailing list