1036872 – [CCC] (6.3) Cannot configure a security policy file setting that disables policy files specifies in JRE's java.security file

Bug 1036872 - [CCC] (6.3) Cannot configure a security policy file setting that disables policy files specifies in JRE's java.security file

Summary: [CCC] (6.3) Cannot configure a security policy file setting that disables pol...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Server
Sub Component:
Version:	6.2.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	DR0
Target Release:	EAP 6.3.0
Assignee:	Kabir Khan
QA Contact:	Michal Karm Babacek
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1044394
TreeView+	depends on / blocked

Reported:	2013-12-02 19:35 UTC by Brian Stansberry
Modified:	2014-06-28 15:43 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	An issue was identified in using the special prefix of `=` to disable the default policy files. The underlying cause was that when the Host Controller started a server, it provided `null` as the value of the `java.security.policy` setting, leading to the use of the policy files specified in the java.security file and possibly permission failures preventing server booting. This issue was fixed by modifying parsing of system properties so that the value of a system property whose value begins with "=" is no longer reset to `null` by the Host Controller when starting a server.
Clone Of:
Environment:
Last Closed:	2014-06-28 15:43:29 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description Brian Stansberry 2013-12-02 19:35:11 UTC

When a security manager is installed, by default the VM reads policy files specified in the VM installation's java.security file. By default this includes the following:

# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy

The user can also specify a policy file to use via system property java.security.policy. A special behavior of the value of that system property is if it starts with "=" then the policy files specified in java.security are ignored, and only the file set via the java.security.policy system property are used.

For example, this disables the use of the defaults:

-Djava.security.policy==/Users/kabir/tmp/permit.policy

See http://docs.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html for full details.

The bug is the Host Controller process' Main class handles parsing of system properties such that the value of a system property whose value begins with "=" instead becomes null. This causes the specified property file to be ignored, likely leading to permission problems on the host's servers, e.g.:

[Server:server-one] Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission module.path write)
[Server:server-one]     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:376)
[Server:server-one]     at java.security.AccessController.checkPermission(AccessController.java:549)
[Server:server-one]     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
[Server:server-one]     at java.lang.System.setProperty(System.java:741)
[Server:server-one]     at org.jboss.modules.Main.main(Main.java:148)

Comment 3 Michal Karm Babacek 2014-02-28 17:47:27 UTC

Fix is present in the delivered bits. Verified.

Note You need to log in before you can comment on or make changes to this bug.