Bug 1067620 - [GSS] (6.3.0) Cannot change application permissions on EAP 6 when the Java Security Manager is enabled
Summary: [GSS] (6.3.0) Cannot change application permissions on EAP 6 when the Java Se...
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Server
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ER2
: EAP 6.3.0
Assignee: David M. Lloyd
QA Contact: Josef Cacek
Russell Dickenson
Depends On:
Blocks: 1065994 1067622 1080939
Reported: 2014-02-20 18:27 UTC by Derek Horton
Modified: 2018-12-09 17:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An issue with the application of Java Security Manager (JSM) policies was discovered, where deployed applications were granted 'AllPermission' permission, which contradicted the policy file. The root cause of this issue was that JBoss Modules used the same logic for assigning server modules permissions and deployment permissions. The default permission for server modules is 'AllPermission', but the default for deployments should be empty permission set. This issue has now been resolved and deployment permissions can be granted in policy file by using Virtual File System (VFS) URL-based grant entries.
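The root cause described above comes down to which permission set a deployment's protection domain holds: AllPermission lets it read any file, an empty set lets it read nothing, and a policy grant lets it read exactly what was granted. The following Java program is added here as an illustration; it is not code from EAP or JBoss Modules. It models the three cases with static ProtectionDomains so that the check runs without installing a SecurityManager or loading a policy file. The codebase URLs and file paths are constructed placeholders, and a file: URL stands in for the deployment's VFS URL because plain java.net.URL has no vfs: handler. It targets a JDK that still ships the SecurityManager API.

```java
import java.io.FilePermission;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Models the permission sets at the heart of this bug: a server module
 * holding AllPermission, a deployment with the empty default set, and a
 * deployment with one explicit FilePermission grant from the policy.
 */
public class DeploymentPermissionDemo {

    /**
     * Builds a protection domain with static permissions. The two-argument
     * ProtectionDomain constructor fixes the permission set, so the installed
     * Policy is never consulted and the outcome depends only on what we grant.
     */
    static ProtectionDomain domain(String codebase, Permission... granted)
            throws MalformedURLException {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        // Hypothetical codebase; in EAP this would be the deployment's vfs: URL.
        CodeSource cs = new CodeSource(new URL(codebase), (Certificate[]) null);
        return new ProtectionDomain(cs, perms);
    }

    /** True if code running only in the given domain would pass a read check for path. */
    static boolean canRead(ProtectionDomain pd, String path) {
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { pd });
        try {
            ctx.checkPermission(new FilePermission(path, "read"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder paths; none of them are read, only checked.
        String serverConfig = "/opt/eap/standalone/configuration/standalone.xml";
        String appData = "/opt/eap/standalone/data/app/config.properties";

        // 1. Server module: the AllPermission default that JBoss Modules applied.
        ProtectionDomain serverModule = domain(
                "file:/opt/eap/modules/system/layers/base/", new AllPermission());

        // 2. Deployment with the empty default set the Doc Text says it should have.
        ProtectionDomain deploymentDefault = domain(
                "file:/opt/eap/standalone/deployments/app.war/");

        // 3. Deployment with one grant, as a policy-file entry for its codebase would add.
        ProtectionDomain deploymentGranted = domain(
                "file:/opt/eap/standalone/deployments/app.war/",
                new FilePermission("/opt/eap/standalone/data/app/-", "read"));

        System.out.println("server module reads server config:        "
                + canRead(serverModule, serverConfig));
        System.out.println("default deployment reads server config:   "
                + canRead(deploymentDefault, serverConfig));
        System.out.println("granted deployment reads server config:   "
                + canRead(deploymentGranted, serverConfig));
        System.out.println("granted deployment reads its own data dir: "
                + canRead(deploymentGranted, appData));
    }
}
```

The AllPermission domain passes every check, which is the "Actual results" of the report; the empty-set domain fails every check, which is the "Expected results"; and the granted domain passes only for paths under its single FilePermission, which is the behaviour the fix makes reachable through VFS URL-based grant entries in the policy file.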
Clone Of: 1065994
Last Closed: 2014-06-28 15:31:59 UTC
Type: Bug


System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1070050 None None None Never
Red Hat Bugzilla 1072323 None None None Never
Red Hat One Jira Issue Tracker MODULES-184 Major Resolved Cannot change application permissions on EAP 6 when the Java Security Manager is enabled 2016-01-27 00:09:26 UTC

Internal Links: 1070050 1072323

Description Derek Horton 2014-02-20 18:27:54 UTC
+++ This bug was initially created as a clone of Bug #1065994 +++

Description of problem:

It looks like all deployed applications are granted "AllPermission" and there does not appear to be a way to change this.

Changing the grant statements in the policy file (-Djava.security.policy) doesn't seem to affect the permissions.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Create a war that reads a file from the file system
2.  Configure JBoss to use the java security manager
3.  Hit the web application

Actual results:
The web application can access files on the file system.

Expected results:
The web application should not be able to access files on the file system.

Additional info:

--- Additional comment from Derek Horton on 2014-02-17 08:30:01 EST ---

Make the following config changes:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$JBOSS_HOME -Djava.security.policy==$PWD/server.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true"

diff --git a/bin/standalone.sh b/bin/standalone.sh
index 6324aa5..1c119e2 100755
--- a/bin/standalone.sh
+++ b/bin/standalone.sh
@@ -272,6 +272,7 @@ while true; do
          -jar \"$JBOSS_HOME/jboss-modules.jar\" \
          -mp \"${JBOSS_MODULEPATH}\" \
          -jaxpmodule "javax.xml.jaxp-provider" \
+         -secmgr \
          org.jboss.as.standalone \
          -Djboss.home.dir=\"$JBOSS_HOME\" \
          -Djboss.server.base.dir=\"$JBOSS_BASE_DIR\" \
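Review bot: `-secmgr` is inserted into the jboss-modules command line unconditionally, so every start through standalone.sh now runs under the security manager even when the JAVA_OPTS lines quoted above (`-Djava.security.manager`, `-Djava.security.policy==...`, `-Djboss.modules.policy-permissions=true`) have not been set; either gate the flag on an environment variable or document that those options must always accompany it, and record which of `-secmgr` and `-Djava.security.manager` is the one that actually installs the manager so the two are not both required by accident.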
diff --git a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml b/modules/system/layers/base/org/jboss/as/host-controller/main/module.
index 6a48ee4..8dc16ec 100644
--- a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
@@ -37,7 +37,7 @@
         <module name="javax.api"/>
         <module name="org.jboss.staxmapper"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.core-security"/>        
         <module name="org.jboss.common-core"/>
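Review bot: adding `services="import"` on the org.jboss.vfs dependency changes only this module, yet the same dependency appears in other modules that need to resolve VFS codebase URLs (Comment 5 on this bug reports that the standalone module.xml needs it too), so audit every module.xml declaring `<module name="org.jboss.vfs"/>` rather than patching host-controller and server alone. The context line for org.jboss.as.core-security also carries trailing whitespace that could be trimmed while this file is being touched.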
diff --git a/modules/system/layers/base/org/jboss/as/server/main/module.xml b/modules/system/layers/base/org/jboss/as/server/main/module.xml
index 810b681..6a61c97 100644
--- a/modules/system/layers/base/org/jboss/as/server/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/server/main/module.xml
@@ -52,7 +52,7 @@
         <module name="org.jboss.sasl"/>
         <module name="org.jboss.stdio"/>
         <module name="org.jboss.threads"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.deployment-repository"/>
         <module name="org.jboss.as.domain-http-interface"/>
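Review bot: nothing in this hunk or in the surrounding comment records why the VFS services must be imported here; add a short XML comment beside the dependency (or a sentence in the commit message) stating that the import makes the VFS URL handler visible so that policy grants keyed to deployment vfs: URLs can resolve, which is what the Doc Text of this bug describes, otherwise the next person tidying module.xml may drop the attribute as redundant.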

Comment 1 JBoss JIRA Server 2014-02-20 23:02:58 UTC
David Lloyd <david.lloyd@redhat.com> updated the status of jira MODULES-184 to Resolved

Comment 2 JBoss JIRA Server 2014-02-27 11:52:59 UTC
David Lloyd <david.lloyd@redhat.com> updated the status of jira WFLY-3032 to Resolved

Comment 3 JBoss JIRA Server 2014-02-27 11:58:24 UTC
Ivo Studensky <istudens@redhat.com> updated the status of jira WFLY-3032 to Closed

Comment 4 Ivo Studensky 2014-02-27 13:57:58 UTC
Pull request filed:


Comment 5 Ondrej Lukas 2014-03-11 08:56:01 UTC
Verification failed. Import of org.jboss.vfs is also needed in /modules/system/layers/base/org/jboss/as/standalone/main/module.xml and probably jboss-modules.jar will need update. More information in connected bz https://bugzilla.redhat.com/show_bug.cgi?id=1065994

Comment 6 Josef Cacek 2014-03-26 10:20:13 UTC
PR with the missing fix was sent: https://github.com/jbossas/jboss-eap/pull/1131

The PR also contains a new testsuite module for testing with the security manager enabled.

Comment 7 Kabir Khan 2014-04-08 14:32:47 UTC

Comment 9 Russell Dickenson 2014-05-12 05:39:20 UTC

I have drafted a Release Notes entry for this BZ ticket. Please verify it.
