[jboss-jira] [JBoss JIRA] (WFCORE-4805) WildFly Security Manager does not act for javaagents

Boris Unckel (Jira) issues at jboss.org
Thu Mar 5 15:52:24 EST 2020


    [ https://issues.redhat.com/browse/WFCORE-4805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13990586#comment-13990586 ] 

Boris Unckel commented on WFCORE-4805:
--------------------------------------

I have backported the JBoss Module Loader javaagent feature. It did not work for both InspectIt and AppDyn because both use their own proprietary way (separate threads with homegrown classloaders) to load themselves. This part can be solved by the conventional JSM policy file. 

The generated code to measure code execution, follow transactions, ... is the problem. They use bytecode modification causing parts of the run code to be without valid codesource (location is null). Therefore you can't assign any permission by configuration.

> WildFly Security Manager does not act for javaagents
> ----------------------------------------------------
>
>                 Key: WFCORE-4805
>                 URL: https://issues.redhat.com/browse/WFCORE-4805
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Boris Unckel
>            Assignee: Darran Lofthouse
>            Priority: Major
>
> The WildFly Core Security Manager cares for modules and deployed artifacts. It offers a JavaEE 7 compliant solution to permissions.xml in META-INF of EARs/WARs.
> Unfortunately it does not take care of javaagents, specified in
> https://docs.oracle.com/javase/8/docs/api/java/lang/instrument/package-summary.html
> OpenSource:
> https://inspectit.github.io/inspectit-ocelot/docs/getting-started/quick-start
> java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "setContextClassLoader")" in code source "(file:/opt/inspectit/inspectit-ocelot-agent-0.6.jar <no signer certificates>)" of "sun.misc.Launcher$AppClassLoader@18b4aac2")
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:295)
> 	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:192)
> 	at java.lang.Thread.setContextClassLoader(Thread.java:1474)
> 	at rocks.inspectit.ocelot.bootstrap.AgentManager.startOrReplaceInspectitCore(AgentManager.java:49)
> 	at rocks.inspectit.ocelot.agent.AgentMain.startAgent(AgentMain.java:78)
> 	at rocks.inspectit.ocelot.agent.AgentMain.lambda$premain$0(AgentMain.java:67)
> 	at java.lang.Thread.run(Thread.java:748)
> The specified JARs need AllPermission Config in the same way as container modules.
> Other Examples for JavaAgents - closed source:
> https://docs.appdynamics.com/display/PRO45/Java+Agent
> https://docs.appdynamics.com/display/PRO45/JBoss+and+Wildfly+Startup+Settings
> https://docs.appdynamics.com/display/PRO45/Java+Security+Manager+Configuration



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
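
Added example (not part of the original message, and not WildFly, inspectIT or AppDynamics code): a Java 8 sketch of why a conventional codeBase grant covers classes loaded from the agent jar but not generated code whose code source location is null. The class name NullCodeSourceDemo, the helper granted() and the temporary policy file are assumptions made for illustration; the jar path is the one shown in the stack trace above.

```java
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

public class NullCodeSourceDemo {
    // Agent jar location as it appears in the stack trace of the issue.
    static final String AGENT_JAR = "file:/opt/inspectit/inspectit-ocelot-agent-0.6.jar";

    /** Asks the policy whether code with this location (may be null) holds the permission. */
    static boolean granted(Policy policy, URL location, Permission permission) {
        CodeSource cs = new CodeSource(location, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null, null, null);
        return policy.implies(pd, permission);
    }

    public static void main(String[] args) throws Exception {
        // Constructed policy file: the conventional codeBase grant for the agent jar.
        Path file = Files.createTempFile("agent", ".policy");
        String grant = "grant codeBase \"" + AGENT_JAR + "\" {\n"
                + "    permission java.security.AllPermission;\n"
                + "};\n";
        Files.write(file, grant.getBytes(StandardCharsets.UTF_8));

        // Load only this file, so no default java.policy grants interfere.
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
        Permission perm = new RuntimePermission("setContextClassLoader");

        // Classes whose CodeSource location is the agent jar match the grant.
        boolean fromJar = granted(policy, URI.create(AGENT_JAR).toURL(), perm);
        // Classes with a null location cannot match any codeBase entry.
        boolean nullLocation = granted(policy, null, perm);

        System.out.println("agent jar classes granted:     " + fromJar);
        System.out.println("null-location classes granted: " + nullLocation);
        Files.delete(file);
    }
}
```

A grant entry without a codeBase would match null-location code, but it would also match every other class in the JVM.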