WildFly 10.1.0 Final, Drools 5.5.0, AccessControlException when executing rules
lhug Jan 23, 2018 6:24 AMHello,
I have a Wildfly 10.1.Final Application Server, running several modules. One of these utilizes drools rules, which will be defined by users.
To prevent too many bad things from happening, I enabled my Security Manager by using
-secmgr
and granted a minimum and maximum permission set:
I then created a service class, which creates an AccessControlContext, with a ProtectionDomain for CodeSource null/null, and granted the permissions
Runtime.getClassLoader, Runtime.suppressAccessChecks and Property.accessDeclaredMembers.
When executing rules, on some systems, everything works as expected. On some systems, I get an exception:
xxx.yyy.IllegalExecutionException: Exception executing consequence for rule "generated rule" in xxx.yyy: java.security.AccessControl Exception: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "getClassLoader")" in code source "(null )" of "org.drools.util.Compos iteClassLoader@53e672e0") at xxx.yyy.SecureExecutionService.trySecureExecution(SecureExecutionService.java:46) at xxx.yyy.SecureExecutionService.execute(SecureExecutionService.java:33) at xxx.yyy.SaveController.executeRules(SaveController.java:216) at xxx.yyy.SaveController.collectPanelRules(SaveController.java:202) at xxx.yyy.SaveController.save(SaveController.java:87) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:70) at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:122) at org.springframework.expression.spel.ast.MethodReference.access$100(MethodReference.java:44) at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:258) at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:85) at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:113) at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:105) at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84) at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75) at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188) at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145) at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51) ... 103 more Caused by: Exception executing consequence for rule "generated rule" in de.formsolutions.metaform: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "getClassLoader")" in code source "(null )" of "org.drools.util.CompositeClassLoader@53e672e0") at org.drools.runtime.rule.impl.DefaultConsequenceExceptionHandler.handleException(DefaultConsequenceExceptionHandler.java:39) at org.drools.common.DefaultAgenda.fireActivation(DefaultAgenda.java:1297) at org.drools.common.DefaultAgenda.fireNextItem(DefaultAgenda.java:1221) at org.drools.common.DefaultAgenda.fireAllRules(DefaultAgenda.java:1456) at org.drools.common.AbstractWorkingMemory.fireAllRules(AbstractWorkingMemory.java:710) at org.drools.common.AbstractWorkingMemory.fireAllRules(AbstractWorkingMemory.java:679) at org.drools.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:234) at xxx.yyy.SaveController.fireRules(SaveController.java:229) at xxx.yyy.SaveController.lambda$executeRules$1(SaveController.java:216) at xxx.yyy.SecureExecutionService.lambda$wrap$0(SecureExecutionService.java:78) at java.security.AccessController.doPrivileged(Native Method) at xxx.yyy.SecureExecutionService.trySecureExecution(SecureExecutionService.java:42) ... 123 more Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "getClassLoader")" in code source "(null )" of "org.drools.util.CompositeClassLoader@53e672e0") at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273) at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175) at java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1528) at java.lang.ClassLoader.getParent(ClassLoader.java:1374) at org.drools.rule.JavaDialectRuntimeData$PackageClassLoader.loadClass(JavaDialectRuntimeData.java:581) at java.lang.ClassLoader.loadClass(ClassLoader.java:357) at xxx.yyy.Rule_generated_rule_e857abc9dba740008db41e5bd1026606.defaultConsequence(Rule_unneeded_Zum_Ende_Button_e857abc9dba740008db41e5bd1026606.java:7) at xxx.yyy.Rule_generated_rule_e857abc9dba740008db41e5bd1026606DefaultConsequenceInvokerGenerated.evaluate(Unknown Source) at xxx.yyy.Rule_generated_rule_e857abc9dba740008db41e5bd1026606DefaultConsequenceInvoker.evaluate(Unknown Source) at org.drools.common.DefaultAgenda.fireActivation(DefaultAgenda.java:1287) ... 133 more
Debugging into the Elytron Wildfly Security Manager 1.0.2.Final shows that on the systems that fail, there is an additional AccessControlContext present. Five are epected:
- the Sandbox context
- Drools 5.5.0 Jar
- WEB-INF/classes in the ear
- the EJB deployment
- the Elytron Jar
The offending systems carry this extra context:
ProtectionDomain (null ) org.drools.util.CompositeClassLoader@bd99fe2 java.security.Permissions@3221162f ( ("java.lang.RuntimePermission" "stopThread") ("javax.security.jacc.WebResourcePermission" "/") ("javax.security.jacc.WebRoleRefPermission" "" "**") ("javax.security.jacc.WebRoleRefPermission" "Faces Servlet" "**") ("javax.security.jacc.WebRoleRefPermission" "metaform" "**") ("java.net.SocketPermission" "localhost:0" "listen,resolve") ("java.net.SocketPermission" "localhost:0" "listen,resolve") ("javax.security.jacc.WebUserDataPermission" "/") ("java.util.PropertyPermission" "java.specification.version" "read") ("java.util.PropertyPermission" "java.version" "read") ("java.util.PropertyPermission" "os.arch" "read") ("java.util.PropertyPermission" "java.specification.vendor" "read") ("java.util.PropertyPermission" "java.vm.specification.name" "read") ("java.util.PropertyPermission" "java.vm.vendor" "read") ("java.util.PropertyPermission" "path.separator" "read") ("java.util.PropertyPermission" "os.version" "read") ("java.util.PropertyPermission" "file.separator" "read") ("java.util.PropertyPermission" "line.separator" "read") ("java.util.PropertyPermission" "java.vm.specification.vendor" "read") ("java.util.PropertyPermission" "java.specification.name" "read") ("java.util.PropertyPermission" "java.vendor.url" "read") ("java.util.PropertyPermission" "java.vendor" "read") ("java.util.PropertyPermission" "java.vm.version" "read") ("java.util.PropertyPermission" "java.vm.name" "read") ("java.util.PropertyPermission" "java.vm.specification.version" "read") ("java.util.PropertyPermission" "os.name" "read") ("java.util.PropertyPermission" "java.class.version" "read") )
Technically, if I am not mistaken, this should have the AllPermission as granted by the minimum permission set, however, as stated before, on several systems, this is not even present within the AccessControlContext.
My first guess was CentOS, as this failed only on CentOS, and a test on two developer machines (Ubuntu, Windows) showed that it worked. However, a third developer machine, using the exact same specifications as my system, does have that extra context, and subsequently, the calls fail without doing anything.
I am quite confused, as the "failing permission" is one explicitly granted beforehand, and I am at a loss to explain this. If anyone here can help, any help at all would be greatly appreciated.
Nachricht geändert durch Stefan Helmerichs Permissions were invisible