[jboss-jira] [JBoss JIRA] (WFCORE-4805) WildFly Security Manager does not act for javaagents
Boris Unckel (Jira)
issues at jboss.org
Thu Mar 5 15:18:52 EST 2020
[ https://issues.redhat.com/browse/WFCORE-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13990553#comment-13990553 ]
Boris Unckel commented on WFCORE-4805:
--------------------------------------
The solution is easy for initial setup: One has to conventionally configure the JRE with -Djava.security.policy=/pathToPolicy/security.policy
Afterwards it's still hard: The instrumentation of the javaAgents causes code without proper codeSource. I have written a dirty workaround - code with CodeSource.getLocation == null && classloader.contains("com.singularity") will not throw a security exception.
I would be happy to get other suggestions - [~dmlloyd] ?
> WildFly Security Manager does not act for javaagents
> ----------------------------------------------------
>
> Key: WFCORE-4805
> URL: https://issues.redhat.com/browse/WFCORE-4805
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Boris Unckel
> Assignee: Darran Lofthouse
> Priority: Major
>
> The WildFly Core Security Manager cares for modules and deployed artifacts. It offers a JavaEE 7 compliant solution to permissions.xml in META-INF of EARs/WARs.
> Unfortunately it does not take care of javaagents, specified in
> https://docs.oracle.com/javase/8/docs/api/java/lang/instrument/package-summary.html
> OpenSource:
> https://inspectit.github.io/inspectit-ocelot/docs/getting-started/quick-start
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "setContextClassLoader")" in code source "(file:/opt/inspectit/inspectit-ocelot-agent-0.6.jar <no signer certificates>)" of "sun.misc.Launcher$AppClassLoader@18b4aac2")
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
> at java.lang.Thread.setContextClassLoader(Thread.java:1474)
> at rocks.inspectit.ocelot.bootstrap.AgentManager.startOrReplaceInspectitCore(AgentManager.java:49)
> at rocks.inspectit.ocelot.agent.AgentMain.startAgent(AgentMain.java:78)
> at rocks.inspectit.ocelot.agent.AgentMain.lambda$premain$0(AgentMain.java:67)
> at java.lang.Thread.run(Thread.java:748)
> The specified JARs need AllPermission Config in the same way as container modules.
> Other Examples for JavaAgents - closed source:
> https://docs.appdynamics.com/display/PRO45/Java+Agent
> https://docs.appdynamics.com/display/PRO45/JBoss+and+Wildfly+Startup+Settings
> https://docs.appdynamics.com/display/PRO45/Java+Security+Manager+Configuration
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
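
For the second problem described in the comment above (instrumented code without a usable code source), a small diagnostic, added here and not taken from the post, WildFly or any agent: it prints the CodeSource location of each named class, which is what a "grant codeBase" entry in the file passed via -Djava.security.policy is matched against. CodeSourceReport is a hypothetical name, and the matching rule in the output assumes the JDK's default policy-file provider.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Added diagnostic (hypothetical class name); not WildFly, inspectIT or AppDynamics code.
public class CodeSourceReport {

    // Describes a class the way a policy file sees it: by CodeSource location.
    static String describe(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();          // null for bootstrap classes
        URL location = (cs == null) ? null : cs.getLocation();
        ClassLoader cl = c.getClassLoader();
        String loader = (cl == null) ? "<bootstrap>" : cl.getClass().getName();
        // Assumption: default policy provider, which matches grants on location.
        String verdict = (location == null)
                ? "no location, so no 'grant codeBase' entry can match it"
                : "matchable with: grant codeBase \"" + location + "\"";
        return c.getName() + "\n  loader: " + loader + "\n  policy: " + verdict;
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Pass class names taken from a WFSM000001 stack trace; with no
        // arguments, report on this class and on a bootstrap class.
        if (args.length == 0) {
            System.out.println(describe(CodeSourceReport.class));
            System.out.println(describe(String.class));
            return;
        }
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        for (String name : args) {
            // initialize=false: load the class without running its static initializers
            System.out.println(describe(Class.forName(name, false, tccl)));
        }
    }
}
```

Classes that report a location can be given a narrowly scoped codeBase grant; classes that report none are the ones the workaround in the comment special-cases. Under an active security manager the caller needs RuntimePermission "getProtectionDomain".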