Bug 1065994 - [GSS] (6.2.x) Cannot change application permissions on EAP 6 when the Java Security Manager is enabled
Summary: [GSS] (6.2.x) Cannot change application permissions on EAP 6 when the Java Se...
Status: CLOSED DUPLICATE of bug 1080939
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: jbossas
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR3
: EAP 6.2.3
Assignee: Ivo Studensky
QA Contact: Josef Cacek
Russell Dickenson
Depends On: 1067620
Blocks: 953259 eap62-cp03-blockers 1067621 1076629
TreeView+ depends on / blocked
Reported: 2014-02-17 13:18 UTC by Derek Horton
Modified: 2018-12-09 17:31 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1067620 (view as bug list)
Last Closed: 2014-04-17 11:14:47 UTC
Type: Bug

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1070049 None None None 2019-03-07 20:02:53 UTC
Red Hat One Jira Issue Tracker MODULES-184 Major Resolved Cannot change application permissions on EAP 6 when the Java Security Manager is enabled 2019-03-07 20:02:59 UTC

Internal Links: 1070049

Description Derek Horton 2014-02-17 13:18:05 UTC
Description of problem:

It looks like all deployed applications are granted "AllPermission" and there does not appear to be a way to change this.

Changing the grant statements in the policy file (-Djava.security.policy) doesn't seem to affect the permissions.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Create a war that reads a file from the file system
2.  Configure JBoss to use the java security manager
3.  Hit the web application

Actual results:
The web application can access files on the file system.

Expected results:
The web application should not be able to access files on the file system.

Additional info:

Comment 1 Derek Horton 2014-02-17 13:30:01 UTC
Make the following config changes:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$JBOSS_HOME -Djava.security.policy==$PWD/server.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true"

diff --git a/bin/standalone.sh b/bin/standalone.sh
index 6324aa5..1c119e2 100755
--- a/bin/standalone.sh
+++ b/bin/standalone.sh
@@ -272,6 +272,7 @@ while true; do
          -jar \"$JBOSS_HOME/jboss-modules.jar\" \
          -mp \"${JBOSS_MODULEPATH}\" \
          -jaxpmodule "javax.xml.jaxp-provider" \
+         -secmgr \
          org.jboss.as.standalone \
          -Djboss.home.dir=\"$JBOSS_HOME\" \
          -Djboss.server.base.dir=\"$JBOSS_BASE_DIR\" \
diff --git a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml b/modules/system/layers/base/org/jboss/as/host-controller/main/module.
index 6a48ee4..8dc16ec 100644
--- a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
@@ -37,7 +37,7 @@
         <module name="javax.api"/>
         <module name="org.jboss.staxmapper"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.core-security"/>        
         <module name="org.jboss.common-core"/>
diff --git a/modules/system/layers/base/org/jboss/as/server/main/module.xml b/modules/system/layers/base/org/jboss/as/server/main/module.xml
index 810b681..6a61c97 100644
--- a/modules/system/layers/base/org/jboss/as/server/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/server/main/module.xml
@@ -52,7 +52,7 @@
         <module name="org.jboss.sasl"/>
         <module name="org.jboss.stdio"/>
         <module name="org.jboss.threads"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.deployment-repository"/>
         <module name="org.jboss.as.domain-http-interface"/>

Comment 2 JBoss JIRA Server 2014-02-20 23:02:57 UTC
David Lloyd <david.lloyd@redhat.com> updated the status of jira MODULES-184 to Resolved

Comment 11 Ivo Studensky 2014-04-15 11:21:50 UTC
The fix comes in bz1080939.

Comment 12 Ivo Studensky 2014-04-17 11:14:47 UTC

*** This bug has been marked as a duplicate of bug 1080939 ***

Note You need to log in before you can comment on or make changes to this bug.