  1. JBoss Enterprise Application Platform
  2. JBEAP-12262

Permission check failed for RemotingPermission "createEndpoint" even if it is granted


    • Bug
    • Resolution: Won't Do
    • Critical
    • None
    • 7.1.0.ER2
    • Security
    • None

      1) Add user:

      ./add-user.sh -u admin -p pass@123 -s
      

      2) setup http-interface:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      3) setup authentication-client:

      <authentication-client>
          <authentication-configuration name="authConfig" authentication-name="admin" host="localhost" protocol="remote+http" port="9990">
              <credential-reference clear-text="pass@123"/>
          </authentication-configuration>
          <authentication-context name="authCtx">
              <match-rule authentication-configuration="authConfig"/>
          </authentication-context>
      </authentication-client>
      

      4) setup authCtx as default-authentication-context:

      <subsystem xmlns="urn:wildfly:elytron:1.0" default-authentication-context="authCtx" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
      

      5) Deploy the testing application (see attachments)

      6) start application server without security manager (use ./standalone.sh -secmgr) and access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 - it prints admin

      7) start application server with security manager and access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 - it fails with:

      java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.remoting3.security.RemotingPermission" "createEndpoint")" in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.direct-call-dep.war" from Service Module Loader")
      

      8) grant this permission for deployment in META-INF/permissions.xml (uncomment given permission), redeploy and access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 again - it still fails with the same exception

      9) grant AllPermission in deployment (uncomment given permission), redeploy and access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 again - it works, admin is printed


      When a deployment that needs RemotingPermission "createEndpoint" has been granted "org.jboss.remoting3.security.RemotingPermission" "createEndpoint" in META-INF/permissions.xml, it still fails with:

      java.io.IOException: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.remoting3.security.RemotingPermission" "createEndpoint")" in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.direct-call-dep.war" from Service Module Loader")
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:149)
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:75)
      	at com.redhat.eap.qe.elytron.authnctx.DirectCallServlet.doGet(DirectCallServlet.java:84)
      	... 42 more
      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.jboss.remoting3.security.RemotingPermission" "createEndpoint")" in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.direct-call-dep.war" from Service Module Loader")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
      	at org.jboss.remoting3.EndpointBuilder.build(EndpointBuilder.java:90)
      	at org.jboss.as.controller.client.impl.RemotingModelControllerClient.getOrCreateChannel(RemotingModelControllerClient.java:128)
      	at org.jboss.as.controller.client.impl.RemotingModelControllerClient$1.getChannel(RemotingModelControllerClient.java:60)
      	at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:135)
      	at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:110)
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:263)
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:168)
      	at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:147)
      	... 44 more
      

      When java.security.AllPermission is granted to the deployment (instead of RemotingPermission "createEndpoint"), it works fine. See 'Steps to Reproduce' for more details.
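
      An added triage example, not part of the original report or of the attached test application: it parses the WFSM000001 message quoted above and compares it with a deployment's META-INF/permissions.xml. This separates a missing or mistyped grant from the reported case (grant declared, check still fails) and flags the AllPermission workaround from step 9. The two descriptors are constructed here because the attachment is not on the page, and exact class/name matching is a simplifying assumption that ignores wildcard names and actions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"ee": "http://xmlns.jcp.org/xml/ns/javaee"}
# Denial message as it appears in the report.
DENIAL = ('WFSM000001: Permission check failed (permission '
          '"("org.jboss.remoting3.security.RemotingPermission" "createEndpoint")" '
          'in code source "(vfs:/content/direct-call-dep.war/WEB-INF/classes '
          '<no signer certificates>)" of "ModuleClassLoader for Module '
          '"deployment.direct-call-dep.war" from Service Module Loader")')
# Constructed descriptors: step 8 (narrow grant) and step 9 (AllPermission).
NARROW = """<permissions xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="7">
  <permission>
    <class-name>org.jboss.remoting3.security.RemotingPermission</class-name>
    <name>createEndpoint</name>
  </permission>
</permissions>"""
BROAD = """<permissions xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="7">
  <permission><class-name>java.security.AllPermission</class-name></permission>
</permissions>"""

DENIAL_RE = re.compile(r'WFSM000001: .*?permission "\("([^"]+)" "([^"]*)"'
                       r'(?: "([^"]*)")?\)" in code source "\((\S+)')

def parse_denial(msg):
    """Extract permission class, name, actions and code source from a denial."""
    m = DENIAL_RE.search(msg)
    if m is None:
        return None
    cls, name, actions, source = m.groups()
    return {"class": cls, "name": name, "actions": actions or "", "code_source": source}

def declared(xml_text):
    """Return (class-name, name, actions) for each <permission> entry."""
    def text(node, tag):
        return (node.findtext("ee:" + tag, default="", namespaces=NS) or "").strip()
    root = ET.fromstring(xml_text)
    return [(text(p, "class-name"), text(p, "name"), text(p, "actions"))
            for p in root.findall("ee:permission", NS)]

def triage(msg, xml_text):
    """Classify a denial against the deployment's declared grants (exact match)."""
    denial, grants = parse_denial(msg), declared(xml_text)
    if any(cls == "java.security.AllPermission" for cls, _, _ in grants):
        return "all-permission"       # deployment is no longer restricted at all
    if denial and (denial["class"], denial["name"]) in {(c, n) for c, n, _ in grants}:
        return "declared-but-denied"  # grant is present; not a descriptor omission
    return "not-declared"             # missing entry or a typo in class/name
```

      A result of "all-permission" means the deployment runs without any effective security manager restriction, so it should be treated as a temporary diagnostic setting rather than a fix.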

            Unassigned Unassigned
            olukas Ondrej Lukas (Inactive)