JBoss Enterprise Application Platform: JBEAP-12262

Permission check failed for RemotingPermission "createEndpoint" even if it is granted


Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Critical
    • Version: 7.1.0.ER2
    • Component: Security

Steps to Reproduce

      1) Add user:

      ./add-user.sh -u admin -p pass@123 -s
      

      2) set up the http-interface:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      3) set up the authentication-client:

      <authentication-client>
          <authentication-configuration name="authConfig" authentication-name="admin" host="localhost" protocol="remote+http" port="9990">
              <credential-reference clear-text="pass@123"/>
          </authentication-configuration>
          <authentication-context name="authCtx">
              <match-rule authentication-configuration="authConfig"/>
          </authentication-context>
      </authentication-client>
      

      4) set authCtx as the default-authentication-context:

      <subsystem xmlns="urn:wildfly:elytron:1.0" default-authentication-context="authCtx" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
      

      5) Deploy the testing application (see attachments)

      6) start application server without security manager (use ./standalone.sh -secmgr) and access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 - it prints admin

      7) start application server with security manager and access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 - it fails with:

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.remoting3.security.RemotingPermission" "createEndpoint")" in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.direct-call-dep.war" from Service Module Loader")
      

      8) grant this permission to the deployment in META-INF/permissions.xml (uncomment the given permission), redeploy, and access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 again - it still fails with the same exception

      9) grant AllPermission to the deployment (uncomment the given permission), redeploy, and access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 again - it works, admin is printed
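The two grants that steps 8 and 9 toggle, written out as an added example of a META-INF/permissions.xml for direct-call-dep.war (constructed here, not the file from the attached test application): the narrow RemotingPermission entry that the report says is still rejected, and the AllPermission workaround left commented out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example of META-INF/permissions.xml for the direct-call-dep.war
     deployment; not the attachment from the issue. -->
<permissions xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                 http://xmlns.jcp.org/xml/ns/javaee/permissions_7.xsd"
             version="7">

    <!-- Step 8: the least-privilege grant. Class name and target match the
         permission quoted in the WFSM000001 message exactly, yet the report
         says the check still fails with this entry in place. -->
    <permission>
        <class-name>org.jboss.remoting3.security.RemotingPermission</class-name>
        <name>createEndpoint</name>
    </permission>

    <!-- Step 9: the workaround that makes the call succeed. Left commented out
         because AllPermission switches off every security manager check for
         this deployment's code, not only the createEndpoint check. -->
    <!--
    <permission>
        <class-name>java.security.AllPermission</class-name>
    </permission>
    -->
</permissions>
```

When comparing the two runs, the only difference in the deployment is which of these two elements is uncommented; everything else (server configuration, -secmgr, the servlet) stays the same.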


    Description

      When a deployment that needs RemotingPermission "createEndpoint" is granted "org.jboss.remoting3.security.RemotingPermission" "createEndpoint" in META-INF/permissions.xml, it still fails with:

      java.io.IOException: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.remoting3.security.RemotingPermission" "createEndpoint")" in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.direct-call-dep.war" from Service Module Loader")
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:149)
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:75)
      	at com.redhat.eap.qe.elytron.authnctx.DirectCallServlet.doGet(DirectCallServlet.java:84)
      	... 42 more
      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.remoting3.security.RemotingPermission" "createEndpoint")" in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.direct-call-dep.war" from Service Module Loader")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
      	at org.jboss.remoting3.EndpointBuilder.build(EndpointBuilder.java:90)
      	at org.jboss.as.controller.client.impl.RemotingModelControllerClient.getOrCreateChannel(RemotingModelControllerClient.java:128)
      	at org.jboss.as.controller.client.impl.RemotingModelControllerClient$1.getChannel(RemotingModelControllerClient.java:60)
      	at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:135)
      	at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:110)
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:263)
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:168)
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:147)
      	... 44 more
      

      When java.security.AllPermission is granted to the deployment (instead of RemotingPermission "createEndpoint"), it works fine. See 'Steps to Reproduce' for more details.

      People

        Assignee: Unassigned
        Reporter: Ondrej Lukas (olukas)