0 Replies Latest reply on Jan 23, 2018 6:24 AM by Stefan Helmerichs

    WildFly 10.1.0 Final, Drools 5.5.0, AccessControlException when executing rules

    Stefan Helmerichs Newbie

      Hello,

      I have a Wildfly 10.1.Final Application Server, running several modules. One of these utilizes drools rules, which will be defined by users.

      To prevent too many bad things from happening, I enabled my Security Manager by using

      -secmgr

      and granted a minimum and maximum permission set:

       

              
                  
                      
                          
                          
                          
                          
                      
                      
                          
                      
                  
              

      I then created a service class, which creates an AccessControlContext, with a ProtectionDomain for CodeSource null/null, and granted the permissions

      Runtime.getClassLoader, Runtime.suppressAccessChecks and Property.accessDeclaredMembers.

       

      When executing rules, on some systems, everything works as expected. On some systems, I get an exception:

       

       

      xxx.yyy.IllegalExecutionException: Exception executing consequence for rule "generated rule" in xxx.yyy: java.security.AccessControl
      Exception: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "getClassLoader")" in code source "(null )" of "org.drools.util.Compos
      iteClassLoader@53e672e0")
              at xxx.yyy.SecureExecutionService.trySecureExecution(SecureExecutionService.java:46)
              at xxx.yyy.SecureExecutionService.execute(SecureExecutionService.java:33)
              at xxx.yyy.SaveController.executeRules(SaveController.java:216)
              at xxx.yyy.SaveController.collectPanelRules(SaveController.java:202)
              at xxx.yyy.SaveController.save(SaveController.java:87)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:70)
              at org.springframework.expression.spel.ast.MethodReference.getValueInternal(MethodReference.java:122)
              at org.springframework.expression.spel.ast.MethodReference.access$100(MethodReference.java:44)
              at org.springframework.expression.spel.ast.MethodReference$MethodValueRef.getValue(MethodReference.java:258)
              at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:85)
              at org.springframework.expression.spel.ast.SpelNodeImpl.getTypedValue(SpelNodeImpl.java:113)
              at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:105)
              at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:84)
              at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:75)
              at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
              at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
              at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
              ... 103 more
      Caused by: Exception executing consequence for rule "generated rule" in de.formsolutions.metaform: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "getClassLoader")" in code source "(null )" of "org.drools.util.CompositeClassLoader@53e672e0")
              at org.drools.runtime.rule.impl.DefaultConsequenceExceptionHandler.handleException(DefaultConsequenceExceptionHandler.java:39)
              at org.drools.common.DefaultAgenda.fireActivation(DefaultAgenda.java:1297)
              at org.drools.common.DefaultAgenda.fireNextItem(DefaultAgenda.java:1221)
              at org.drools.common.DefaultAgenda.fireAllRules(DefaultAgenda.java:1456)
              at org.drools.common.AbstractWorkingMemory.fireAllRules(AbstractWorkingMemory.java:710)
              at org.drools.common.AbstractWorkingMemory.fireAllRules(AbstractWorkingMemory.java:679)
              at org.drools.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:234)
              at xxx.yyy.SaveController.fireRules(SaveController.java:229)
              at xxx.yyy.SaveController.lambda$executeRules$1(SaveController.java:216)
              at xxx.yyy.SecureExecutionService.lambda$wrap$0(SecureExecutionService.java:78)
              at java.security.AccessController.doPrivileged(Native Method)
              at xxx.yyy.SecureExecutionService.trySecureExecution(SecureExecutionService.java:42)
              ... 123 more
      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "getClassLoader")" in code source "(null )" of "org.drools.util.CompositeClassLoader@53e672e0")
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
              at java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1528)
              at java.lang.ClassLoader.getParent(ClassLoader.java:1374)
              at org.drools.rule.JavaDialectRuntimeData$PackageClassLoader.loadClass(JavaDialectRuntimeData.java:581)
              at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
              at xxx.yyy.Rule_generated_rule_e857abc9dba740008db41e5bd1026606.defaultConsequence(Rule_unneeded_Zum_Ende_Button_e857abc9dba740008db41e5bd1026606.java:7)
              at xxx.yyy.Rule_generated_rule_e857abc9dba740008db41e5bd1026606DefaultConsequenceInvokerGenerated.evaluate(Unknown Source)
              at xxx.yyy.Rule_generated_rule_e857abc9dba740008db41e5bd1026606DefaultConsequenceInvoker.evaluate(Unknown Source)
              at org.drools.common.DefaultAgenda.fireActivation(DefaultAgenda.java:1287)
              ... 133 more

       

      Debugging into the Elytron Wildfly Security Manager 1.0.2.Final shows that on the systems that fail, there is an additional AccessControlContext present. Five are epected:

      • the Sandbox context
      • Drools 5.5.0 Jar
      • WEB-INF/classes in the ear
      • the EJB deployment
      • the Elytron Jar

       

      The offending systems carry this extra context:

       

      ProtectionDomain  (null )
       org.drools.util.CompositeClassLoader@bd99fe2
       
       java.security.Permissions@3221162f (
       ("java.lang.RuntimePermission" "stopThread")
       ("javax.security.jacc.WebResourcePermission" "/")
       ("javax.security.jacc.WebRoleRefPermission" "" "**")
       ("javax.security.jacc.WebRoleRefPermission" "Faces Servlet" "**")
       ("javax.security.jacc.WebRoleRefPermission" "metaform" "**")
       ("java.net.SocketPermission" "localhost:0" "listen,resolve")
       ("java.net.SocketPermission" "localhost:0" "listen,resolve")
       ("javax.security.jacc.WebUserDataPermission" "/")
       ("java.util.PropertyPermission" "java.specification.version" "read")
       ("java.util.PropertyPermission" "java.version" "read")
       ("java.util.PropertyPermission" "os.arch" "read")
       ("java.util.PropertyPermission" "java.specification.vendor" "read")
       ("java.util.PropertyPermission" "java.vm.specification.name" "read")
       ("java.util.PropertyPermission" "java.vm.vendor" "read")
       ("java.util.PropertyPermission" "path.separator" "read")
       ("java.util.PropertyPermission" "os.version" "read")
       ("java.util.PropertyPermission" "file.separator" "read")
       ("java.util.PropertyPermission" "line.separator" "read")
       ("java.util.PropertyPermission" "java.vm.specification.vendor" "read")
       ("java.util.PropertyPermission" "java.specification.name" "read")
       ("java.util.PropertyPermission" "java.vendor.url" "read")
       ("java.util.PropertyPermission" "java.vendor" "read")
       ("java.util.PropertyPermission" "java.vm.version" "read")
       ("java.util.PropertyPermission" "java.vm.name" "read")
       ("java.util.PropertyPermission" "java.vm.specification.version" "read")
       ("java.util.PropertyPermission" "os.name" "read")
       ("java.util.PropertyPermission" "java.class.version" "read")
      )

       

      Technically, if I am not mistaken, this should have the AllPermission as granted by the minimum permission set, however, as stated before, on several systems, this is not even present within the AccessControlContext.

      My first guess was CentOS, as this failed only on CentOS, and a test on two developer machines (Ubuntu, Windows) showed that it worked. However, a third developer machine, using the exact same specifications as my system, does have that extra context, and subsequently, the calls fail without doing anything.

       

      I am quite confused, as the "failing permission" is one explicitly granted beforehand, and I am at a loss to explain this. If anyone here can help, any help at all would be greatly appreciated.

       

      Nachricht geändert durch Stefan Helmerichs Permissions were invisible