Bug 1050755
| Summary: | Running ER8 server with Java security manager raises multiple ERRORs | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [JBoss] JBoss Fuse Service Works 6 | Reporter: | Len DiMaggio <ldimaggi> | ||||
| Component: | DT Governance | Assignee: | Eric Wittmann <eric.wittmann> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Tomas Rohovsky <trohovsk> | ||||
| Severity: | urgent | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 6.0.0 GA | CC: | oskutka, soa-p-jira | ||||
| Target Milestone: | CR1 | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | Type: | Bug | |||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 847463 [details]
Ser
The issue here is that when we try to login to the JCR repository (to get a Session), ModeShape's JaasProvider (a security provider) tries to pull current user credentials from two different places:
Subject.getSubject(AccessController.getContext())
and
PolicyContext.getContext("javax.security.auth.Subject.container")
When running *without* a security manager, the latter (JACC) mechanism is used and the current JAAS subject is returned, complete with appropriate roles configured.
When running *with* a security manager, the former mechanism is used. In this case (for some reason) the subject that gets returns has the right username but is missing all the role information. I'm not a java security expert, but I have to assume that's a bug somewhere in EAP?
In any case, I have created a workaround for this by leveraging work I did for future Tomcat support in s-ramp. Specifically, we will be passing ModeShape ServletCredentials when logging in to the JCR repository. This will cause the ServletProvider authentication handler to get used *instead* of the JaasProvider. It also means that username and role information will get pulled from the current inbound HttpRequest rather than from a JACC or JAAS subject.
Here is the relevant change: https://github.com/jboss-integration/s-ramp/commit/f759c36d3fac8a1aa51bcb161fd8662acbfe7fc1 |
Description of problem: I created a policy permit.policy with the following content: grant { permission java.security.AllPermission; }; Then added the following to the standalone.conf: JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=/opt/local/permit.policy" Starting an ER8 server raises multiple SRAMP-related errors such as: 21:35:39,136 ERROR [org.overlord.sramp.server.atom.services.AbstractFeedResource] (http-localhost.localdomain/127.0.0.1:8080-2) !!Error trying to create an Artifact Feed.!!: org.overlord.sramp.repository.query.QueryExecutionException: javax.jcr.LoginException: Unable to create session for workspace default in repository sramp: authentication or authorization failed. Check credentials. 21:35:39,203 ERROR [org.overlord.sramp.governance.QueryExecutor] (EJB default - 1) Exception for /s-ramp/ext/JavaArchive: Permission denied to perform actions "[read]" on path <unknown>: org.overlord.sramp.atom.err.SrampAtomException: Permission denied to perform actions "[read]" on path <unknown> Version-Release number of selected component (if applicable): ER8 How reproducible: 100% Steps to Reproduce: 1. See description above 2. 3. Actual results: Errors listed above. Expected results: Additional info: See attached server.log