Description of problem:
It looks like all deployed applications are granted "AllPermission" and there does not appear to be a way to change this. Changing the grant statements in the policy file (-Djava.security.policy) doesn't seem to affect the permissions.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a war that reads a file from the file system
2. Configure JBoss to use the java security manager
3. Hit the web application

Actual results:
The web application can access files on the file system.

Expected results:
The web application should not be able to access files on the file system.

Additional info:
Make the following config changes:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$JBOSS_HOME -Djava.security.policy==$PWD/server.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true"

diff --git a/bin/standalone.sh b/bin/standalone.sh index 6324aa5..1c119e2 100755 --- a/bin/standalone.sh +++ b/bin/standalone.sh @@ -272,6 +272,7 @@ while true; do -jar \"$JBOSS_HOME/jboss-modules.jar\" \ -mp \"${JBOSS_MODULEPATH}\" \ -jaxpmodule "javax.xml.jaxp-provider" \ + -secmgr \ org.jboss.as.standalone \ -Djboss.home.dir=\"$JBOSS_HOME\" \ -Djboss.server.base.dir=\"$JBOSS_BASE_DIR\" \ diff --git a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml b/modules/system/layers/base/org/jboss/as/host-controller/main/module. xml index 6a48ee4..8dc16ec 100644 --- a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml +++ b/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml @@ -37,7 +37,7 @@ <dependencies> <module name="javax.api"/> <module name="org.jboss.staxmapper"/> - <module name="org.jboss.vfs"/> + <module name="org.jboss.vfs" services="import"/> <module name="org.jboss.as.controller"/> <module name="org.jboss.as.core-security"/> <module name="org.jboss.common-core"/> diff --git a/modules/system/layers/base/org/jboss/as/server/main/module.xml b/modules/system/layers/base/org/jboss/as/server/main/module.xml index 810b681..6a61c97 100644 --- a/modules/system/layers/base/org/jboss/as/server/main/module.xml +++ b/modules/system/layers/base/org/jboss/as/server/main/module.xml @@ -52,7 +52,7 @@ <module name="org.jboss.sasl"/> <module name="org.jboss.stdio"/> <module name="org.jboss.threads"/> - <module name="org.jboss.vfs"/> + <module name="org.jboss.vfs" services="import"/> <module name="org.jboss.as.controller"/> <module name="org.jboss.as.deployment-repository"/> <module name="org.jboss.as.domain-http-interface"/>
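Review bot: In the bin/standalone.sh hunk, the added "-secmgr \" argument is passed to jboss-modules unconditionally, so every start through this script carries the flag whether or not the administrator asked for a security manager. Emit it only when an explicit setting requests it. The JAVA_OPTS lines above also set -Djava.security.manager, so the description should say which of the two is expected to install the security manager and whether both are required.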
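Review bot: The host-controller/main/module.xml hunk changes a host controller dependency, but the only launch script in this patch is bin/standalone.sh, so nothing here passes -secmgr on the host controller's start path. If domain mode is meant to be covered, the matching launcher change is missing; if it is not, this hunk should be dropped or justified separately.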
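Review bot: In the server/main/module.xml hunk (and identically in the host-controller one), the org.jboss.vfs dependency gains services="import" with no comment or description of which service from org.jboss.vfs has to become visible once the security manager is on. Add an XML comment next to the changed line naming that service, so the attribute is not dropped as unneeded in a later cleanup of the dependency list.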
David Lloyd <david.lloyd> updated the status of jira MODULES-184 to Resolved
The fix comes in bz1080939.
*** This bug has been marked as a duplicate of bug 1080939 ***