Bug 1172830

Summary: [GSS] (6.4.0) Using java 6 with a datasource that is configured to use a security-domain and prefill fails on startup
Product: [JBoss] JBoss Enterprise Application Platform 6
Component: Security
Version: 6.3.3
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: Derek Horton <dehort>
Assignee: Darran Lofthouse <darran.lofthouse>
QA Contact: Pavel Slavicek <pslavice>
CC: anmiller, bdawidow, cdewolf, chaowan, pskopek, wili
Target Milestone: CR1
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Clone Of:
: 1172832
Last Closed: 2019-08-19 12:38:53 UTC
Bug Blocks: 1172832, 1204286
Attachments: Reproducer bz-1172830.war (flags: none)

Description Derek Horton 2014-12-10 20:56:54 UTC
Description of problem:

Using java 6 with a datasource that is configured to use a security-domain and prefill fails on startup.

Exception in thread "JCA PoolFiller" java.lang.ExceptionInInitializerError
    at javax.security.auth.Subject$2.run(Subject.java:533)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.createContext(Subject.java:526)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:246)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:842)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.fillToMin(SemaphoreArrayListManagedConnectionPool.java:783)
    at org.jboss.jca.core.connectionmanager.pool.mcp.PoolFiller.run(PoolFiller.java:97)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.SecurityException: unable to instantiate Subject-based policy
    at javax.security.auth.Policy.getPolicyNoCheck(Policy.java:224)
    at javax.security.auth.Policy.getPolicy(Policy.java:181)
    at javax.security.auth.SubjectDomainCombiner$5.run(SubjectDomainCombiner.java:481)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.SubjectDomainCombiner.compatPolicy(SubjectDomainCombiner.java:477)
    at javax.security.auth.SubjectDomainCombiner.<clinit>(SubjectDomainCombiner.java:47)

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1.  Configure a datasource to use a security-domain and prefill

    <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
        <driver>h2</driver>
        <pool>
            <min-pool-size>15</min-pool-size>
            <max-pool-size>150</max-pool-size>
            <prefill>true</prefill>
        </pool>
        <security>
            <security-domain>test-sec-domain</security-domain>
        </security>
    </datasource>

2.  Configure the security-domain

    <security-domain name="test-sec-domain" cache-type="default">
        <authentication>
            <login-module code="org.picketbox.datasource.security.CallerIdentityLoginModule" flag="required">
                <module-option name="principal" value="useFirstPass"/>
                <module-option name="username" value="useFirstPass"/>
                <module-option name="password" value="useFirstPass"/>
            </login-module>
        </authentication>
    </security-domain>


3.  Start JBoss


The issue can be resolved by adding <module name="sun.jdk"/> to the dependency list in modules/system/layers/base/org/jboss/ironjacamar/impl/main/module.xml.  However, this gets messy with patches.

It would be nice to modify the ironjacamar module.xml to include this dependency.
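
A configuration audit for the combination described in this report, as an added example that is not part of the original bug or of JBoss tooling. It flags datasources that set both prefill and a security-domain, and checks whether a module descriptor lists a given dependency such as sun.jdk. The XML samples, their namespaces, the javax.api entry and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the datasource from the report plus one without prefill.
# The namespace is a placeholder; tags are matched by local name only.
SAMPLE_DATASOURCES = """
<datasources xmlns="urn:example:datasources">
  <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
    <pool><min-pool-size>15</min-pool-size><prefill>true</prefill></pool>
    <security><security-domain>test-sec-domain</security-domain></security>
  </datasource>
  <datasource jndi-name="java:jboss/datasources/OtherDS" pool-name="OtherDS">
    <pool><prefill>false</prefill></pool>
    <security><security-domain>test-sec-domain</security-domain></security>
  </datasource>
</datasources>
"""

# Constructed module descriptor; a real module.xml lists more dependencies.
SAMPLE_MODULE = """
<module xmlns="urn:example:module" name="org.jboss.ironjacamar.impl">
  <dependencies><module name="javax.api"/></dependencies>
</module>
"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix

def find_text(elem, name):
    # Text of the first descendant with this local name, or None.
    for child in elem.iter():
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def affected_datasources(xml_text):
    # (pool-name, security-domain) for every datasource that prefills its
    # pool while authenticating through a security domain.
    hits = []
    for ds in ET.fromstring(xml_text).iter():
        if local(ds.tag) not in ("datasource", "xa-datasource"):
            continue
        domain = find_text(ds, "security-domain")
        if find_text(ds, "prefill") == "true" and domain:
            hits.append((ds.get("pool-name"), domain))
    return hits

def has_dependency(module_xml, name):
    # True if the <dependencies> list contains <module name="...">.
    for deps in ET.fromstring(module_xml).iter():
        if local(deps.tag) == "dependencies":
            return any(m.get("name") == name for m in deps)
    return False
```
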

Comment 4 Josef Cacek 2015-03-20 16:43:21 UTC
Verification failed.

IBM JDK 6 still reports problems in this configuration. Other tested Java versions on my Linux box seem to be OK. I'll continue with testing on other platforms too. 

The stacktrace on IBM Java 6 says:

java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/ExampleDS
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:151)
        at org.jboss.test.DataSourceServlet.doGet(DataSourceServlet.java:54)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
        at java.lang.Thread.run(Thread.java:761)
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/ExampleDS
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:421)
        at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:368)
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:510)
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
        ... 16 more
Caused by: javax.resource.ResourceException: IJ000651: Unable to get managed connection pool
        at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getManagedConnectionPool(AbstractPool.java:197)
        at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:417)
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:354)
        ... 19 more
Caused by: java.lang.NullPointerException
        at javax.resource.spi.security.PasswordCredential.equals(PasswordCredential.java:105)
        at javax.security.auth.Subject$SecureSet.contains(Subject.java:1394)
        at java.util.AbstractCollection.containsAll(AbstractCollection.java:158)
        at java.util.AbstractSet.equals(AbstractSet.java:62)
        at java.util.Collections$SynchronizedSet.equals(Collections.java:834)
        at javax.security.auth.Subject.equals(Subject.java:1013)
        at org.jboss.jca.core.connectionmanager.pool.strategy.SecurityActions.equals(SecurityActions.java:73)
        at org.jboss.jca.core.connectionmanager.pool.strategy.SubjectKey.equals(SubjectKey.java:86)
        at java.util.concurrent.ConcurrentHashMap$Segment.get(ConcurrentHashMap.java:403)
        at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:834)
        at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getManagedConnectionPool(AbstractPool.java:172)
        ... 21 more

Comment 5 Josef Cacek 2015-03-20 16:50:45 UTC
Created attachment 1004563
Reproducer bz-1172830.war

Attaching reproducer. 

Steps:

0) download attached reproducer to /tmp/bz-1172830.war

1) start EAP (with the tested Java version)

2) configure the server and deploy reproducer using JBoss CLI:
/subsystem=security/security-domain=test-sec-domain:add(cache-type=default)
/subsystem=security/security-domain=test-sec-domain/authentication=classic:add
/subsystem=security/security-domain=test-sec-domain/authentication=classic/login-module=CallerIdentity:add(code=org.picketbox.datasource.security.CallerIdentityLoginModule, flag=required, module-options=[("principal"=>"principal"), ("username"=>"username"), ("password"=>"password")])
/subsystem=datasources/data-source=ExampleDS:disable
reload
/subsystem=datasources/data-source=ExampleDS:remove
/subsystem=datasources/data-source=ExampleDS:add(jndi-name="java:jboss/datasources/ExampleDS",use-java-context=true,connection-url="jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE",driver-name=h2,min-pool-size=15,max-pool-size=150,pool-prefill=true,security-domain=test-sec-domain)
/subsystem=datasources/data-source=ExampleDS:enable
deploy /tmp/bz-1172830.war

3) go to http://localhost:8080/bz-1172830/ and check the output

Comment 9 Josef Cacek 2015-04-02 11:46:21 UTC
Verified in 6.4.0.CR2.

The regression test was fixed.