Bug 1261018 - java.lang.SecurityException when logging out of business central when running with Java Security Manager enabled [NEEDINFO]

Status: NEW
Product: JBoss BPMS Platform 6
Classification: JBoss
Component: Business Central
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Assigned To: Alexandre Porcelli
QA Contact: Lukáš Petrovický
Reported: 2015-09-08 08:36 EDT by Martin Weiler
Modified: 2016-03-08 17:49 EST
Doc Type: Bug Fix
Type: Bug
Flags: alazarot: needinfo? (porcelli)

Attachments: None
Description (Martin Weiler, 2015-09-08 08:36:57 EDT)
Description of problem:
When running BPMS/BRMS with the Java Security Manager enabled, the following ERROR is thrown upon logging out of business-central:

ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/business-central].[jsp]] (http-localhost/127.0.0.1:8080-6) JBWEB000236: Servlet.service() for servlet jsp threw exception: java.lang.SecurityException: attempting to add an object which is not an instance of java.security.Principal to a Subject's Principal Set
	at javax.security.auth.Subject$SecureSet.add(Subject.java:1086) [rt.jar:1.7.0_45]
	at java.util.Collections$SynchronizedCollection.add(Collections.java:1636) [rt.jar:1.7.0_45]
	at org.apache.catalina.connector.Request.setUserPrincipal(Request.java:2059) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.catalina.authenticator.AuthenticatorBase.unregister(AuthenticatorBase.java:730) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.catalina.authenticator.AuthenticatorBase.logout(AuthenticatorBase.java:356) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.catalina.connector.Request.logout(Request.java:3265) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.catalina.connector.RequestFacade.logout(RequestFacade.java:1019) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1]
	at org.apache.jsp.logout_jsp._jspService(logout_jsp.java:68)


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install BPMS/BRMS 6.1.0 with the installer, enable the Security Manager
2. Start the server, log into business-central
3. Log out of business-central

Actual results:
ERROR when logging out

Expected results:
No errors upon logging out

Additional info:
Further debugging shows that there are redundant calls to request.logout() - one that is defined in business-central/logout.jsp, and another one in uberfire code:
https://github.com/uberfire/uberfire-extensions/blob/0.5.3.Final/uberfire-security/uberfire-servlet-security/src/main/java/org/uberfire/ext/security/server/ServletSecurityAuthenticationService.java#L82

This can be traced with byteman. Before logging out, attach byteman with the following script:
# =======================================================================
# Trace every call to Request.setUserPrincipal (including subclasses, hence
# the ^ prefix) and print the caller's stack so both logout paths are visible.
RULE Request.setUserPrincipal
CLASS ^org.apache.catalina.connector.Request
METHOD setUserPrincipal(Principal)
AT ENTRY
BIND cl:Object = $0
IF TRUE
	DO System.out.println("[BYTEMAN==>] " + cl.getClass().getName() + " ==> " + Thread.currentThread().getName() + " setUserPrincipal(" + $1 + ") called "); traceStack();
ENDRULE
# =======================================================================

This will show the 2 logout calls:

1. From uberfire:

14:28:14,870 INFO  [stdout] (http-localhost/127.0.0.1:8080-4) [BYTEMAN==>] org.apache.catalina.connector.Request ==> http-localhost/127.0.0.1:8080-4 setUserPrincipal(null) called 
14:28:14,874 INFO  [stdout] (http-localhost/127.0.0.1:8080-4) Stack trace for thread http-localhost/127.0.0.1:8080-4
14:28:14,875 INFO  [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.connector.Request.setUserPrincipal(Request.java:-1)
14:28:14,875 INFO  [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.authenticator.AuthenticatorBase.unregister(AuthenticatorBase.java:730)
14:28:14,875 INFO  [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.authenticator.AuthenticatorBase.logout(AuthenticatorBase.java:356)
14:28:14,876 INFO  [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.connector.Request.logout(Request.java:3265)
14:28:14,876 INFO  [stdout] (http-localhost/127.0.0.1:8080-4) org.apache.catalina.connector.RequestFacade.logout(RequestFacade.java:1019)
14:28:14,877 INFO  [stdout] (http-localhost/127.0.0.1:8080-4) org.uberfire.ext.security.server.ServletSecurityAuthenticationService.logout(ServletSecurityAuthenticationService.java:82)

2. From logout.jsp:
14:28:16,270 INFO  [stdout] (http-localhost/127.0.0.1:8080-6) [BYTEMAN==>] org.apache.catalina.connector.Request ==> http-localhost/127.0.0.1:8080-6 setUserPrincipal(null) called 
14:28:16,274 INFO  [stdout] (http-localhost/127.0.0.1:8080-6) Stack trace for thread http-localhost/127.0.0.1:8080-6
14:28:16,275 INFO  [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.connector.Request.setUserPrincipal(Request.java:-1)
14:28:16,276 INFO  [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.authenticator.AuthenticatorBase.unregister(AuthenticatorBase.java:730)
14:28:16,276 INFO  [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.authenticator.AuthenticatorBase.logout(AuthenticatorBase.java:356)
14:28:16,277 INFO  [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.connector.Request.logout(Request.java:3265)
14:28:16,277 INFO  [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.catalina.connector.RequestFacade.logout(RequestFacade.java:1019)
14:28:16,277 INFO  [stdout] (http-localhost/127.0.0.1:8080-6) org.apache.jsp.logout_jsp._jspService(logout_jsp.java:68)


Without the security manager enabled, the Request.setUserPrincipal invocation is (almost) a no-op; therefore the issue only shows up with JSM enabled.
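The report above traces the failure to two components calling request.logout() in the same flow; the second call passes a null principal to the container while the security manager is enabled. Below is an added example of the defensive pattern a call site can use until one of the redundant calls is removed. It is not code from business-central, UberFire or JBoss Web; the class and method names are hypothetical, and it assumes only the standard javax.servlet API, where request.getUserPrincipal() returns null once the container has already logged the caller out.

```java
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper (not project code): makes request.logout() safe to
 * call more than once per request. When an earlier component in the same
 * logout flow has already cleared the principal, the redundant call is
 * skipped instead of pushing a null principal into the container's Subject,
 * which is what raises java.lang.SecurityException under the
 * Java Security Manager.
 */
public final class IdempotentLogout {

    private IdempotentLogout() {
    }

    /**
     * Logs the caller out only if the container still associates a
     * principal with this request.
     *
     * @return true if request.logout() was invoked, false if the request
     *         was already anonymous and the call was skipped
     */
    public static boolean logoutIfAuthenticated(HttpServletRequest request)
            throws ServletException {
        Principal current = request.getUserPrincipal();
        if (current == null) {
            // Already logged out (e.g. by a service that ran before the JSP);
            // a second logout() would only re-run setUserPrincipal(null).
            return false;
        }
        request.logout();
        return true;
    }
}
```

A logout JSP would call `IdempotentLogout.logoutIfAuthenticated(request)` in place of a bare `request.logout()`. This only suppresses the symptom at one call site; the underlying fix is for exactly one component (the JSP or the authentication service) to own the logout call.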
