3 Replies Latest reply on Sep 26, 2008 3:34 PM by osganian

    Problem turning on security manager with JBoss 4.0.4

    osganian
    osganian Sep 25, 2008 8:33 PM

      I'm running jboss with the following system props turned on:

      -Djboss.home.dir=%JBOSS_HOME% -Djboss.server.home.dir=%JBOSS_HOME%/server/default -Djava.security.manager -Djava.security.policy=%JBOSS_HOME%/server/default/conf/security/server.policy


      My server.policy file looks like: 

      /** Java 2 Access Control Policy for the Application **/

// The Java2 security policy for the securitymgr tests
// Install with -Djava.security.policy==server.policy
// and -Djboss.home.dir=path_to_jboss_distribution
// and -Djboss.server.home.dir=path_to_jboss_server_home

// Trusted core Java code
grant codeBase "file:${java.home}/lib/ext/-" {
 permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/lib/*" {
 permission java.security.AllPermission;
};

// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/../lib/*" {
 permission java.security.AllPermission;
};

// Trusted core JBoss code
grant codeBase "file:${jboss.home.dir}/bin/-" {
 permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/lib/-" {
 permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/lib/-" {
 permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
 permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/work/-" {
 permission java.security.AllPermission;
};

// Minimal permissions are allowed to everyone to run the system.
grant {
 // Permissions I had to add for everything to work.
 permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
 permission java.io.SerializablePermission "enableSubstitution";
 permission java.io.SerializablePermission "enableSubclassImplementation";
 permission java.lang.RuntimePermission "accessClassInPackage.*";
 permission java.lang.RuntimePermission "defineClassInPackage.*";
 permission java.lang.RuntimePermission "accessDeclaredMembers";
 permission java.lang.RuntimePermission "createClassLoader";
 permission java.lang.RuntimePermission "getClassLoader";
 permission java.lang.RuntimePermission "getProtectionDomain";
 permission java.lang.RuntimePermission "getStackTrace";
 permission java.lang.RuntimePermission "preferences";
 permission java.lang.RuntimePermission "queuePrintJob";
 permission java.lang.RuntimePermission "reflectionFactoryAccess";
 permission java.lang.RuntimePermission "readFileDescriptor";
 permission java.lang.RuntimePermission "writeFileDescriptor";
 permission java.lang.RuntimePermission "setContextClassLoader";
 permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 permission java.net.SocketPermission "*", "connect";
 permission java.security.SecurityPermission "getPolicy";
 permission java.util.PropertyPermission "*", "read,write";
 permission java.util.logging.LoggingPermission "control", "";

 permission javax.security.auth.AuthPermission "createLoginContext.*";
 permission javax.security.auth.AuthPermission "doAs";
 permission javax.security.auth.AuthPermission "doAsPrivileged";
 permission javax.security.auth.AuthPermission "getSubject";
 permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner";
 permission javax.security.auth.AuthPermission "getLoginConfiguration";
 permission javax.security.auth.AuthPermission "getPolicy";

 // JBoss permissions
 permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.*";
 permission javax.management.MBeanServerPermission "findMBeanServer";
 permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
};

// Special permissions based on principal.
grant principal org.jboss.security.SimplePrincipal "test" {
 permission javax.security.auth.AuthPermission "testPerm";
};

grant principal org.jboss.security.SimpleGroup "Roles" {
 permission javax.security.auth.AuthPermission "rolePerm";
};


      JBoss starts up fine and everything seems to work until I try and see if I have the "testPerm" permission. I login as user test and I have a simple JSP page that does: 

      <%
boolean ok = false;

javax.security.auth.Subject subject =
 (javax.security.auth.Subject) session.getAttribute("subject");
if (subject != null) {
 try {
 System.err.println("*** 1");
 final javax.security.auth.AuthPermission perm =
 new javax.security.auth.AuthPermission("testPerm");
 System.err.println("*** 2");

 try {
 java.security.PrivilegedExceptionAction action =
 new java.security.PrivilegedExceptionAction() {
 public Object run() {
 System.err.println("*** A");
 try {
 java.security.AccessController.checkPermission(perm);
 System.err.println("*** A2");

 return Boolean.TRUE;
 } catch (Throwable ex) {
 // User doesn't have the required permission.
 System.err.println("*** B");
 ex.printStackTrace();
 }

 return Boolean.FALSE;
 }
 };

 System.err.println("*** SUB: " + subject);
 ok = ((Boolean)javax.security.auth.Subject.doAsPrivileged(subject, action, null)).booleanValue();
 System.err.println("*** OK: " + ok);
 } catch (java.security.PrivilegedActionException e) {
 // User doesn't have the required permission.
 System.err.println("*** C");
 e.printStackTrace();
 }
 } catch (Throwable t) {
 System.err.println("*** WOW");
 t.printStackTrace();
 }
}
%>

<html>
<body>
yo <%=ok%>
</body>
</html>


      Printing out the principals in the subject returns: 

      *** Principals
*** Name: test
*** Class: org.jboss.security.SimplePrincipal
*** Name: Roles
*** Class: org.jboss.security.SimpleGroup


      But I get this exception: 

       java.lang.LinkageError: org/jboss/security/SimplePrincipal
 at java.lang.Class.forName0(Native Method)
 at java.lang.Class.forName(Class.java:242)
 at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1403)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1307)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1270)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1211)
 at sun.security.provider.PolicyFile.implies(PolicyFile.java:1166)
 at java.security.ProtectionDomain.implies(ProtectionDomain.java:195)
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:249)
 at java.security.AccessController.checkPermission(AccessController.java:427)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
 at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
 at java.io.File.exists(File.java:700)
 at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:827)
...


      Does anybody have any idea what I am doing wrong?

      Thanks for any help,
      Mike

      • 2888 Views
      • Tags:
        • 1. Re: Problem turning on security manager with JBoss 4.0.4
          osganian
          osganian Sep 26, 2008 11:26 AM (in response to osganian)

          The class org.jboss.security.SimplePrincipal exists in the following JARs under my jboss home:

          client/jbossall-client.jar
          client/jbosssx-client.jar
          server/default/lib/jbosssx.jar

          Now, when I run only the server/default/lib/jbosssx.jar is being used. I even renamed the client directory to clientzzz and when jboss starts up i can rename the directory, etc so I know those 2 jars shouldn't be in the game when JBoss is up and running. But I still get a linkage error when I have:

          grant principal org.jboss.security.SimplePrincipal "test" {
 permission javax.security.auth.AuthPermission "testPerm";
};


          In my policy file. Has anybody run across this? Or know exactly how you are supposed to assign permissions to specific users/groups?

          Thanks for any help

            • Actions
          • 2. Re: Problem turning on security manager with JBoss 4.0.4
            osganian
            osganian Sep 26, 2008 1:13 PM (in response to osganian)

            Trying it under JDK 1.6.0_05 I get:

            java.lang.ClassCircularityError: org/jboss/security/SimplePrincipal
 at java.lang.Class.forName0(Native Method)
 at java.lang.Class.forName(Class.java:247)
 at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1381)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1268)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1231)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1167)
 at sun.security.provider.PolicyFile.implies(PolicyFile.java:1122)
 at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
 at java.security.AccessController.checkPermission(AccessController.java:546)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
 at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
 at java.io.File.exists(File.java:731)
 at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:827)
 at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:210)
 at org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:293)
 at org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:1884)
 at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1749)
 at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:866)
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1319)
 at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1198)
 at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
 at java.lang.Class.forName0(Native Method)
 at java.lang.Class.forName(Class.java:247)
 at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1381)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1268)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1231)
 at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1167)
 at sun.security.provider.PolicyFile.implies(PolicyFile.java:1122)
 at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
 at java.security.AccessController.checkPermission(AccessController.java:546)
 at com.illuminatics.util.SecurityUtils$1.run(SecurityUtils.java:34)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
 at com.illuminatics.util.SecurityUtils.hasPermission(SecurityUtils.java:49)
 at org.apache.jsp.test3_jsp._jspService(test3_jsp.java:72)


            Somebody out there must have used org.jboss.security.SimplePrincipal class to grant specific permissions to a user, right?

              • Actions
            • 3. Re: Problem turning on security manager with JBoss 4.0.4
              osganian
              osganian Sep 26, 2008 3:34 PM (in response to osganian)

              If anybody cares or even visits this forum, the problem was in the default jboss-service.xml that is bundled in the tomcat sar directory. You need to change the Java2ClassLoadingCompliance attribute to true:

               <attribute name="Java2ClassLoadingCompliance">true</attribute>




                • Actions