WildFly / WFLY-13392

WFSM000001: Permission check failed ... FilePermission when Security Manager enabled and Web App tries to forward to jsp


      Deploy the war
      Hit: http://localhost:8080/JBEAP-19256/Servlet
      expected:

      This is the Forward Servlet doPost for /forward
      
      remoteHost: 127.0.0.1
      queryString: null
      servletPath: /forward
      getRequestURL: http://localhost:8080/JBEAP-19256/forward
      

      Hit: http://localhost:8080/JBEAP-19256/Servlet?forward=forward.jsp
      expected:

      This is the Forward Servlet doPost for /forward
      

      Enable security manager:

      • in bin/standalone.conf, uncomment SECMGR="true"
      • add to standalone.xml:
                <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
                    <deployment-permissions>
                        <minimum-set>
                            <permission class="java.io.FilePermission" name="${jboss.server.temp.dir}/-" actions="read"/>
                            <permission class="java.util.PropertyPermission" name="*" actions="read"/>
                        </minimum-set>
                        <maximum-set>
                            <permission class="java.security.AllPermission"/>
                        </maximum-set>
                    </deployment-permissions>
                </subsystem>
        

      Hit: http://localhost:8080/JBEAP-19256/Servlet
      expected:

      This is the Forward Servlet doPost for /forward
      
      remoteHost: 127.0.0.1
      queryString: null
      servletPath: /forward
      getRequestURL: http://localhost:8080/JBEAP-19256/forward
      

      Hit: http://localhost:8080/JBEAP-19256/Servlet?forward=forward.jsp
      expected:

      This is the Forward Servlet doPost for /forward
      

      When the security manager is enabled and a Servlet tries to use the RequestDispatcher to forward to a jsp, it fails silently even when the security manager permission for the VFS directory is granted.

      It looks like it may be running under the wrong security context when the security manager is invoked.

      2020-04-16 14:46:55,390 DEBUG [io.undertow.request] (default task-1) Invalid path forward.jsp: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/jboss/jboss-eap-7.2/standalone/tmp" "read")" in code source "(vfs:/content/JBEAP-19256.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.JBEAP-19256.war" from Service Module Loader")
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:307)
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:204)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
        at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:372)
        at sun.nio.fs.UnixPath.checkRead(UnixPath.java:795)
        at sun.nio.fs.UnixFileAttributeViews$Basic.readAttributes(UnixFileAttributeViews.java:49)
        at sun.nio.fs.UnixFileSystemProvider.readAttributes(UnixFileSystemProvider.java:144)
        at java.nio.file.Files.readAttributes(Files.java:1737)
        at java.nio.file.Files.isSymbolicLink(Files.java:2153)
        at io.undertow.server.handlers.resource.PathResourceManager.getSymlinkBase(PathResourceManager.java:309)
        at io.undertow.server.handlers.resource.PathResourceManager.getResource(PathResourceManager.java:218)
        at org.wildfly.extension.undertow.deployment.ServletResourceManager.getResource(ServletResourceManager.java:74)
        at io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:114)
        at io.undertow.server.handlers.resource.CachingResourceManager.getResource(CachingResourceManager.java:32)
        at io.undertow.servlet.handlers.ServletPathMatches.getServletHandlerByPath(ServletPathMatches.java:96)
        at io.undertow.servlet.spec.RequestDispatcherImpl.<init>(RequestDispatcherImpl.java:74)
        at io.undertow.servlet.spec.ServletContextImpl.getRequestDispatcher(ServletContextImpl.java:334)
        at com.redhat.examples.servlet.Servlet.doPost(Servlet.java:51)
        at com.redhat.examples.servlet.Servlet.doGet(Servlet.java:40)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1504)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78)
        at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:105)
        at java.security.AccessController.doPrivileged(Native Method)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:102)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
        at java.lang.Thread.run(Thread.java:748)
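
An added example (not from the report or the WildFly code base) that rebuilds the denied permission from the WFSM000001 line above and tests it against the configured minimum-set with the JDK's own `implies` logic. A `FilePermission` name ending in `/-` covers everything beneath the directory recursively but not the directory entry itself, which is the path named in the logged check. `TEMP_DIR` as the expansion of `${jboss.server.temp.dir}` and the sample file name below it are assumptions.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WfsmPermissionCheck {
    // Assumption: ${jboss.server.temp.dir} resolves to the path shown in the log line.
    static final String TEMP_DIR = "/home/jboss/jboss-eap-7.2/standalone/tmp";

    // Matches the triple in a WFSM000001 message: permission "("<class>" "<name>" "<actions>")"
    static final Pattern DENIED = Pattern.compile(
        "WFSM000001: .*?permission \"\\(\"([^\"]+)\" \"([^\"]+)\" \"([^\"]+)\"\\)\"");

    /** The minimum-set from the standalone.xml fragment, with the property expanded. */
    static Permissions minimumSet() {
        Permissions p = new Permissions();
        p.add(new FilePermission(TEMP_DIR + "/-", "read"));
        p.add(new PropertyPermission("*", "read"));
        return p;
    }

    /** Rebuilds the denied permission from a log line; only FilePermission is handled. */
    static Permission parseDenied(String logLine) {
        Matcher m = DENIED.matcher(logLine);
        if (!m.find() || !"java.io.FilePermission".equals(m.group(1))) {
            throw new IllegalArgumentException("no FilePermission denial in line");
        }
        return new FilePermission(m.group(2), m.group(3));
    }

    public static void main(String[] args) {
        // Shortened copy of the DEBUG line from the report (code source part cut).
        String line = "DEBUG [io.undertow.request] (default task-1) Invalid path forward.jsp: "
            + "java.security.AccessControlException: WFSM000001: Permission check failed "
            + "(permission \"(\"java.io.FilePermission\" \"" + TEMP_DIR + "\" \"read\")\"";
        Permissions granted = minimumSet();
        Permission denied = parseDenied(line);
        System.out.println("denied permission : " + denied);
        System.out.println("implied by grant  : " + granted.implies(denied));
        // Compare a constructed file below the directory with the directory itself.
        for (String name : new String[] {TEMP_DIR + "/vfs/temp/x.jsp", TEMP_DIR}) {
            System.out.println(name + " -> " + granted.implies(new FilePermission(name, "read")));
        }
    }
}
```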
      

            rhn-engineering-lgao Lin Gao