Problem turning on security manager with JBoss 4.0.4
osganian Sep 25, 2008 8:33 PMI'm running jboss with the following system props turned on:
-Djboss.home.dir=%JBOSS_HOME% -Djboss.server.home.dir=%JBOSS_HOME%/server/default -Djava.security.manager -Djava.security.policy=%JBOSS_HOME%/server/default/conf/security/server.policy
My server.policy file looks like:
/** Java 2 Access Control Policy for the Application **/ // The Java2 security policy for the securitymgr tests // Install with -Djava.security.policy==server.policy // and -Djboss.home.dir=path_to_jboss_distribution // and -Djboss.server.home.dir=path_to_jboss_server_home // Trusted core Java code grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; }; grant codeBase "file:${java.home}/lib/*" { permission java.security.AllPermission; }; // For java.home pointing to the JDK jre directory grant codeBase "file:${java.home}/../lib/*" { permission java.security.AllPermission; }; // Trusted core JBoss code grant codeBase "file:${jboss.home.dir}/bin/-" { permission java.security.AllPermission; }; grant codeBase "file:${jboss.home.dir}/lib/-" { permission java.security.AllPermission; }; grant codeBase "file:${jboss.server.home.dir}/lib/-" { permission java.security.AllPermission; }; grant codeBase "file:${jboss.server.home.dir}/deploy/-" { permission java.security.AllPermission; }; grant codeBase "file:${jboss.server.home.dir}/work/-" { permission java.security.AllPermission; }; // Minimal permissions are allowed to everyone to run the system. grant { // Permissions I had to add for everything to work. permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete"; permission java.io.SerializablePermission "enableSubstitution"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.lang.RuntimePermission "accessClassInPackage.*"; permission java.lang.RuntimePermission "defineClassInPackage.*"; permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "getProtectionDomain"; permission java.lang.RuntimePermission "getStackTrace"; permission java.lang.RuntimePermission "preferences"; permission java.lang.RuntimePermission "queuePrintJob"; permission java.lang.RuntimePermission "reflectionFactoryAccess"; permission java.lang.RuntimePermission "readFileDescriptor"; permission java.lang.RuntimePermission "writeFileDescriptor"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; permission java.net.SocketPermission "*", "connect"; permission java.security.SecurityPermission "getPolicy"; permission java.util.PropertyPermission "*", "read,write"; permission java.util.logging.LoggingPermission "control", ""; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doAsPrivileged"; permission javax.security.auth.AuthPermission "getSubject"; permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "getPolicy"; // JBoss permissions permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.*"; permission javax.management.MBeanServerPermission "findMBeanServer"; permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*"; }; // Special permissions based on principal. grant principal org.jboss.security.SimplePrincipal "test" { permission javax.security.auth.AuthPermission "testPerm"; }; grant principal org.jboss.security.SimpleGroup "Roles" { permission javax.security.auth.AuthPermission "rolePerm"; };
JBoss starts up fine and everything seems to work until I try and see if I have the "testPerm" permission. I login as user test and I have a simple JSP page that does:
<% boolean ok = false; javax.security.auth.Subject subject = (javax.security.auth.Subject) session.getAttribute("subject"); if (subject != null) { try { System.err.println("*** 1"); final javax.security.auth.AuthPermission perm = new javax.security.auth.AuthPermission("testPerm"); System.err.println("*** 2"); try { java.security.PrivilegedExceptionAction action = new java.security.PrivilegedExceptionAction() { public Object run() { System.err.println("*** A"); try { java.security.AccessController.checkPermission(perm); System.err.println("*** A2"); return Boolean.TRUE; } catch (Throwable ex) { // User doesn't have the required permission. System.err.println("*** B"); ex.printStackTrace(); } return Boolean.FALSE; } }; System.err.println("*** SUB: " + subject); ok = ((Boolean)javax.security.auth.Subject.doAsPrivileged(subject, action, null)).booleanValue(); System.err.println("*** OK: " + ok); } catch (java.security.PrivilegedActionException e) { // User doesn't have the required permission. System.err.println("*** C"); e.printStackTrace(); } } catch (Throwable t) { System.err.println("*** WOW"); t.printStackTrace(); } } %> <html> <body> yo <%=ok%> </body> </html>
Printing out the principals in the subject returns:
*** Principals *** Name: test *** Class: org.jboss.security.SimplePrincipal *** Name: Roles *** Class: org.jboss.security.SimpleGroup
But I get this exception:
java.lang.LinkageError: org/jboss/security/SimplePrincipal at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:242) at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1403) at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1307) at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1270) at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1211) at sun.security.provider.PolicyFile.implies(PolicyFile.java:1166) at java.security.ProtectionDomain.implies(ProtectionDomain.java:195) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:249) at java.security.AccessController.checkPermission(AccessController.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkRead(SecurityManager.java:871) at java.io.File.exists(File.java:700) at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:827) ...
Does anybody have any idea what I am doing wrong?
Thanks for any help,
Mike