Bug 1067620 - [GSS] (6.3.0) Cannot change application permissions on EAP 6 when the Java Security Manager is enabled
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Server
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ER2
Target Release: EAP 6.3.0
Assignee: David M. Lloyd
QA Contact: Josef Cacek
Docs Contact: Russell Dickenson
URL:
Whiteboard:
Keywords:
Depends On:
Blocks: 1065994 1067622 1080939
Reported: 2014-02-20 18:27 UTC by Derek Horton
Modified: 2018-12-09 17:34 UTC (History)

An issue with the application of Java Security Manager (JSM) policies was discovered, where deployed applications were granted the 'AllPermission' permission, which contradicted the policy file. The root cause was that JBoss Modules used the same logic for assigning permissions to server modules and to deployments. The default permission for server modules is 'AllPermission', but the default for deployments should be an empty permission set. This issue has now been resolved, and deployment permissions can be granted in the policy file by using Virtual File System (VFS) URL-based grant entries.
Clone Of: 1065994
Last Closed: 2014-06-28 15:31:59 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker MODULES-184 Major Resolved Cannot change application permissions on EAP 6 when the Java Security Manager is enabled 2016-01-27 00:09 UTC
Red Hat Bugzilla 1070050 None None None Never
Red Hat Bugzilla 1072323 None None None Never

Internal Trackers: 1070050 1072323

Description Derek Horton 2014-02-20 18:27:54 UTC
+++ This bug was initially created as a clone of Bug #1065994 +++

Description of problem:

It looks like all deployed applications are granted "AllPermission" and there does not appear to be a way to change this.

Changing the grant statements in the policy file (-Djava.security.policy) doesn't seem to affect the permissions.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Create a war that reads a file from the file system
2.  Configure JBoss to use the java security manager
3.  Hit the web application

Actual results:
The web application can access files on the file system.


Expected results:
The web application should not be able to access files on the file system.

Additional info:

--- Additional comment from Derek Horton on 2014-02-17 08:30:01 EST ---

Make the following config changes:

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$JBOSS_HOME -Djava.security.policy==$PWD/server.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.modules.policy-permissions=true"



diff --git a/bin/standalone.sh b/bin/standalone.sh
index 6324aa5..1c119e2 100755
--- a/bin/standalone.sh
+++ b/bin/standalone.sh
@@ -272,6 +272,7 @@ while true; do
          -jar \"$JBOSS_HOME/jboss-modules.jar\" \
          -mp \"${JBOSS_MODULEPATH}\" \
          -jaxpmodule "javax.xml.jaxp-provider" \
+         -secmgr \
          org.jboss.as.standalone \
          -Djboss.home.dir=\"$JBOSS_HOME\" \
          -Djboss.server.base.dir=\"$JBOSS_BASE_DIR\" \
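Review bot: the `-secmgr` flag is added unconditionally inside the `while true; do` launch loop, so every start of standalone.sh now installs the security manager and an operator cannot opt out without editing the script. Gate it on a variable sourced from standalone.conf (e.g. `[ "x$SECMGR" = "xtrue" ] && SECMGR_ARG="-secmgr"` and pass `$SECMGR_ARG` on that line), and state in the comment above how it relates to the `-Djava.security.manager` already set in JAVA_OPTS, because a reader of this diff cannot tell whether both are required. The patch does not touch domain.sh or the Windows launch scripts, so they fall out of sync with this change.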
diff --git a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml b/modules/system/layers/base/org/jboss/as/host-controller/main/module.
xml
index 6a48ee4..8dc16ec 100644
--- a/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/host-controller/main/module.xml
@@ -37,7 +37,7 @@
     <dependencies>
         <module name="javax.api"/>
         <module name="org.jboss.staxmapper"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.core-security"/>        
         <module name="org.jboss.common-core"/>
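Review bot: the reason for switching `org.jboss.vfs` to `services="import"` is not documented anywhere in the diff. Add a short XML comment beside the dependency, or a sentence in the commit message, stating that the module's META-INF/services entries must be visible to this module so that the `vfs:` URLs used by the policy file's grant entries (the mechanism the release note relies on) can be resolved. Without that, the next person auditing module.xml cannot tell the import is load-bearing for the security manager and may drop it as noise.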
diff --git a/modules/system/layers/base/org/jboss/as/server/main/module.xml b/modules/system/layers/base/org/jboss/as/server/main/module.xml
index 810b681..6a61c97 100644
--- a/modules/system/layers/base/org/jboss/as/server/main/module.xml
+++ b/modules/system/layers/base/org/jboss/as/server/main/module.xml
@@ -52,7 +52,7 @@
         <module name="org.jboss.sasl"/>
         <module name="org.jboss.stdio"/>
         <module name="org.jboss.threads"/>
-        <module name="org.jboss.vfs"/>
+        <module name="org.jboss.vfs" services="import"/>
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.deployment-repository"/>
         <module name="org.jboss.as.domain-http-interface"/>
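Review bot: this is the same one-attribute change as in host-controller/main/module.xml, and comment 5 below reports that org/jboss/as/standalone/main/module.xml needed it too, so the patch as filed is incomplete for the very launch path it modifies in bin/standalone.sh. List every module that has to import the VFS services for policy evaluation in the commit message, and make a testsuite run with the security manager enabled (comment 6 says one was added in a later PR) the gate for this change rather than manual verification.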

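An added example of a server.policy fragment for the fixed behaviour described in the release note (not from the bug report, the pull requests or the EAP distribution): it grants one deployment only the file and property permissions it needs, beside the overly broad grant that recreates the pre-fix symptom. It assumes the JAVA_OPTS shown in the comment above and that deployment content is mounted by VFS under vfs:/content/<deployment-name>, which is an assumed path form.

```text
// Added example policy fragment; not part of the bug report or of EAP itself.
// Assumptions: the fixed jboss-modules is in use (deployments default to an
// empty permission set), the server is started with the JAVA_OPTS from the
// report (-Djava.security.manager, -Djava.security.policy==$PWD/server.policy,
// -Djboss.modules.policy-permissions=true), and deployment content is mounted
// under vfs:/content/<deployment-name> (assumed path form).
// The double '=' in -Djava.security.policy== makes this file the only policy,
// so the JRE's default grants do not apply on top of it.

// Deployment "reports.war" (constructed name): only what the application needs.
// No java.io.FilePermission "<<ALL FILES>>" is granted here, so the
// reproduction step (a servlet reading an arbitrary file) now fails with
// java.security.AccessControlException instead of succeeding.
grant codeBase "vfs:/content/reports.war/-" {
    // read-only access to one directory below the server's data dir
    permission java.io.FilePermission "${jboss.server.data.dir}${/}reports${/}-", "read";
    // the specific properties the application reads; no "*" wildcard
    permission java.util.PropertyPermission "java.io.tmpdir", "read";
    permission java.util.PropertyPermission "user.timezone", "read";
};

// Weak variant, shown for contrast only: this hands every deployment the
// AllPermission the bug used to grant by accident and must not ship.
// grant codeBase "vfs:/content/-" {
//     permission java.security.AllPermission;
// };
```

Server modules are not listed because, per the release note, JBoss Modules still gives them 'AllPermission' by default; only deployments need explicit grants.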
Comment 1 JBoss JIRA Server 2014-02-20 23:02:58 UTC
David Lloyd <david.lloyd@redhat.com> updated the status of jira MODULES-184 to Resolved

Comment 2 JBoss JIRA Server 2014-02-27 11:52:59 UTC
David Lloyd <david.lloyd@redhat.com> updated the status of jira WFLY-3032 to Resolved

Comment 3 JBoss JIRA Server 2014-02-27 11:58:24 UTC
Ivo Studensky <istudens@redhat.com> updated the status of jira WFLY-3032 to Closed

Comment 4 Ivo Studensky 2014-02-27 13:57:58 UTC
Pull request filed:

https://github.com/jbossas/jboss-eap/pull/981

Comment 5 Ondrej Lukas 2014-03-11 08:56:01 UTC
Verification failed. Import of org.jboss.vfs is also needed in /modules/system/layers/base/org/jboss/as/standalone/main/module.xml and probably jboss-modules.jar will need an update. More information in connected bz https://bugzilla.redhat.com/show_bug.cgi?id=1065994

Comment 6 Josef Cacek 2014-03-26 10:20:13 UTC
PR with the missing fix was sent: https://github.com/jbossas/jboss-eap/pull/1131

The PR also contains a new testsuite module for testing with the security manager enabled.

Comment 7 Kabir Khan 2014-04-08 14:32:47 UTC
https://github.com/jbossas/jboss-eap/pull/1189

Comment 9 Russell Dickenson 2014-05-12 05:39:20 UTC
Fernando,

I have drafted a Release Notes entry for this BZ ticket. Please verify it.

