mskacelik
Contributor

/cc @darranl
issue: https://issues.redhat.com/browse/WFCORE-7335

This is only a draft PR to showcase a possible solution.

When the standalone.xml security manager subsystem configuration is invalid, e.g.:

<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
    <deployment-permissions>
        <maximum-set>
            <permission class="java.io.FilePermission" name="${badExpression}" actions="write,delete"/>
        </maximum-set>
    </deployment-permissions>
</subsystem>

Upon WF instance startup, ExpressionResolverImpl.java will log and throw an exception of type OperationClientException:

throw ControllerLogger.ROOT_LOGGER.cannotResolveExpression(initialValue);

OperationClientException means that:

This class implements {@link OperationClientException}, so if it is thrown during execution of an {@code OperationStepHandler}, the management kernel will adequately handle the exception as a user mistake, not a server fault.

This exception is then handled in the AbstractOperationContext:

} catch (Throwable t) {
    // If it doesn't implement OperationClientException marker interface, throw it on to outer catch block
    if (!(t instanceof OperationClientException)) {
        throw t;
    }
    // Handler threw OCE; that's equivalent to a request that we set the failure description
    final ModelNode failDesc = OperationClientException.class.cast(t).getFailureDescription();
    step.response.get(FAILURE_DESCRIPTION).set(failDesc);
    logStepFailure(step, true);
}

So here is the fundamental problem.

Possible Solution

I have come up with a solution by wrapping the OperationClientException of the expression resolver in the SecurityManagerSubsystemAdd, which, from my understanding, is only executed during the start-up of WildFly (boot). This wrapped exception is not handled in the AbstractOperationContext, making the WildFly startup fail due to the exception.

So, in the current implementation with invalid configuration:

  • using CLI => roll back the configuration (with or without -secmgr)
  • booting without -secmgr => logs the error, but the boot won't fail
  • booting with -secmgr => logs the error, but boot will fail
  • --admin-only mode => both CLI and booting (invalid XML) won't fail (with or without -secmgr)

Note

  • Is the --admin-only mode behavior valid in this case?
  • The PR is missing tests: first, because this is a Draft PR and the solution might not be ideally implemented, I did not implement the tests yet; second, I was not sure where to put these tests, in the wildfly-core repository or in the wildfly repository's integration tests.
  • Because this PR is a PoC, I only used RuntimeException, but maybe other exceptions would be better suited.

…m has invalid config and the security manager is enabled.
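
A minimal model of the behaviour discussed in this PR, added here as an illustration; it is not code from the PR or from WildFly. All types and methods (ClientError, UnresolvedExpression, Step, runBoot, securityManagerAdd) are hypothetical stand-ins: runBoot mimics the quoted catch block, and the wrap flag mimics the proposed wrapping of the client exception so that an invalid permission configuration aborts boot instead of only being logged.

```java
import java.util.List;

// Hypothetical model; none of these types are WildFly classes.
public class BootFailClosedDemo {
    /** Marker for "user mistake" errors (the role OperationClientException plays above). */
    interface ClientError { String failureDescription(); }

    static class UnresolvedExpression extends RuntimeException implements ClientError {
        UnresolvedExpression(String expr) { super("Cannot resolve expression " + expr); }
        public String failureDescription() { return getMessage(); }
    }

    interface Step { void execute(); }

    /** Like the quoted catch block: marker exceptions are recorded, anything else propagates. */
    static boolean runBoot(List<Step> steps) {
        for (Step step : steps) {
            try {
                step.execute();
            } catch (RuntimeException e) {
                if (!(e instanceof ClientError)) {
                    throw e; // treated as a server fault: aborts boot
                }
                System.out.println("step failed, boot continues: " + ((ClientError) e).failureDescription());
            }
        }
        return true; // boot completes even though a step failed
    }

    /** Assumption: any name still starting with "${" counts as unresolvable. */
    static Step securityManagerAdd(String name, boolean wrap) {
        return () -> {
            try {
                if (name.startsWith("${")) throw new UnresolvedExpression(name);
            } catch (UnresolvedExpression e) {
                if (wrap) throw new RuntimeException(e); // hides the marker from runBoot
                throw e;
            }
        };
    }

    public static void main(String[] args) {
        String name = "${badExpression}"; // constructed input, taken from the example config
        System.out.println("unwrapped: boot ok = " + runBoot(List.of(securityManagerAdd(name, false))));
        try {
            runBoot(List.of(securityManagerAdd(name, true)));
        } catch (RuntimeException e) {
            System.out.println("wrapped: boot aborted, cause = " + e.getCause().getMessage());
        }
    }
}
```

The unwrapped run is the fail-open case: the deployment permission set is never installed, yet boot reports success.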
@wildfly-ci

Core -> WildFly Preview Integration Build 14758 outcome was FAILURE using a merge of 4e3494a
Summary: Tests failed: 1 (1 new), passed: 5412, ignored: 86 Build time: 03:29:44

Failed tests

org.jboss.as.test.integration.domain.OrderedChildResourcesTestCase.testOrderedChildResources: java.lang.AssertionError: expected:<{
    "statistics-enabled" => false,
    "protocol" => {
        "RED" => undefined,
        "MPING" => undefined,
        "MERGE3" => undefined,
        "FD_ALL3" => undefined,
        "VERIFY_SUSPECT2" => undefined,
        "pbcast.NAKACK2" => undefined,
        "UNICAST3" => undefined,
        "pbcast.STABLE" => undefined,
        "pbcast.GMS" => undefined,
        "UFC" => undefined,
        "MFC" => undefined,
        "FRAG4" => undefined
    },
    "relay" => undefined,
    "transport" => {"TCP" => undefined}
}> but was:<{
    "statistics-enabled" => false,
    "protocol" => {
        "RED" => undefined,
        "MPING" => undefined,
        "MERGE3" => undefined,
        "FD_ALL3" => undefined,
        "VERIFY_SUSPECT2" => undefined,
        "pbcast.NAKACK2" => undefined,
        "UNICAST3" => undefined,
        "pbcast.GMS" => undefined,
        "UFC" => undefined,
        "MFC" => undefined,
        "FRAG4" => undefined
    },
    "relay" => undefined,
    "transport" => {"TCP" => undefined}
}>

@wildfly-ci

Core -> Full Integration Build 14951 outcome was FAILURE using a merge of 4e3494a
Summary: Tests failed: 1 (1 new), passed: 8161, ignored: 113 Build time: 04:32:17

Failed tests

org.jboss.as.test.clustering.cluster.ejb2.stateless.RemoteStatelessFailoverTestCase.testLoadbalanceAnnotatedBean: java.lang.AssertionError: Minimal number of calls done to all servers have to be 8.0 but was 6
	at org.jboss.as.test.clustering.cluster.ejb2.stateless.RemoteStatelessFailoverTestCase.validateBalancing(RemoteStatelessFailoverTestCase.java:278)
	at org.jboss.as.test.clustering.cluster.ejb2.stateless.RemoteStatelessFailoverTestCase.loadbalance(RemoteStatelessFailoverTestCase.java:247)
	at org.jboss.as.test.clustering.cluster.ejb2.stateless.RemoteStatelessFailoverTestCase.testLoadbalanceAnnotatedBean(RemoteStatelessFailoverTestCase.java:202)