7 Replies Latest reply on Aug 28, 2017 2:03 AM by lam_shing

JBOSS EAP java security policy

dsexton18 Feb 2, 2016 9:11 AM

I have JBOSS EAP 6.4.5 I am having issues with getting java security policy to work correctly. For the most part it is granting permissions however my app is getting denied permissions for the below.

Permissions denied "/u01/standalone/foo/deployments/Foo.ear/lib/spring-web-4.1.6.RELEASE.jar/org/springframework/web/context/ContextLoader.properties

I added the below to the java security policy file but now luck.

grant codeBase "vfs:/u01/standalone/foo/deployments/FOO.ear/-" { permission java.security.AllPermission; }

;

permission org.jboss.vfs.VirtualFilePermission "/u01/standalone/foo/deployments/Foo.ear/lib/spring-web-4.1.6.RELEASE.jar/org/springframework/web/context/ContextLoader.properties", "read";

I also had some runtime permissions get denied but I can’t recall what they are off the top of my head right now. I do know I added those specific runtime permissions to the security policy but the log still showed access denied. Is there a way to grant all permissions to runtime just for now?

Any help is appreciated. Thanks

1. Re: JBOSS EAP java security policy

fernando.paz Jul 28, 2016 5:41 PM (in response to dsexton18)

I have the same problem someone has an idea?
Actions
2. Re: JBOSS EAP java security policy

mchoma Jul 29, 2016 3:47 AM (in response to dsexton18)

I wonder if setting -Djava.security.debug=access:failure reveal some more detailed information?

https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html-single/Security_Guide/index.html#Debug_Security_Manager_Policies
http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
Actions
3. Re: JBOSS EAP java security policy

fernando.paz Aug 1, 2016 12:31 PM (in response to mchoma)

Thanks Martin

I had I mistake when I am writing the policy.. I forget:

grant {
permission java.security.AllPermission;
};

";"

Regards
Actions
4. Re: JBOSS EAP java security policy

adityan Jul 17, 2017 11:36 AM (in response to mchoma)

Hi Martin, I have followed same steps but still having issue. Can you share the changes you have made?
Thanks,
Aditya

This is link to my question:

Unable to deploy application when Java Security Manager is enabled on JBoss 6.x EAP
Actions
5. Re: JBOSS EAP java security policy

lam_shing Aug 11, 2017 4:41 AM (in response to fernando.paz)

you may want to use the policytool in jdk to open the policy file as a way to verify the policy file. Note that the policytool does not know "vfs:" in the URL. Other than that, it's ok.
Actions
6. Re: JBOSS EAP java security policy

adityan Aug 11, 2017 7:56 AM (in response to lam_shing)

Hey Thanks for your reply. I removed vfs entry from the file.
After checking logs I found a peculiar behavior. "Access was granted to a certain file and again denied for the same file." Have you encountered such behavior on JBoss?
Actions
7. Re: JBOSS EAP java security policy

lam_shing Aug 28, 2017 2:03 AM (in response to adityan)

You only need to replace vfs: by file: only for the policytool to check. After the policytool verfiied that it's ok , revert to the original version with "vfs:".
Actions

Go to original post