Bug 1172830 - [GSS] (6.4.0) Using java 6 with a datasource that is configured to use a security-domain and prefill fails on startup
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.3.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: EAP 6.4.0
Assignee: Darran Lofthouse
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks: 1172832 1204286
Reported: 2014-12-10 20:56 UTC by Derek Horton
Modified: 2019-08-19 12:40 UTC

Fixed In Version:
Clone Of:
: 1172832
Environment:
Last Closed: 2019-08-19 12:38:53 UTC
Type: Bug
Embargoed:


Attachments
Reproducer bz-1172830.war (6.22 KB, application/zip)
2015-03-20 16:50 UTC, Josef Cacek

Description Derek Horton 2014-12-10 20:56:54 UTC
Description of problem:

Using java 6 with a datasource that is configured to use a security-domain and prefill fails on startup.

Exception in thread "JCA PoolFiller" java.lang.ExceptionInInitializerError
    at javax.security.auth.Subject$2.run(Subject.java:533)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.createContext(Subject.java:526)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:246)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:842)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.fillToMin(SemaphoreArrayListManagedConnectionPool.java:783)
    at org.jboss.jca.core.connectionmanager.pool.mcp.PoolFiller.run(PoolFiller.java:97)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.SecurityException: unable to instantiate Subject-based policy
    at javax.security.auth.Policy.getPolicyNoCheck(Policy.java:224)
    at javax.security.auth.Policy.getPolicy(Policy.java:181)
    at javax.security.auth.SubjectDomainCombiner$5.run(SubjectDomainCombiner.java:481)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.SubjectDomainCombiner.compatPolicy(SubjectDomainCombiner.java:477)
    at javax.security.auth.SubjectDomainCombiner.<clinit>(SubjectDomainCombiner.java:47)

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1.  Configure a datasource to use a security-domain and prefill

    <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
        <driver>h2</driver>
        <pool>
            <min-pool-size>15</min-pool-size>
            <max-pool-size>150</max-pool-size>
            <prefill>true</prefill>
        </pool>
        <security>
            <security-domain>test-sec-domain</security-domain>
        </security>
    </datasource>

2.  Configure the security-domain

    <security-domain name="test-sec-domain" cache-type="default">
        <authentication>
            <login-module code="org.picketbox.datasource.security.CallerIdentityLoginModule" flag="required">
                <module-option name="principal" value="useFirstPass"/>
                <module-option name="username" value="useFirstPass"/>
                <module-option name="password" value="useFirstPass"/>
            </login-module>
        </authentication>
    </security-domain>


3.  Start JBoss


The issue can be resolved by adding <module name="sun.jdk"/> to the dependency list in modules/system/layers/base/org/jboss/ironjacamar/impl/main/module.xml.  However, this gets messy with patches.

It would be nice to modify the ironjacamar module.xml to include this dependency.
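
Added example, not part of the original report or of the EAP distribution: a small Python check for the workaround described above, reporting whether a module.xml lists sun.jdk among its dependencies. The sample descriptor is constructed for illustration (its namespace and the other dependency names are assumptions); pass the real module.xml paths on the command line to check an installation, for example after applying a patch.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, NOT the shipped file: a minimal descriptor without sun.jdk.
SAMPLE_MODULE_XML = """
<module xmlns="urn:jboss:module:1.1" name="org.jboss.ironjacamar.impl">
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.resource.api"/>
    </dependencies>
</module>
"""
# The same constructed sample with the workaround from the report applied.
PATCHED_MODULE_XML = SAMPLE_MODULE_XML.replace(
    "</dependencies>", '    <module name="sun.jdk"/>\n    </dependencies>')


def local(tag):
    """Drop the '{namespace}' prefix so any descriptor schema version matches."""
    return tag.rsplit("}", 1)[-1]


def module_dependencies(xml_text):
    """Return the names declared as <dependencies><module name="..."/>."""
    root = ET.fromstring(xml_text.strip())
    names = []
    for child in root:
        if local(child.tag) != "dependencies":
            continue
        for dep in child:
            if local(dep.tag) == "module" and dep.get("name"):
                names.append(dep.get("name"))
    return names


def missing_dependencies(xml_text, required=("sun.jdk",)):
    """Return the required module names that the descriptor does not declare."""
    present = set(module_dependencies(xml_text))
    return [name for name in required if name not in present]


if __name__ == "__main__":
    # With no arguments, run against the constructed sample above.
    sources = sys.argv[1:] or [None]
    for path in sources:
        text = open(path, encoding="utf-8").read() if path else SAMPLE_MODULE_XML
        missing = missing_dependencies(text)
        label = path or "<constructed sample>"
        print(f"{label}: {'missing ' + ', '.join(missing) if missing else 'ok'}")
```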

Comment 4 Josef Cacek 2015-03-20 16:43:21 UTC
Verification failed.

IBM JDK 6 still reports problems in this configuration. Other tested Java versions on my Linux box seem to be OK. I'll continue with testing on other platforms too. 

The stacktrace on IBM Java 6 says:

java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/ExampleDS
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:151)
        at org.jboss.test.DataSourceServlet.doGet(DataSourceServlet.java:54)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
        at java.lang.Thread.run(Thread.java:761)
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/ExampleDS
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:421)
        at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:368)
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:510)
        at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
        ... 16 more
Caused by: javax.resource.ResourceException: IJ000651: Unable to get managed connection pool
        at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getManagedConnectionPool(AbstractPool.java:197)
        at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:417)
        at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:354)
        ... 19 more
Caused by: java.lang.NullPointerException
        at javax.resource.spi.security.PasswordCredential.equals(PasswordCredential.java:105)
        at javax.security.auth.Subject$SecureSet.contains(Subject.java:1394)
        at java.util.AbstractCollection.containsAll(AbstractCollection.java:158)
        at java.util.AbstractSet.equals(AbstractSet.java:62)
        at java.util.Collections$SynchronizedSet.equals(Collections.java:834)
        at javax.security.auth.Subject.equals(Subject.java:1013)
        at org.jboss.jca.core.connectionmanager.pool.strategy.SecurityActions.equals(SecurityActions.java:73)
        at org.jboss.jca.core.connectionmanager.pool.strategy.SubjectKey.equals(SubjectKey.java:86)
        at java.util.concurrent.ConcurrentHashMap$Segment.get(ConcurrentHashMap.java:403)
        at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:834)
        at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getManagedConnectionPool(AbstractPool.java:172)
        ... 21 more

Comment 5 Josef Cacek 2015-03-20 16:50:45 UTC
Created attachment 1004563
Reproducer bz-1172830.war

Attaching reproducer. 

Steps:

0) download attached reproducer to /tmp/bz-1172830.war

1) start EAP (with the tested Java version)

2) configure the server and deploy reproducer using JBoss CLI:
/subsystem=security/security-domain=test-sec-domain:add(cache-type=default)
/subsystem=security/security-domain=test-sec-domain/authentication=classic:add
/subsystem=security/security-domain=test-sec-domain/authentication=classic/login-module=CallerIdentity:add(code=org.picketbox.datasource.security.CallerIdentityLoginModule, flag=required, module-options=[("principal"=>"principal"), ("username"=>"username"), ("password"=>"password")])
/subsystem=datasources/data-source=ExampleDS:disable
reload
/subsystem=datasources/data-source=ExampleDS:remove
/subsystem=datasources/data-source=ExampleDS:add(jndi-name="java:jboss/datasources/ExampleDS",use-java-context=true,connection-url="jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE",driver-name=h2,min-pool-size=15,max-pool-size=150,pool-prefill=true,security-domain=test-sec-domain)
/subsystem=datasources/data-source=ExampleDS:enable
deploy /tmp/bz-1172830.war

3) go to http://localhost:8080/bz-1172830/ and check the output

Comment 9 Josef Cacek 2015-04-02 11:46:21 UTC
Verified in 6.4.0.CR2.

The regression test was fixed.

