Bug 1067620

Summary: [GSS] (6.3.0) Cannot change application permissions on EAP 6 when the Java Security Manager is enabled
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Derek Horton <dehort>
Component: ServerAssignee: David M. Lloyd <david.lloyd>
Status: CLOSED CURRENTRELEASE QA Contact: Josef Cacek <jcacek>
Severity: urgent Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.2.0CC: bmaxwell, istudens, jason.greene, jcacek, kkhan, olukas
Target Milestone: ER2   
Target Release: EAP 6.3.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An issue with the application of Java Security Manager (JSM) policies was discovered, where deployed applications were granted 'AllPermission' permission, which contradicted the policy file. The root cause of this issue was that JBoss Modules used the same logic for assigning server modules permissions and deployment permissions. The default permission for server modules is 'AllPermission', but the default for deployments should be empty permission set. This issue has now been resolved and deployment permissions can be granted in policy file by using Virtual File System (VFS) URL-based grant entries.
Story Points: ---
Clone Of: 1065994 Environment:
Last Closed: 2014-06-28 15:31:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1065994, 1067622, 1080939    

Description Derek Horton 2014-02-20 18:27:54 UTC
+++ This bug was initially created as a clone of Bug #1065994 +++

Description of problem:

It looks like all deployed applications are granted "AllPermission" and there does not appear to be a way to change this.

Changing the grant statements in the policy file (-Djava.security.policy) doesn't seem to affect the permissions.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Create a war that reads a file from the file system
2.  Configure JBoss to use the java security manager
3.  Hit the web application

Actual results:
The web application can access files on the file system.

Expected results:
The web application should not be able to access files on the file system.

Additional info:

--- Additional comment from Derek Horton on 2014-02-17 08:30:01 EST ---

Make the following config changes:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$JBOSS_HOME -Djava.security.policy==$PWD/server.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true"

diff --git a/bin/standalone.sh b/bin/standalone.sh
index 6324aa5..1c119e2 100755
--- a/bin/standalone.sh
+++ b/bin/standalone.sh
@@ -272,6 +272,7 @@ while true; do
          -jar \"$JBOSS_HOME/jboss-modules.jar\" \
          -mp \"${JBOSS_MODULEPATH}\" \
          -jaxpmodule "javax.xml.jaxp-provider" \
+         -secmgr \
          org.jboss.as.standalone \
          -Djboss.home.dir=\"$JBOSS_HOME\" \
          -Djboss.server.base.dir=\"$JBOSS_BASE_DIR\" \
diff --git a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml b/modules/system/layers/base/org/jboss/as/host-controller/main/module.
index 6a48ee4..8dc16ec 100644
--- a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
@@ -37,7 +37,7 @@
         <module name="javax.api"/>
         <module name="org.jboss.staxmapper"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.core-security"/>        
         <module name="org.jboss.common-core"/>
diff --git a/modules/system/layers/base/org/jboss/as/server/main/module.xml b/modules/system/layers/base/org/jboss/as/server/main/module.xml
index 810b681..6a61c97 100644
--- a/modules/system/layers/base/org/jboss/as/server/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/server/main/module.xml
@@ -52,7 +52,7 @@
         <module name="org.jboss.sasl"/>
         <module name="org.jboss.stdio"/>
         <module name="org.jboss.threads"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.deployment-repository"/>
         <module name="org.jboss.as.domain-http-interface"/>

Comment 1 JBoss JIRA Server 2014-02-20 23:02:58 UTC
David Lloyd <david.lloyd@redhat.com> updated the status of jira MODULES-184 to Resolved

Comment 2 JBoss JIRA Server 2014-02-27 11:52:59 UTC
David Lloyd <david.lloyd@redhat.com> updated the status of jira WFLY-3032 to Resolved

Comment 3 JBoss JIRA Server 2014-02-27 11:58:24 UTC
Ivo Studensky <istudens@redhat.com> updated the status of jira WFLY-3032 to Closed

Comment 4 Ivo Studensky 2014-02-27 13:57:58 UTC
Pull request filed:


Comment 5 Ondrej Lukas 2014-03-11 08:56:01 UTC
Verification failed. Import of org.jboss.vfs is also needed in /modules/system/layers/base/org/jboss/as/standalone/main/module.xml and probably jboss-modules.jar will need update. More information in connected bz https://bugzilla.redhat.com/show_bug.cgi?id=1065994

Comment 6 Josef Cacek 2014-03-26 10:20:13 UTC
PR with the missing fix was sent: https://github.com/jbossas/jboss-eap/pull/1131

The PR contains also a new testsuite module for testing with the security manager enabled.

Comment 7 Kabir Khan 2014-04-08 14:32:47 UTC

Comment 9 Russell Dickenson 2014-05-12 05:39:20 UTC

I have drafted a Release Notes entry for this BZ ticket. Please verify it.