3 Replies Latest reply on Aug 21, 2009 4:21 AM by Richard Opalka

    Removing JACC Permissions Hack

    Richard Opalka Master

      This is related to: JBAS-5935

      I'm trying to remove JACC permissions hack in JBossWS AS integration code base and I have two issues with that:

      ad1) When I'll comment out WSJACCPermissionsDeploymentAspect DA from
      jboss-5.2.0.Beta/server/all/deployers/jbossws.deployer/META-INF/stack-agnostic-jboss-beans.xml and I'll start AS:

      [/home/opalka][/opt/svn/jbossas/branches/Branch_5_x/build/output/jboss-5.2.0.Beta/bin]>./run.sh -c all

      and finally I'll run the test

      [/home/opalka][/opt/svn/jbossas/branches/Branch_5_x/testsuite]>./build.sh one-test -Dtest=org.jboss.test.webservice.jbws309.JBWS309TestCase

      I'd expect this test to fail, but it isn't. What is going on wrong with it? In that usecase JACC permissions shouln't be generated at all and test should fail, at least from what I read in associated JIRA JBAS-4644

      ad2) I don't know how to fix that issue properly? Can I move WarSecurityDeployer from POST_CLASSLOADER deployers map to REAL_CLASSLOADERS map, or it have to stay in POST_CLASSLOADER map to prevent potential security attacks?
      Associated JBossWS deployers that generate web meta data cannot be moved from REAL to POST_CLASSLOADER stage because of dependency on EJB3 REAL deployers.

        • 1. Re: Removing JACC Permissions Hack
          Anil Saldanha Master

          JBossWS creates a transient webapp to deal with ws invocations. The original problem was that this web app metadata was not being fed to the security deployer which happens very early in the pipeline of deployers. For this reason, we generated the JACC permissions for this particular transient web app in the webservices module.

          The fix would be to get the metadata of this transient web app to go through the chain of deployers just like regular standard web apps that get deployed in AS.

          • 2. Re: Removing JACC Permissions Hack
            Richard Opalka Master

             

            "anil.saldhana@jboss.com" wrote:
            JBossWS creates a transient webapp to deal with ws invocations. The original problem was that this web app metadata was not being fed to the security deployer which happens very early in the pipeline of deployers. For this reason, we generated the JACC permissions for this particular transient web app in the webservices module.

            Yes, this is how it works now. Almost all JBossWS deployers (except WSDescriptorDeployer)) are REAL stage deployers.
            "anil.saldhana@jboss.com" wrote:

            The fix would be to get the metadata of this transient web app to go through the chain of deployers just like regular standard web apps that get deployed in AS.

            OK, I'll investigate whether our dependency on EJB real deployers is really necessary or not and I will try to move our deployers to lower stage.