Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1051148

Summary: -Djava.security.debug=access:failure results in successful accesses being logged as ERRORs
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Len DiMaggio <ldimaggi>
Component: SecurityAssignee: Anil Saldhana <anil.saldhana>
Status: CLOSED NOTABUG QA Contact: Josef Cacek <jcacek>
Severity: high Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: unspecified   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-30 07:35:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Server log none

Description Len DiMaggio 2014-01-09 18:51:37 UTC 
Description of problem:

Setting the Java Security Manager to run with a totally permissive policy and -Djava.security.debug=access:failure results in successful accesses being logged as ERRORs

Version-Release number of selected component (if applicable):
6.1.1.GA

How reproducible:
100%

Steps to Reproduce:

1. Define a security policy of:

grant {
   permission java.security.AllPermission;
};

2. Add this to standalone.sh:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==/opt/local/permit.policy -Djava.security.debug=access:failure"

3. Start up the server

Actual results:
ERRORs such as: 

13:35:30,657 ERROR [stderr] (MSC service thread 1-2) access: access allowed ("java.lang.RuntimePermission" "getClassLoader")

Expected results:
No errors for successful access.

Additional info:
See attached server.log
Comment 1 Len DiMaggio 2014-01-09 18:54:24 UTC 
Created attachment 847751 [details]
Server log
Comment 2 Josef Cacek 2014-07-30 07:35:31 UTC 
It's not a bug, it's a feature. :)

Printing security debug information to the error stream is a Java feature. 
Look at sun.security.util.Debug:

    public void println(String message)
    {
        System.err.println(prefix + ": "+message);
    }

even running "java -Djava.security.debug=help" prints the help to STD_ERR.

EAP captures the error stream and sends it to JBoss Logging with ERROR level set.
For instance look at org.jboss.as.server.Main.main():

StdioContext.install();
StdioContext context = StdioContext.create(new NullInputStream(), new LoggingOutputStream(Logger.getLogger("stdout"), Level.INFO), new LoggingOutputStream(Logger.getLogger("stderr"), Level.ERROR));
StdioContext.setStdioContextSelector(new SimpleStdioContextSelector(context));