[jboss-user] [Security & JAAS/JBoss] - Problem turning on security manager with JBoss 4.0.4
osganian
do-not-reply at jboss.com
Thu Sep 25 20:33:44 EDT 2008
I'm running JBoss with the following system props turned on:
| -Djboss.home.dir=%JBOSS_HOME% -Djboss.server.home.dir=%JBOSS_HOME%/server/default -Djava.security.manager -Djava.security.policy=%JBOSS_HOME%/server/default/conf/security/server.policy
|
My server.policy file looks like:
| /** Java 2 Access Control Policy for the Application **/
|
| // The Java2 security policy for the securitymgr tests
| // Install with -Djava.security.policy==server.policy
| // and -Djboss.home.dir=path_to_jboss_distribution
| // and -Djboss.server.home.dir=path_to_jboss_server_home
|
| // Trusted core Java code
| grant codeBase "file:${java.home}/lib/ext/-" {
|     permission java.security.AllPermission;
| };
|
| grant codeBase "file:${java.home}/lib/*" {
|     permission java.security.AllPermission;
| };
|
| // For java.home pointing to the JDK jre directory
| grant codeBase "file:${java.home}/../lib/*" {
|     permission java.security.AllPermission;
| };
|
| // Trusted core JBoss code
| grant codeBase "file:${jboss.home.dir}/bin/-" {
|     permission java.security.AllPermission;
| };
|
| grant codeBase "file:${jboss.home.dir}/lib/-" {
|     permission java.security.AllPermission;
| };
|
| grant codeBase "file:${jboss.server.home.dir}/lib/-" {
|     permission java.security.AllPermission;
| };
|
| grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
|     permission java.security.AllPermission;
| };
|
| grant codeBase "file:${jboss.server.home.dir}/work/-" {
|     permission java.security.AllPermission;
| };
|
| // Minimal permissions are allowed to everyone to run the system.
| grant {
|     // Permissions I had to add for everything to work.
|     permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
|     permission java.io.SerializablePermission "enableSubstitution";
|     permission java.io.SerializablePermission "enableSubclassImplementation";
|     permission java.lang.RuntimePermission "accessClassInPackage.*";
|     permission java.lang.RuntimePermission "defineClassInPackage.*";
|     permission java.lang.RuntimePermission "accessDeclaredMembers";
|     permission java.lang.RuntimePermission "createClassLoader";
|     permission java.lang.RuntimePermission "getClassLoader";
|     permission java.lang.RuntimePermission "getProtectionDomain";
|     permission java.lang.RuntimePermission "getStackTrace";
|     permission java.lang.RuntimePermission "preferences";
|     permission java.lang.RuntimePermission "queuePrintJob";
|     permission java.lang.RuntimePermission "reflectionFactoryAccess";
|     permission java.lang.RuntimePermission "readFileDescriptor";
|     permission java.lang.RuntimePermission "writeFileDescriptor";
|     permission java.lang.RuntimePermission "setContextClassLoader";
|     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
|     permission java.net.SocketPermission "*", "connect";
|     permission java.security.SecurityPermission "getPolicy";
|     permission java.util.PropertyPermission "*", "read,write";
|     permission java.util.logging.LoggingPermission "control", "";
|
|     permission javax.security.auth.AuthPermission "createLoginContext.*";
|     permission javax.security.auth.AuthPermission "doAs";
|     permission javax.security.auth.AuthPermission "doAsPrivileged";
|     permission javax.security.auth.AuthPermission "getSubject";
|     permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner";
|     permission javax.security.auth.AuthPermission "getLoginConfiguration";
|     permission javax.security.auth.AuthPermission "getPolicy";
|
|     // JBoss permissions
|     permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.*";
|     permission javax.management.MBeanServerPermission "findMBeanServer";
|     permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
| };
|
| // Special permissions based on principal.
| grant principal org.jboss.security.SimplePrincipal "test" {
|     permission javax.security.auth.AuthPermission "testPerm";
| };
|
| grant principal org.jboss.security.SimpleGroup "Roles" {
|     permission javax.security.auth.AuthPermission "rolePerm";
| };
|
JBoss starts up fine and everything seems to work until I try and see if I have the "testPerm" permission. I log in as user test and I have a simple JSP page that does:
| <%
|     boolean ok = false;
|
|     javax.security.auth.Subject subject =
|         (javax.security.auth.Subject) session.getAttribute("subject");
|     if (subject != null) {
|         try {
|             System.err.println("*** 1");
|             final javax.security.auth.AuthPermission perm =
|                 new javax.security.auth.AuthPermission("testPerm");
|             System.err.println("*** 2");
|
|             try {
|                 java.security.PrivilegedExceptionAction action =
|                     new java.security.PrivilegedExceptionAction() {
|                         public Object run() {
|                             System.err.println("*** A");
|                             try {
|                                 java.security.AccessController.checkPermission(perm);
|                                 System.err.println("*** A2");
|
|                                 return Boolean.TRUE;
|                             } catch (Throwable ex) {
|                                 // User doesn't have the required permission.
|                                 System.err.println("*** B");
|                                 ex.printStackTrace();
|                             }
|
|                             return Boolean.FALSE;
|                         }
|                     };
|
|                 System.err.println("*** SUB: " + subject);
|                 ok = ((Boolean)javax.security.auth.Subject.doAsPrivileged(subject, action, null)).booleanValue();
|                 System.err.println("*** OK: " + ok);
|             } catch (java.security.PrivilegedActionException e) {
|                 // User doesn't have the required permission.
|                 System.err.println("*** C");
|                 e.printStackTrace();
|             }
|         } catch (Throwable t) {
|             System.err.println("*** WOW");
|             t.printStackTrace();
|         }
|     }
| %>
|
| <html>
| <body>
| yo <%=ok%>
| </body>
| </html>
|
Printing out the principals in the subject returns:
| *** Principals
| *** Name: test
| *** Class: org.jboss.security.SimplePrincipal
| *** Name: Roles
| *** Class: org.jboss.security.SimpleGroup
|
But I get this exception:
| java.lang.LinkageError: org/jboss/security/SimplePrincipal
| at java.lang.Class.forName0(Native Method)
| at java.lang.Class.forName(Class.java:242)
| at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1403)
| at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1307)
| at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1270)
| at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1211)
| at sun.security.provider.PolicyFile.implies(PolicyFile.java:1166)
| at java.security.ProtectionDomain.implies(ProtectionDomain.java:195)
| at java.security.AccessControlContext.checkPermission(AccessControlContext.java:249)
| at java.security.AccessController.checkPermission(AccessController.java:427)
| at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
| at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
| at java.io.File.exists(File.java:700)
| at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:827)
| ...
|
Does anybody have any idea what I am doing wrong?
Thanks for any help,
Mike
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4178944#4178944
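
An added example, not part of the original post and not JBoss code: the unconditional `grant { ... }` block in the posted policy applies to every protection domain, so this Python script parses the policy syntax and lists the permissions in such blocks that let any code leave the sandbox. The `RISKY` list, the function names and the shortened sample are assumptions made for the illustration.

```python
import re

# Audit list chosen for this example (an assumption, not a complete catalogue).
RISKY = {
    ("java.security.AllPermission", None): "grants everything",
    ("java.lang.RuntimePermission", "createClassLoader"): "can define classes in any domain",
    ("java.lang.RuntimePermission", "setSecurityManager"): "can replace the security manager",
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"): "reflective access to private members",
}
_STRIP = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
_GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;')
_PERM = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?')

def parse_policy(text):
    """Return [(grant_header, [(class, name, actions), ...]), ...]."""
    # Drop comments but keep quoted strings, which may contain // or braces (${...}).
    text = _STRIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    return [(" ".join(h.split()), _PERM.findall(body)) for h, body in _GRANT.findall(text)]

def reason(cls, name, actions):
    """Why a permission is dangerous in the hands of untrusted code, or None."""
    acts = {a.strip() for a in actions.split(",")}
    if cls == "java.io.FilePermission" and name == "<<ALL FILES>>" and acts & {"write", "delete"}:
        return "can modify any file"
    if cls == "java.util.PropertyPermission" and name == "*" and "write" in acts:
        return "can rewrite system properties"
    return RISKY.get((cls, name or None))

def audit(text):
    """Risky permissions in grants with no codeBase, principal or signedBy (all code)."""
    return [(cls, name, why)
            for header, perms in parse_policy(text) if header == ""
            for cls, name, actions in perms
            for why in [reason(cls, name, actions)] if why]

# Constructed sample: a shortened excerpt of the policy posted above.
SAMPLE = '''
grant codeBase "file:${jboss.home.dir}/lib/-" {
    permission java.security.AllPermission;
};
grant {
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.net.SocketPermission "*", "connect";
    permission java.util.PropertyPermission "*", "read,write";
};
grant principal org.jboss.security.SimplePrincipal "test" { permission javax.security.auth.AuthPermission "testPerm"; };
'''
```

`audit(SAMPLE)` reports four entries, all from the bare `grant` block; the `AllPermission` grants scoped to a `codeBase` are not reported because they apply only to code loaded from that location.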