Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1172832

Summary: [GSS] (6.3.x) Using java 6 with a datasource that is configured to use a security-domain and prefill fails on startup
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: Security
Assignee: Darran Lofthouse <darran.lofthouse>
Status: CLOSED WONTFIX
QA Contact: Josef Cacek <jcacek>
Severity: unspecified
Priority: unspecified
Version: 6.3.2
CC: anmiller, bdawidow, cdewolf, jpederse, msimka, pskopek, yoqi
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of: 1172830
Last Closed: 2015-03-20 08:35:16 UTC
Type: Bug
Bug Depends On: 1172830
Bug Blocks: 1151405

Description Derek Horton 2014-12-10 20:58:15 UTC
Description of problem:

Using java 6 with a datasource that is configured to use a security-domain and prefill fails on startup.

Exception in thread "JCA PoolFiller" java.lang.ExceptionInInitializerError
    at javax.security.auth.Subject$2.run(Subject.java:533)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.createContext(Subject.java:526)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:246)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:842)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.fillToMin(SemaphoreArrayListManagedConnectionPool.java:783)
    at org.jboss.jca.core.connectionmanager.pool.mcp.PoolFiller.run(PoolFiller.java:97)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.lang.SecurityException: unable to instantiate Subject-based policy
    at javax.security.auth.Policy.getPolicyNoCheck(Policy.java:224)
    at javax.security.auth.Policy.getPolicy(Policy.java:181)
    at javax.security.auth.SubjectDomainCombiner$5.run(SubjectDomainCombiner.java:481)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.SubjectDomainCombiner.compatPolicy(SubjectDomainCombiner.java:477)
    at javax.security.auth.SubjectDomainCombiner.<clinit>(SubjectDomainCombiner.java:47)

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1.  Configure a datasource to use a security-domain and prefill

    <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
        <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
        <driver>h2</driver>
        <pool>
            <min-pool-size>15</min-pool-size>
            <max-pool-size>150</max-pool-size>
            <prefill>true</prefill>
        </pool>
        <security>
            <security-domain>test-sec-domain</security-domain>
        </security>
    </datasource>

2.  Configure the security-domain

    <security-domain name="test-sec-domain" cache-type="default">
        <authentication>
            <login-module code="org.picketbox.datasource.security.CallerIdentityLoginModule" flag="required">
                <module-option name="principal" value="useFirstPass"/>
                <module-option name="username" value="useFirstPass"/>
                <module-option name="password" value="useFirstPass"/>
            </login-module>
        </authentication>
    </security-domain>


3.  Start JBoss


The issue can be resolved by adding <module name="sun.jdk"/> to the dependency list in modules/system/layers/base/org/jboss/ironjacamar/impl/main/module.xml.  However, this gets messy with patches.

It would be nice to modify the ironjacamar module.xml to include this dependency.
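
A check for the workaround described above, added here as an illustration and not part of the original report or of JBoss EAP: it walks a modules directory, finds every copy of the IronJacamar descriptor, and reports whether each one declares the sun.jdk dependency. It assumes that a patch may lay down a fresh copy of the file somewhere under the same root; the sample descriptors and the hypothetical-copy directory are constructed for the demo.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Descriptor path relative to a modules layer, as named in the report.
DESCRIPTOR = Path("org/jboss/ironjacamar/impl/main/module.xml")
REQUIRED = "sun.jdk"

# Constructed sample descriptors (not copied from a real EAP installation).
WITHOUT = """<module xmlns="urn:jboss:module:1.1" name="org.jboss.ironjacamar.impl">
  <dependencies>
    <module name="javax.api"/>
    <module name="org.picketbox"/>
  </dependencies>
</module>"""
WITH = WITHOUT.replace("</dependencies>", '  <module name="sun.jdk"/>\n  </dependencies>')

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def declared_dependencies(xml_text):
    """Return the module names listed directly under <dependencies>."""
    root = ET.fromstring(xml_text)
    return [m.get("name") for deps in root.iter() if local(deps.tag) == "dependencies"
            for m in deps if local(m.tag) == "module" and m.get("name")]

def audit(modules_root):
    """Map each copy of the descriptor under modules_root to True if it lists sun.jdk."""
    results = {}
    for path in sorted(Path(modules_root).rglob("module.xml")):
        if path.parts[-len(DESCRIPTOR.parts):] == DESCRIPTOR.parts:
            deps = declared_dependencies(path.read_text(encoding="utf-8"))
            results[path.relative_to(modules_root).as_posix()] = REQUIRED in deps
    return results

def demo():
    """Build a throwaway tree with an unedited and a hand-edited copy, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for layer, text in (("system/layers/base", WITHOUT), ("hypothetical-copy", WITH)):
            target = Path(tmp) / layer / DESCRIPTOR
            target.parent.mkdir(parents=True)
            target.write_text(text, encoding="utf-8")
        return audit(tmp)

if __name__ == "__main__":
    for path, ok in demo().items():
        print(("OK      " if ok else "MISSING ") + path)
```

Running audit() against the real modules directory after each patch shows whether the manual edit is still in place on the copy the server loads.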

Comment 1 Qi Yong 2014-12-22 07:26:34 UTC
Please find the following business impact from the customer; this is an urgent issue. Thanks.

Here is the reason for the urgency in getting this issue resolved. Our Government customer was notified by that the version of Red Hat EAP we are using has several CAT1 (Category I security vulnerabilities), and given this severity we need to mitigate these vulnerabilities very quickly (in fact we are already past our Mitigation date for fixing these security vulnerabilities, which was the first week in December 2014). The Government STIG references the following security vulnerabilities reported to our customer from Red Hat.

https://rhn.redhat.com/errata/RHSA-2014-1021.html
https://rhn.redhat.com/errata/RHSA-2014-1019.html
https://rhn.redhat.com/errata/RHSA-2014-1020.html

Comment 2 Carlo de Wolf 2015-03-20 08:35:16 UTC
Did not make it into 6.3.3.