Bug 1067620 - [GSS] (6.3.0) Cannot change application permissions on EAP 6 when the Java Security Manager is enabled
Summary: [GSS] (6.3.0) Cannot change application permissions on EAP 6 when the Java Se...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Server
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ER2
Target Release: EAP 6.3.0
Assignee: David M. Lloyd
QA Contact: Josef Cacek
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: 1065994 1067622 1080939
Reported: 2014-02-20 18:27 UTC by Derek Horton
Modified: 2018-12-09 17:34 UTC
CC List: 6 users

Fixed In Version:
Clone Of: 1065994
Environment:
Last Closed: 2014-06-28 15:31:59 UTC
Type: Bug
Embargoed:



Links
System                 | ID          | Private | Priority | Status   | Summary                                                                                          | Last Updated
Red Hat Bugzilla       | 1070050     | 1       | None     | None     | None                                                                                             | 2021-01-20 06:05:38 UTC
Red Hat Bugzilla       | 1072323     | 1       | None     | None     | None                                                                                             | 2021-01-20 06:05:38 UTC
Red Hat Issue Tracker  | MODULES-184 | 0       | Major    | Resolved | Cannot change application permissions on EAP 6 when the Java Security Manager is enabled         | 2016-01-27 00:09:26 UTC

Internal Links: 1070050 1072323

Description Derek Horton 2014-02-20 18:27:54 UTC
+++ This bug was initially created as a clone of Bug #1065994 +++

Description of problem:

It looks like all deployed applications are granted "AllPermission" and there does not appear to be a way to change this.

Changing the grant statements in the policy file (-Djava.security.policy) doesn't seem to affect the permissions.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Create a war that reads a file from the file system
2.  Configure JBoss to use the java security manager
3.  Hit the web application

Actual results:
The web application can access files on the file system.


Expected results:
The web application should not be able to access files on the file system.

Additional info:

--- Additional comment from Derek Horton on 2014-02-17 08:30:01 EST ---

Make the following config changes:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$JBOSS_HOME -Djava.security.policy==$PWD/server.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true"



diff --git a/bin/standalone.sh b/bin/standalone.sh
index 6324aa5..1c119e2 100755
--- a/bin/standalone.sh
+++ b/bin/standalone.sh
@@ -272,6 +272,7 @@ while true; do
          -jar \"$JBOSS_HOME/jboss-modules.jar\" \
          -mp \"${JBOSS_MODULEPATH}\" \
          -jaxpmodule "javax.xml.jaxp-provider" \
+         -secmgr \
          org.jboss.as.standalone \
          -Djboss.home.dir=\"$JBOSS_HOME\" \
          -Djboss.server.base.dir=\"$JBOSS_BASE_DIR\" \
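Review bot: `-secmgr` is added unconditionally to the jboss-modules invocation, so every standalone start would install a security manager, and the JAVA_OPTS lines above already pass `-Djava.security.manager` for the same purpose; keep one mechanism and gate it on an administrator opt-in (for example expand a variable such as `${SECMGR:+-secmgr}` only when it is set) so the default startup is unchanged. Also, the host-controller module.xml is patched below but no matching change to domain.sh is shown, so domain mode would not get the flag.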
diff --git a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml b/modules/system/layers/base/org/jboss/as/host-controller/main/module.
xml
index 6a48ee4..8dc16ec 100644
--- a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
@@ -37,7 +37,7 @@
     <dependencies>
         <module name="javax.api"/>
         <module name="org.jboss.staxmapper"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.core-security"/>        
         <module name="org.jboss.common-core"/>
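Review bot: nothing in this hunk records why org.jboss.vfs now needs `services="import"` on the host-controller module; add an XML comment on that dependency line (for example `<!-- service imports required when running under the security manager -->`) so a later dependency cleanup does not silently drop it. The trailing whitespace on the org.jboss.as.core-security context line is pre-existing and can be left alone here.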
diff --git a/modules/system/layers/base/org/jboss/as/server/main/module.xml b/modules/system/layers/base/org/jboss/as/server/main/module.xml
index 810b681..6a61c97 100644
--- a/modules/system/layers/base/org/jboss/as/server/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/server/main/module.xml
@@ -52,7 +52,7 @@
         <module name="org.jboss.sasl"/>
         <module name="org.jboss.stdio"/>
         <module name="org.jboss.threads"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.deployment-repository"/>
         <module name="org.jboss.as.domain-http-interface"/>
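Review bot: the same `services="import"` is applied here for org.jboss.as.server but not for org.jboss.as.standalone (modules/system/layers/base/org/jboss/as/standalone/main/module.xml), which is the module the first hunk actually launches via `org.jboss.as.standalone`; comment 5 below reports verification failing for exactly that missing import. Apply the same one-line change to the standalone module.xml in this patch rather than in a follow-up.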

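As an added example that is not part of this bug report or the EAP code base, the following Java program loads two constructed server.policy variants with the same JavaPolicy parser that `-Djava.security.policy` uses, and asks each whether unsigned deployment code from a hypothetical code base (`file:/opt/eap/standalone/deployments/app.war`) may read `/etc/passwd`. It reproduces the symptom the reporter describes (an unconditional AllPermission grant lets the WAR read any file) beside a restricted grant that scopes the deployment to its own tmp directory, without installing a SecurityManager. The class name, path names and both policy texts are assumptions made for illustration.

```java
// Added example (not from the bug report or from EAP): load a Java policy file
// and check what it grants to a deployment's code source. Requires a JDK where
// java.security.Policy is still functional (JDK 8 through 17).
import java.io.FilePermission;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

public class PolicyGrantCheck {

    // Constructed policy text: the behaviour the reporter observed, where every
    // deployment ends up with AllPermission regardless of the policy file.
    static final String ALL_PERMISSION_POLICY =
        "grant {\n" +
        "    permission java.security.AllPermission;\n" +
        "};\n";

    // Constructed policy text: a least-privilege grant for the deployment
    // directory only (hypothetical EAP installation path).
    static final String RESTRICTED_POLICY =
        "grant codeBase \"file:/opt/eap/standalone/deployments/-\" {\n" +
        "    permission java.util.PropertyPermission \"java.version\", \"read\";\n" +
        "    permission java.io.FilePermission \"/opt/eap/standalone/tmp/-\", \"read,write\";\n" +
        "};\n";

    /** Writes policy text to a temp file and parses it with the standard JavaPolicy provider. */
    static Policy loadPolicy(String policyText) throws Exception {
        Path file = Files.createTempFile("server", ".policy");
        Files.write(file, policyText.getBytes(StandardCharsets.UTF_8));
        file.toFile().deleteOnExit();
        // Same parser the JVM uses for -Djava.security.policy, loaded in-process
        // so the grants can be inspected without a SecurityManager.
        return Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
    }

    /** True if the policy grants perm to unsigned code loaded from codeBase. */
    static boolean grants(Policy policy, String codeBase, Permission perm) throws IOException {
        CodeSource cs = new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
        // Null static permissions: the answer comes from the policy file alone.
        ProtectionDomain pd = new ProtectionDomain(cs, null);
        return policy.implies(pd, perm);
    }

    public static void main(String[] args) throws Exception {
        String war = "file:/opt/eap/standalone/deployments/app.war"; // hypothetical deployment
        Permission readPasswd = new FilePermission("/etc/passwd", "read");
        Permission readTmp = new FilePermission("/opt/eap/standalone/tmp/upload.bin", "read");

        Policy broken = loadPolicy(ALL_PERMISSION_POLICY);
        Policy fixed = loadPolicy(RESTRICTED_POLICY);

        // Symptom from the bug: with AllPermission the WAR may read anything.
        System.out.println("AllPermission policy, read /etc/passwd: " + grants(broken, war, readPasswd));
        // Expected behaviour once the policy file is honoured.
        System.out.println("Restricted policy,    read /etc/passwd: " + grants(fixed, war, readPasswd));
        System.out.println("Restricted policy,    read own tmp dir: " + grants(fixed, war, readTmp));
    }
}
```

Compile and run with `javac PolicyGrantCheck.java && java PolicyGrantCheck`; the first line prints true and the next two print false and true. When wiring the real policy into the server, note that `-Djava.security.policy==file` (two equals signs, as in the reporter's JAVA_OPTS) replaces the JDK's default policy entirely, whereas a single `=` adds the file on top of it; the `==` form is the right one when the goal is to control exactly what deployments are granted, but it also means the JDK's own default grants must be restated for the server modules that need them.
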
Comment 1 JBoss JIRA Server 2014-02-20 23:02:58 UTC
David Lloyd <david.lloyd> updated the status of jira MODULES-184 to Resolved

Comment 2 JBoss JIRA Server 2014-02-27 11:52:59 UTC
David Lloyd <david.lloyd> updated the status of jira WFLY-3032 to Resolved

Comment 3 JBoss JIRA Server 2014-02-27 11:58:24 UTC
Ivo Studensky <istudens> updated the status of jira WFLY-3032 to Closed

Comment 4 Ivo Studensky 2014-02-27 13:57:58 UTC
Pull request filed:

https://github.com/jbossas/jboss-eap/pull/981

Comment 5 Ondrej Lukas 2014-03-11 08:56:01 UTC
Verification failed. Import of org.jboss.vfs is also needed in /modules/system/layers/base/org/jboss/as/standalone/main/module.xml and probably jboss-modules.jar will need update. More information in connected bz https://bugzilla.redhat.com/show_bug.cgi?id=1065994

Comment 6 Josef Cacek 2014-03-26 10:20:13 UTC
PR with the missing fix was sent: https://github.com/jbossas/jboss-eap/pull/1131

The PR contains also a new testsuite module for testing with the security manager enabled.

Comment 7 Kabir Khan 2014-04-08 14:32:47 UTC
https://github.com/jbossas/jboss-eap/pull/1189

Comment 9 Russell Dickenson 2014-05-12 05:39:20 UTC
Fernando,

I have drafted a Release Notes entry for this BZ ticket. Please verify it.

