[WFLY-5340] Additional system property to specify the module to use for JACC initialisation. #8124
merged 2 commits into from Sep 15, 2015
Expand Up @@ -22,6 +22,8 @@

package org.jboss.as.security.service;

import static org.jboss.as.security.service.SecurityBootstrapService.JACC_MODULE;

import java.security.Policy;

import javax.security.jacc.PolicyConfiguration;
Expand All @@ -30,13 +32,15 @@

import org.jboss.as.security.SecurityExtension;
import org.jboss.as.security.logging.SecurityLogger;
import org.jboss.modules.ModuleLoadException;
import org.jboss.msc.inject.Injector;
import org.jboss.msc.service.Service;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StartException;
import org.jboss.msc.service.StopContext;
import org.jboss.msc.value.InjectedValue;
import org.wildfly.security.manager.WildFlySecurityManager;

/**
* A service for JACC policies
Expand Down Expand Up @@ -75,7 +79,7 @@ public PolicyConfiguration getValue() throws IllegalStateException, IllegalArgum
@Override
public void start(StartContext context) throws StartException {
try {
PolicyConfigurationFactory pcf = PolicyConfigurationFactory.getPolicyConfigurationFactory();
PolicyConfigurationFactory pcf = getPolicyConfigurationFactory();
synchronized (pcf) { // synchronize on the factory
policyConfiguration = pcf.getPolicyConfiguration(contextId, false);
if (metaData != null) {
Expand Down Expand Up @@ -104,6 +108,27 @@ public void start(StartContext context) throws StartException {
}
}

private PolicyConfigurationFactory getPolicyConfigurationFactory() throws ModuleLoadException, ClassNotFoundException, PolicyContextException {
String module = WildFlySecurityManager.getPropertyPrivileged(JACC_MODULE, null);
final ClassLoader originalClassLoader;
final ClassLoader jaccClassLoader;
if (module != null) {
jaccClassLoader = SecurityActions.getModuleClassLoader(JACC_MODULE);
originalClassLoader = SecurityActions.setThreadContextClassLoader(jaccClassLoader);
} else {
jaccClassLoader = null;
originalClassLoader = null;
}

try {
return PolicyConfigurationFactory.getPolicyConfigurationFactory();
} finally {
if (originalClassLoader != null) {
SecurityActions.setThreadContextClassLoader(originalClassLoader);
}
}
}

/** {@inheritDoc} */
@Override
public void stop(StopContext context) {
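Review bot: `SecurityActions.getModuleClassLoader(JACC_MODULE)` in the new `getPolicyConfigurationFactory()` passes the property key, not the value read into `module` on the line above, so the module that gets loaded is literally `org.jboss.as.security.jacc-module` and the configured module is never consulted; `SecurityBootstrapService.loadClass` in this same PR correctly passes `module`. Change the line to `jaccClassLoader = SecurityActions.getModuleClassLoader(module);`. Once that is fixed, `jaccClassLoader` is read exactly once, so the two-variable setup could collapse to a single `originalClassLoader` assignment inside the `if`. Restoring the TCCL in `finally` is right, since `setThreadContextClassLoader` returns the previous loader, but a one-line comment saying why the TCCL is switched (the `PolicyConfigurationFactory` lookup resolves its implementation through it) would help the next reader.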
Expand Up @@ -22,22 +22,22 @@

package org.jboss.as.security.service;

import static java.security.AccessController.doPrivileged;

import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import org.jboss.as.security.logging.SecurityLogger;
import org.jboss.as.security.remoting.RemotingContext;
import org.wildfly.security.manager.action.GetModuleClassLoaderAction;
import org.wildfly.security.manager.WildFlySecurityManager;
import org.jboss.modules.Module;
import org.jboss.modules.ModuleClassLoader;
import org.jboss.modules.ModuleIdentifier;
import org.jboss.modules.ModuleLoadException;
import org.jboss.modules.ModuleLoader;
import org.jboss.remoting3.Connection;

import static java.security.AccessController.doPrivileged;
import org.wildfly.security.manager.WildFlySecurityManager;
import org.wildfly.security.manager.action.GetModuleClassLoaderAction;

/**
* Privileged blocks for this package
Expand All @@ -51,52 +51,93 @@ class SecurityActions {
static ModuleClassLoader getModuleClassLoader(final String moduleSpec) throws ModuleLoadException {
ModuleLoader loader = Module.getCallerModuleLoader();
final Module module = loader.loadModule(ModuleIdentifier.fromString(moduleSpec));
return WildFlySecurityManager.isChecking() ? doPrivileged(new GetModuleClassLoaderAction(module)) : module.getClassLoader();
GetModuleClassLoaderAction action = new GetModuleClassLoaderAction(module);
return WildFlySecurityManager.isChecking() ? doPrivileged(action) : action.run();
}

static Class<?> loadClass(final String name) throws ClassNotFoundException {
if (WildFlySecurityManager.isChecking()) {
try {
return doPrivileged(new PrivilegedExceptionAction<Class<?>>() {
public Class<?> run() throws ClassNotFoundException {
ClassLoader[] cls = new ClassLoader[] { SecurityActions.class.getClassLoader(), // PB classes (not always on TCCL [modular env])
WildFlySecurityManager.getCurrentContextClassLoaderPrivileged(), // User defined classes
ClassLoader.getSystemClassLoader() // System loader, usually has app class path
};
ClassNotFoundException e = null;
for (ClassLoader cl : cls) {
if (cl == null) continue;

try {
return cl.loadClass(name);
} catch (ClassNotFoundException ce) {
e = ce;
}
}
throw e != null ? e : SecurityLogger.ROOT_LOGGER.cnfe(name);
return classLoaderActions().loadClass(name);
}

static ClassLoader setThreadContextClassLoader(ClassLoader toSet) {
return classLoaderActions().setThreadContextClassLoader(toSet);
}

private static ClassLoaderActions classLoaderActions() {
return WildFlySecurityManager.isChecking() ? ClassLoaderActions.PRIVILEGED : ClassLoaderActions.NON_PRIVILEGED;
}

private interface ClassLoaderActions {

Class<?> loadClass(final String name) throws ClassNotFoundException;

ClassLoader setThreadContextClassLoader(ClassLoader toSet);

ClassLoaderActions NON_PRIVILEGED = new ClassLoaderActions() {

@Override
public Class<?> loadClass(String name) throws ClassNotFoundException {
ClassLoader[] cls = new ClassLoader[] { SecurityActions.class.getClassLoader(), // PB classes (not always on TCCL [modular env])
WildFlySecurityManager.getCurrentContextClassLoaderPrivileged(), // User defined classes
ClassLoader.getSystemClassLoader() // System loader, usually has app class path
};
ClassNotFoundException e = null;
for (ClassLoader cl : cls) {
if (cl == null)
continue;

try {
return cl.loadClass(name);
} catch (ClassNotFoundException ce) {
e = ce;
}
});
} catch (PrivilegedActionException pae) {
throw SecurityLogger.ROOT_LOGGER.cnfeThrow(name, pae);
}
throw e != null ? e : SecurityLogger.ROOT_LOGGER.cnfe(name);
}
} else {
ClassLoader[] cls = new ClassLoader[] { SecurityActions.class.getClassLoader(), // PB classes (not always on TCCL [modular env])
WildFlySecurityManager.getCurrentContextClassLoaderPrivileged(), // User defined classes
ClassLoader.getSystemClassLoader() // System loader, usually has app class path
};
ClassNotFoundException e = null;
for (ClassLoader cl : cls) {
if (cl == null)
continue;

@Override
public ClassLoader setThreadContextClassLoader(ClassLoader toSet) {
Thread currentThread = Thread.currentThread();
ClassLoader previous = currentThread.getContextClassLoader();
currentThread.setContextClassLoader(toSet);
return previous;
}
};

ClassLoaderActions PRIVILEGED = new ClassLoaderActions() {

@Override
public Class<?> loadClass(final String name) throws ClassNotFoundException {
try {
return cl.loadClass(name);
} catch (ClassNotFoundException ce) {
e = ce;
return doPrivileged(new PrivilegedExceptionAction<Class<?>>() {

@Override
public Class<?> run() throws Exception {
return NON_PRIVILEGED.loadClass(name);
}
});
} catch (PrivilegedActionException e) {
Exception cause = e.getException();
if (cause instanceof ClassNotFoundException) {
throw (ClassNotFoundException) cause;
} else if (cause instanceof RuntimeException) {
throw (RuntimeException) cause;
}
throw new RuntimeException(cause);
}
}
throw e != null ? e : SecurityLogger.ROOT_LOGGER.cnfe(name);
}

@Override
public ClassLoader setThreadContextClassLoader(final ClassLoader toSet) {
return doPrivileged(new PrivilegedAction<ClassLoader>() {

@Override
public ClassLoader run() {
return NON_PRIVILEGED.setThreadContextClassLoader(toSet);
}
});
}
};
}

static void remotingContextClear() {
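Review bot: The fallback `throw new RuntimeException(cause);` in `PRIVILEGED.loadClass` drops the class name that the replaced `SecurityLogger.ROOT_LOGGER.cnfeThrow(name, pae)` path carried, so a checked exception other than `ClassNotFoundException` escaping the privileged block now surfaces with no indication of which class was being loaded. Since `NON_PRIVILEGED.loadClass` declares only `ClassNotFoundException`, `run()` can be declared `throws ClassNotFoundException` instead of `throws Exception`, which makes that third branch unreachable in practice and lets it be replaced by the logger-based wrapper, or at least by a message that includes `name`. `ClassLoaderActions` and `setThreadContextClassLoader` also lack Javadoc; something like `/** Replaces the current thread's context class loader and returns the previous one; callers are responsible for restoring it. */` would document the contract `JaccService` relies on. Mirroring the existing `RemotingContextAssociationActions` shape for the privileged/non-privileged split is consistent with the rest of the class.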
Expand Down Expand Up @@ -126,6 +167,7 @@ private interface RemotingContextAssociationActions {

RemotingContextAssociationActions NON_PRIVILEGED = new RemotingContextAssociationActions() {

@Override
public boolean isSet() {
return RemotingContext.isSet();
}
Expand All @@ -145,34 +187,40 @@ public void clear() {

private final PrivilegedAction<Boolean> IS_SET_ACTION = new PrivilegedAction<Boolean>() {

@Override
public Boolean run() {
return NON_PRIVILEGED.isSet();
}
};

private final PrivilegedAction<Connection> GET_CONNECTION_ACTION = new PrivilegedAction<Connection>() {

@Override
public Connection run() {
return NON_PRIVILEGED.getConnection();
}
};

private final PrivilegedAction<Void> CLEAR_ACTION = new PrivilegedAction<Void>() {

@Override
public Void run() {
NON_PRIVILEGED.clear();
return null;
}
};

@Override
public boolean isSet() {
return doPrivileged(IS_SET_ACTION);
}

@Override
public Connection getConnection() {
return doPrivileged(GET_CONNECTION_ACTION);
}

@Override
public void clear() {
doPrivileged(CLEAR_ACTION);
}
Expand Up @@ -33,6 +33,7 @@
import org.jboss.as.security.logging.SecurityLogger;
import org.jboss.as.security.plugins.ModuleClassLoaderLocator;
import org.jboss.as.server.moduleservice.ServiceModuleLoader;
import org.jboss.modules.ModuleLoadException;
import org.jboss.msc.inject.Injector;
import org.jboss.msc.service.Service;
import org.jboss.msc.service.ServiceName;
Expand All @@ -54,6 +55,8 @@
*/
public class SecurityBootstrapService implements Service<Void> {

static final String JACC_MODULE = "org.jboss.as.security.jacc-module";

public static final ServiceName SERVICE_NAME = SecurityExtension.JBOSS_SECURITY.append("bootstrap");

private static final SecurityLogger log = SecurityLogger.ROOT_LOGGER;
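Review bot: `JACC_MODULE` is introduced without Javadoc, although it is read as a system property in both `SecurityBootstrapService.start` and `JaccService.getPolicyConfigurationFactory` in this PR and decides which module's class loader is used for the `loadClass(module, provider)` call that loads the JACC policy provider. A comment such as `/** System property naming the module whose class loader is used to load the JACC policy provider and the PolicyConfigurationFactory; unset means the default lookup. */` would make both the shared use and the fact that it selects the code loaded as a security policy visible to the next reader. It is package-private and reached from `JaccService` by static import, which seems fine as long as both classes stay in this package; if the property is meant to be user-facing it may deserve a mention in the subsystem documentation as well.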
Expand Down Expand Up @@ -82,8 +85,9 @@ public void start(StartContext context) throws StartException {

// Get the current Policy impl
oldPolicy = Policy.getPolicy();
String module = WildFlySecurityManager.getPropertyPrivileged(JACC_MODULE, null);
String provider = WildFlySecurityManager.getPropertyPrivileged(JACC_POLICY_PROVIDER, "org.jboss.security.jacc.DelegatingPolicy");
Class<?> providerClass = SecurityActions.loadClass(provider);
Class<?> providerClass = loadClass(module, provider);
try {
// Look for a ctor(Policy) signature
Class<?>[] ctorSig = { Policy.class };
Expand Down Expand Up @@ -122,6 +126,14 @@ public void start(StartContext context) throws StartException {
}
}

private Class<?> loadClass(final String module, final String className) throws ClassNotFoundException, ModuleLoadException {
if (module != null) {
return SecurityActions.getModuleClassLoader(module).loadClass(className);
}

return SecurityActions.loadClass(className);
}

/** {@inheritDoc} */
@SuppressWarnings("rawtypes")
@Override