SecurityManager

pzoli
Posts: 100
Joined: 27 Feb 2012, 20:52
Location: Hungary

23 Mar 2017, 13:56

I am trying to use the SecurityManager in WildFly. I signed a debuggable primefaces.jar to avoid the "no signer certificates" message.
Please help me find out why I get this exception:


java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "getClassLoader")" in code source "(vfs:/opt/server/wildfly-10.1.0.Final/standalone/deployments/VPSCalc.war/WEB-INF/lib/primefaces-6.0.jar [ [ Version: V3 Subject: CN=Zoltan Papp, OU=development, O=PAZO Info-Kristaly BT., L=Budapest, ST=Hungary, C=EU Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3 Key: Sun DSA Public Key Parameters:DSA p: fd7f5381 1d751229 52df4a9c 2eece4e7 f611b752 3cef4400 c31e3f80 b6512669 455d4022 51fb593d 8d58fabf c5f5ba30 f6cb9b55 6cd7813b 801d346f f26660b7 6b9950a5 a49f9fe8 047b1022 c24fbba9 d7feb7c6 1bf83b57 e7c6a8a6 150f04fb 83f6d3c5 1ec30235 54135a16 9132f675 f3ae2b61 d72aeff2 2203199d d14801c7 q: 9760508f 15230bcc b292b982 a2eb840b f0581cf5 g: f7e1a085 d69b3dde cbbcab5c 36b857b9 7994afbb fa3aea82 f9574c0b 3d078267 5159578e bad4594f e6710710 8180b449 167123e8 4c281613 b7cf0932 8cc8a6e1 3c167a8b 547c8d28 e0a3ae1e 2bb3a675 916ea37f 0bfa2135 62f1fb62 7a01243b cca4f1be a8519089 a883dfe1 5ae59f06 928b665e 807b5525 64014c3b fecf492a y: 33689c9d 7f2c8462 4fcc27e9 7534ff65 acd48e76 c307c313 7f0dd0bf 109d0b91 d79b7043 ed9bcbaa d4f232d9 191189cb 630f6365 f393ac9b 48e21c4c 78689f9c 30e85bf5 63dfbc3c ece93f6f c6249de3 9c061ec1 3fc2a2aa 9826f103 f03bd1b9 e9cd7270 21f68c66 ab5a74a2 805a4f74 68102fc0 80580e50 f9f38281 0ec72dd5 Validity: [From: Thu Mar 23 12:08:53 CET 2017, To: Wed Jun 21 13:08:53 CEST 2017] Issuer: CN=Zoltan Papp, OU=development, O=PAZO Info-Kristaly BT., L=Budapest, ST=Hungary, C=EU SerialNumber: [ 299a3bb4] Certificate Extensions: 1 [1]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 51 EE 77 9E 1E 3A 5E 8E EB F3 FB 34 4E 77 57 53 Q.w..:^....4NwWS 0010: 60 8D 19 30 `..0 ] ] ] Algorithm: [SHA1withDSA] Signature: 0000: 30 2C 02 14 61 5D 97 FE C0 AB 0B 7E C5 B2 87 A8 0,..a].......... 
0010: 2A 29 1F EE 52 23 4E A2 02 14 79 C1 B7 BB 90 41 *)..R#N...y....A 0020: 8C ED 3A DF F6 D7 E7 A9 62 F6 AF 0A A1 2A ..:.....b....* ])" of "null")
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1528)
java.lang.Thread.getContextClassLoader(Thread.java:1440)
javax.faces.context.FacesContext.<init>(FacesContext.java:101)
com.sun.faces.context.FacesContextImpl.<init>(FacesContextImpl.java:122)
com.sun.faces.context.FacesContextFactoryImpl.getFacesContext(FacesContextFactoryImpl.java:98)
org.primefaces.context.PrimeFacesContextFactory.getFacesContext(PrimeFacesContextFactory.java:28)
com.sun.faces.context.InjectionFacesContextFactory.getFacesContext(InjectionFacesContextFactory.java:123)
javax.faces.webapp.FacesServlet.service(FacesServlet.java:648)
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:110)
java.security.AccessController.doPrivileged(Native Method)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:107)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)
My java.policy content:



// Keystore against which the signedBy aliases in this file are resolved; the
// only alias used in this file is "Zoltan". Whoever can write to this keystore
// can place a certificate under that alias and so obtain the AllPermission
// grant for signed deployments, so keep it read-only for the server account.

keystore "file:/opt/keystores/keystore.jks";

// Standard extensions get all permissions by default.
// The trailing "/*" matches the JAR and class files directly inside the
// directory; it does not recurse into subdirectories.
grant codeBase "file:${java.ext.dirs}/*" {
        permission java.security.AllPermission;
};

// default permissions granted to all domains
// (no codeBase and no signedBy: every entry in this block applies to all code
// this policy is consulted for)

grant {
        // Allows any thread to stop itself using the java.lang.Thread.stop()
        // method that takes no argument.
        // Note that this permission is granted by default only to remain
        // backwards compatible.
        // It is strongly recommended that you either remove this permission
        // from this policy file or further restrict it to code sources
        // that you specify, because Thread.stop() is potentially unsafe.
        // See the API specification of java.lang.Thread.stop() for more
        // information.
        permission java.lang.RuntimePermission "stopThread";

        // allows anyone to listen on dynamic ports
        permission java.net.SocketPermission "localhost:0", "listen";

        // "standard" properties that can be read by anyone

        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";

        permission java.util.PropertyPermission "java.specification.version", "read";
        permission java.util.PropertyPermission "java.specification.vendor", "read";
        permission java.util.PropertyPermission "java.specification.name", "read";

        permission java.util.PropertyPermission "java.vm.specification.version", "read";
        permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
        permission java.util.PropertyPermission "java.vm.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
        permission java.util.PropertyPermission "java.vm.vendor", "read";
        permission java.util.PropertyPermission "java.vm.name", "read";
};

/// Wildfly 8.0.0 security
// (The heading says 8.0.0; the stack trace on this page comes from
// wildfly-10.1.0.Final.)
//
// NOTE(review): this grant has no codeBase and no signedBy, so every
// permission below applies to all code this policy is consulted for,
// deployed applications included. Several of them are each enough to make
// the security manager ineffective as a boundary:
//   - createClassLoader: the code can define classes in a protection domain
//     of its own choosing.
//   - setPolicy: the code can install a policy that grants itself anything.
//   - suppressAccessChecks together with accessDeclaredMembers: reflective
//     access to private fields and methods of other classes.
//   - PropertyPermission "*" "read,write": any system property can be changed.
// If the server bootstrap needs these, attach them to a grant that names the
// bootstrap JAR as codeBase instead of granting them to everyone.

grant {
   permission java.util.PropertyPermission "module.path","write";
   permission java.lang.RuntimePermission "accessDeclaredMembers";
   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
   permission java.lang.RuntimePermission "canCreateModuleLoader";
   permission java.lang.RuntimePermission "getenv.JAVA_MODULEPATH";
   permission java.lang.RuntimePermission "setContextClassLoader";
   permission java.lang.RuntimePermission "getBootModuleLoader";
   permission java.lang.RuntimePermission "getProtectionDomain";
   permission java.lang.RuntimePermission "createClassLoader";
   // getClassLoader is granted to all code here, yet the reported
   // AccessControlException still denies it to primefaces-6.0.jar. That
   // suggests this file is not what decides permissions for the deployment.
   // NOTE(review): in WildFly, deployment permissions normally come from the
   // security-manager subsystem and from META-INF/permissions.xml or
   // jboss-permissions.xml in the deployment; confirm for this server version.
   permission java.lang.RuntimePermission "getClassLoader";
   permission java.util.PropertyPermission "*","read,write";
   permission java.security.SecurityPermission "getPolicy";
   permission java.security.SecurityPermission "setPolicy";
   permission java.io.FilePermission "${jboss.home.dir}/modules/-","read";
   // FilePermission takes a file-system path, not a URL. With the "file:"
   // prefix this entry does not cover /usr/lib/jvm; the path form would be
   // "/usr/lib/jvm/-".
   permission java.io.FilePermission "file:/usr/lib/jvm/-","read";
};

// Trusted core Java code
// codeBase suffixes: "/-" matches files in the directory and, recursively, in
// all of its subdirectories; "/*" matches only the JAR and class files
// directly in the directory.
grant codeBase "file:${java.home}/lib/ext/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/*" {
   permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/../lib/*" {
   permission java.security.AllPermission;
};

// Trusted core Jboss code
grant codeBase "file:${jboss.home.dir}/bin/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/lib/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/standalone/lib/-" {
   permission java.security.AllPermission;
};
// NOTE(review): two reasons this entry may not do what is intended.
// 1. The code source named in the reported exception is a vfs: URL
//    (vfs:/opt/server/wildfly-10.1.0.Final/standalone/deployments/...), and a
//    file: codeBase does not match a URL with a different scheme, so the
//    entry would not apply to the deployed JAR as the server sees it.
// 2. It gives AllPermission to any JAR under deployments/ that carries the
//    "Zoltan" signature. A signature identifies the signer; it says nothing
//    about what the code does, so a third-party library re-signed with a
//    developer key is no more trustworthy than before. The certificate in
//    the exception is self-signed and uses SHA1withDSA; prefer a current
//    signature algorithm and grant only the permissions the library needs.
grant signedBy "Zoltan" codeBase "file:${jboss.home.dir}/standalone/deployments/-" {
   permission java.security.AllPermission;
};
// NOTE(review): AllPermission with no signer requirement for everything under
// standalone/data. Presumably the server writes to this directory at runtime;
// confirm that nothing untrusted can place code there.
grant codeBase "file:${jboss.home.dir}/standalone/data/-" {
   permission java.security.AllPermission;
};

// Minimal permissions are allowed to everyone else
// NOTE(review): with no codeBase this applies to all code, and the set is
// broader than "minimal": outbound connections to any host
// (SocketPermission "*"), access to every package restricted through the
// package.access security property (accessClassInPackage.*), and creation of
// any login context (createLoginContext.*). Narrow each wildcard to the hosts,
// packages and login-context names that are actually used.
// PropertyPermission "*" "read" is already implied by the "read,write" entry
// in the "Wildfly 8.0.0 security" block of this file.
grant {
   permission java.util.PropertyPermission "*", "read";
   permission java.lang.RuntimePermission "queuePrintJob";
   permission java.net.SocketPermission "*", "connect";
   permission java.lang.RuntimePermission "accessClassInPackage.*";
   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
   permission javax.management.MBeanServerPermission "findMBeanServer";
   permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
   permission javax.security.auth.AuthPermission "createLoginContext.*";
};

// Denial message kept for reference (presumably from before the JAR was signed):
// Permission getClassLoader in code source "(vfs:/opt/server/wildfly-10.1.0.Final/standalone/deployments/VPSCalc.war/WEB-INF/lib/primefaces-6.0.jar <no signer certificates>)" of "null"

// Primefaces
// NOTE(review): despite the heading, this grant has no codeBase, so it applies
// to all code rather than to PrimeFaces only, and it repeats a permission that
// the "Wildfly 8.0.0 security" block of this file already grants to everyone.
// The exception is still raised with both entries present, so further grants
// in this file are unlikely to change the outcome; check where the server
// reads deployment permissions from (TODO confirm: the WildFly
// security-manager subsystem and the deployment's permissions.xml).
grant {
   permission java.lang.RuntimePermission "getClassLoader";
};
JBoss Developer Studio 11.3.0.GA
Eclipse Oxygen
Wildfly 11
PrimeFaces 6.2.3, PrimaFaces Extensions 6.2.3
Mojarra 2.2.11-jbossorg-1, MyFaces 2.2.8, Deltaspike 1.7.1
MySQL, Oracle, MS-SQL, PostgreSQL, NoSQL

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

30 Mar 2017, 23:31

I would ask this in the Wildfly forums... better chance of success I think
