Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-9464

Some XACML tests fail with security manager

XMLWordPrintable

    • Hide

      cd wildfly/testsuite/integration/basic
      mvn clean test -Dtest=EjbXACMLAuthorizationModuleTestCase,JBossPDPInteroperabilityTestCase,JBossPDPServletInitializationTestCase,WebXACMLAuthorizationModuleTestCase -Dsecurity.manager

      Show
      cd wildfly/testsuite/integration/basic mvn clean test -Dtest=EjbXACMLAuthorizationModuleTestCase,JBossPDPInteroperabilityTestCase,JBossPDPServletInitializationTestCase,WebXACMLAuthorizationModuleTestCase -Dsecurity.manager

      Some XACML tests fail with security manager, mostly because of missing permission "("java.io.FilePermission" "/home/okotek/git/wildfly/dist/target/wildfly-11.0.0.Final-SNAPSHOT/modules/system/layers/base/com/sun/xml/bind/main/jaxb-runtime-2.2.11.jbossorg-1.jar" "read")":

      ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /custom-xacml-web-test/secured: java.lang.ExceptionInInitializerError
      	at org.jboss.as.test.integration.security.xacml.CustomXACMLAuthorizationModule.<init>(CustomXACMLAuthorizationModule.java:68)
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
      	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
      	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
      	at java.lang.Class.newInstance(Class.java:442)
      	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.instantiateModule(JBossAuthorizationContext.java:329)
      	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.initializeModules(JBossAuthorizationContext.java:205)
      	at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:141)
      	at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:438)
      	at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115)
      	at org.jboss.security.plugins.javaee.WebAuthorizationHelper.checkResourcePermission(WebAuthorizationHelper.java:119)
      	at org.wildfly.extension.undertow.security.JbossAuthorizationManager.canAccessResource(JbossAuthorizationManager.java:160)
      	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:55)
      	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
      	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
      	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
      	at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
      	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
      	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
      	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
      	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
      	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
      	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:110)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:107)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/okotek/git/wildfly/dist/target/wildfly-11.0.0.Final-SNAPSHOT/modules/system/layers/base/com/sun/xml/bind/main/jaxb-runtime-2.2.11.jbossorg-1.jar" "read")" in code source "(vfs:/content/custom-xacml-web-test.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.custom-xacml-web-test.war" from Service Module Loader")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
      	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:350)
      	at java.util.zip.ZipFile.<init>(ZipFile.java:216)
      	at java.util.zip.ZipFile.<init>(ZipFile.java:155)
      	at java.util.jar.JarFile.<init>(JarFile.java:166)
      	at java.util.jar.JarFile.<init>(JarFile.java:103)
      	at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
      	at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
      	at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:84)
      	at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
      	at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
      	at java.net.URL.openStream(URL.java:1045)
      	at javax.xml.bind.ContextFinder.find(ContextFinder.java:292)
      	at javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:412)
      	at javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:375)
      	at org.jboss.security.xacml.core.JBossPDP.<clinit>(JBossPDP.java:126)
      	... 55 more
      

      Looks like a privileged block is missing. Hence Critical.

      After adding such permission, there are another permissions missing:

      • WebXACMLAuthorizationModuleTestCaseRuntimePermission("accessDeclaredMembers"), ReflectPermission("suppressAccessChecks"), RuntimePermission("getClassLoader")
      • JBossPDPServletInitializationTestCaseRuntimePermission("accessDeclaredMembers")
      • JBossPDPInteroperabilityTestCase – additional file permissions, RuntimePermission("accessDeclaredMembers"), RuntimePermission("getClassLoader"), ReflectPermission("suppressAccessChecks"), PropertyPermission("user.dir", "read")
      • EjbXACMLAuthorizationModuleTestCaseRuntimePermission("accessDeclaredMembers"), RuntimePermission("getClassLoader"), ReflectPermission("suppressAccessChecks"), ElytronPermission("getSecurityDomain")

            yborgess1@redhat.com Yeray Borges Santana
            okotek@redhat.com Ondrej Kotek
            Ondrej Kotek Ondrej Kotek
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: