I am migrating an application from JBoss 6.1 with Java 7 to WildFly 10 with Java 8, and have found that our Java security implementation has stopped working as expected.
In our application we load up a dynamic policy (java.security.Policy object) with a collection of permissions representing actions you can take in the application. We then evaluate actions a user tries to do using the java.security.auth.Subject class and the doAsPrivileged method.
When running this same code setup in WildFly 10 with Java 8, all the security policy data loads up just fine; however, the doAsPrivileged strategy returns without exception for all actions and all users, essentially allowing everyone full access to everything regardless of whether or not they should be able to get to all the actions.
When debugging the fully loaded policy objects down inside of the java.security.auth space, what I see is that in addition to the standard actions, there always seems to be an AllPermissions / AllActions entry showing up. It seems like this entry is what might be causing the security behavior I am seeing. I’ve tried removing all the configuration entries that refer to java.security.AllPermission in places like the java.policy, standalone_full.xml, etc. Even with all those removed, the AllPermission type of entry still shows up.
Does anyone have any insight into this behavior, or have some suggested technical documentation that might help me figure it out?
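The mechanism the question describes, as an added example that is not the asker's code: a dynamic java.security.Policy consulted through Subject.doAsPrivileged, with hypothetical user and action names. It shows why a single AllPermission grant reaching the effective policy makes every check pass for that subject, which is the symptom reported above.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;

public class PolicyDemo {
    /** Application action such as "invoice.view" (hypothetical names). */
    static final class ActionPermission extends BasicPermission {
        ActionPermission(String name) { super(name); }
    }

    /** Minimal principal carrying only a user name. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Dynamic policy: grants are keyed by the principals that the
     *  SubjectDomainCombiner attaches to each ProtectionDomain. */
    static final class DynamicPolicy extends Policy {
        private final Map<String, Permissions> grants = new HashMap<>();
        void grant(String user, Permission p) {
            grants.computeIfAbsent(user, k -> new Permissions()).add(p);
        }
        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            Principal[] principals = domain.getPrincipals();
            if (principals == null) return false;
            for (Principal p : principals) {
                Permissions pc = grants.get(p.getName());
                if (pc != null && pc.implies(permission)) return true;
            }
            return false;   // no static AllPermission fallback: deny by default
        }
    }

    /** Evaluate one action as the given user: the check only passes if the policy implies it. */
    static boolean canPerform(String user, String action) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(user));
        try {
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(new ActionPermission(action));
                return null;
            }, null);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        DynamicPolicy policy = new DynamicPolicy();
        policy.grant("alice", new ActionPermission("invoice.view"));
        policy.grant("bob", new AllPermission());   // one stray AllPermission grant: every check for bob passes
        Policy.setPolicy(policy);
        System.out.println("alice invoice.view:    " + canPerform("alice", "invoice.view"));
        System.out.println("alice invoice.approve: " + canPerform("alice", "invoice.approve"));
        System.out.println("bob invoice.approve:   " + canPerform("bob", "invoice.approve"));
    }
}
```

To narrow down where the unwanted grant comes from, set a breakpoint in a Policy.implies override like this one and inspect the ProtectionDomain and the Policy instance actually returned by Policy.getPolicy() inside the container, since a container may install its own Policy that wraps or replaces the application's.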