Description of problem:
Using java 6 with a datasource that is configured to use a security-domain and prefill fails on startup.

Exception in thread "JCA PoolFiller" java.lang.ExceptionInInitializerError
    at javax.security.auth.Subject$2.run(Subject.java:533)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.createContext(Subject.java:526)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:246)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:842)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.fillToMin(SemaphoreArrayListManagedConnectionPool.java:783)
    at org.jboss.jca.core.connectionmanager.pool.mcp.PoolFiller.run(PoolFiller.java:97)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.SecurityException: unable to instantiate Subject-based policy
    at javax.security.auth.Policy.getPolicyNoCheck(Policy.java:224)
    at javax.security.auth.Policy.getPolicy(Policy.java:181)
    at javax.security.auth.SubjectDomainCombiner$5.run(SubjectDomainCombiner.java:481)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.SubjectDomainCombiner.compatPolicy(SubjectDomainCombiner.java:477)
    at javax.security.auth.SubjectDomainCombiner.<clinit>(SubjectDomainCombiner.java:47)

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Configure a datasource to use a security-domain and prefill

<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
    <driver>h2</driver>
    <pool>
        <min-pool-size>15</min-pool-size>
        <max-pool-size>150</max-pool-size>
        <prefill>true</prefill>
    </pool>
    <security>
        <security-domain>test-sec-domain</security-domain>
    </security>
</datasource>

2. Configure the security-domain

<security-domain name="test-sec-domain" cache-type="default">
    <authentication>
        <login-module code="org.picketbox.datasource.security.CallerIdentityLoginModule" flag="required">
            <module-option name="principal" value="useFirstPass"/>
            <module-option name="username" value="useFirstPass"/>
            <module-option name="password" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>

3. Start JBoss

The issue can be resolved by adding <module name="sun.jdk"/> to the dependency list in modules/system/layers/base/org/jboss/ironjacamar/impl/main/module.xml. However, this gets messy with patches. It would be nice to modify the ironjacamar module.xml to include this dependency.
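Because a hand-edited module.xml can be replaced when a patch is applied, one way to confirm the workaround above is still in place is to re-check every copy of the ironjacamar descriptor after patching. The script below is an added example, not part of the original report or of JBoss; the two sample descriptors are constructed, and searching the whole modules root for additional copies is an assumption that goes beyond the single path named in the report.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Descriptor location relative to a module root, as given in the report.
REL = Path("org/jboss/ironjacamar/impl/main/module.xml").parts
REQUIRED = "sun.jdk"

# Constructed sample descriptors (not the real ironjacamar module.xml).
SAMPLE_BEFORE = """<module xmlns="urn:jboss:module:1.1" name="org.jboss.ironjacamar.impl">
  <dependencies>
    <module name="javax.api"/>
    <module name="org.jboss.logging"/>
  </dependencies>
</module>"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "</dependencies>", '  <module name="sun.jdk"/>\n  </dependencies>')

def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def declared_dependencies(xml_text):
    """Return the module names listed under <dependencies>."""
    names = []
    for child in ET.fromstring(xml_text):
        if local(child.tag) != "dependencies":
            continue
        for dep in child:
            if local(dep.tag) == "module" and dep.get("name"):
                names.append(dep.get("name"))
    return names

def missing_workaround(modules_root):
    """List every ironjacamar module.xml under modules_root lacking sun.jdk."""
    bad = []
    for path in sorted(Path(modules_root).rglob("module.xml")):
        if path.parts[-len(REL):] != REL:
            continue  # some other module's descriptor
        deps = declared_dependencies(path.read_text(encoding="utf-8"))
        if REQUIRED not in deps:
            bad.append(path)
    return bad

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_sun_jdk.py <modules-root>")
    bad = missing_workaround(sys.argv[1])
    for p in bad:
        print("missing", REQUIRED, "dependency:", p)
    sys.exit(1 if bad else 0)
```

A non-zero exit status means at least one copy of the descriptor no longer carries the dependency, so the prefill failure would return on the next start under Java 6.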
Please find the following business impact from the customer; this is an urgent issue. Thanks.

Here is the reason for the urgency in getting this issue resolved. Our Government customer was notified by that the version of RedHat EAP we are using has several CAT1 (Category I security vulnerabilities), and given this severity we need to mitigate these vulnerabilities very quickly (in fact we are already past our Mitigation date for fixing these security vulnerabilities, which was the first week in December 2014). The Government STIG references the following security vulnerabilities reported to our customer from RedHat.

https://rhn.redhat.com/errata/RHSA-2014-1021.html
https://rhn.redhat.com/errata/RHSA-2014-1019.html
https://rhn.redhat.com/errata/RHSA-2014-1020.html
Did not make it into 6.3.3.