Merge pull request wildfly#18479 from darranl/WFLY-20001

[WFLY-20001] Switch to using PolicyUtil from Elytron EE to access java.security.Policy
darranl · Dec 11, 2024 · e23c04d · e23c04d
2 parents 5f6455f + b3bf55e
commit e23c04d
Show file tree

Hide file tree

Showing 10 changed files with 27 additions and 12 deletions.
diff --git a/...leon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ee/main/module.xml b/...leon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ee/main/module.xml
@@ -31,6 +31,7 @@
         <module name="org.jboss.as.controller"/>
         <module name="org.jboss.as.naming" optional="true"/>
         <module name="org.wildfly.security.elytron-private"/>
+        <module name="org.wildfly.security.jakarta.authorization"/>
         <module name="org.wildfly.extension.request-controller" />
         <module name="org.jboss.as.server" />
         <module name="org.jboss.invocation"/>

diff --git a/...on-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ejb3/main/module.xml b/...on-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ejb3/main/module.xml
@@ -108,6 +108,7 @@
         <module name="org.wildfly.http-client.ejb" services="import"/>
         <module name="org.wildfly.iiop-openjdk"/>
         <module name="org.wildfly.security.elytron-private"/>
+        <module name="org.wildfly.security.jakarta.authorization"/>
         <module name="org.wildfly.service"/>
         <module name="org.wildfly.subsystem"/>
         <module name="org.wildfly.transaction.client"/>

diff --git a/.../main/resources/modules/system/layers/base/org/wildfly/extension/undertow/main/module.xml b/.../main/resources/modules/system/layers/base/org/wildfly/extension/undertow/main/module.xml
@@ -54,6 +54,7 @@
         <module name="org.wildfly.security.elytron-private"/>
         <module name="org.wildfly.security.elytron-web.undertow-server"/>
         <module name="org.wildfly.security.elytron-web.undertow-server-servlet"/>
+        <module name="org.wildfly.security.jakarta.authorization"/>
         <module name="org.jboss.as.server"/>
         <module name="org.jboss.common-beans" services="import"/>
         <module name="org.jboss.marshalling"/>

diff --git a/ee/pom.xml b/ee/pom.xml
@@ -143,6 +143,10 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-security-manager-action</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wildfly.security.jakarta</groupId>
+            <artifactId>jakarta-authorization</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.wildfly.transaction</groupId>
             <artifactId>wildfly-transaction-client</artifactId>

diff --git a/ee/src/main/java/org/jboss/as/ee/security/JaccService.java b/ee/src/main/java/org/jboss/as/ee/security/JaccService.java
@@ -7,8 +7,7 @@
 
 import static org.jboss.as.ee.logging.EeLogger.ROOT_LOGGER;
 import static org.wildfly.common.Assert.checkNotNullParam;
-
-import java.security.Policy;
+import static org.wildfly.security.authz.jacc.PolicyUtil.getPolicyUtil;
 
 import jakarta.security.jacc.PolicyConfiguration;
 import jakarta.security.jacc.PolicyConfigurationFactory;
@@ -84,7 +83,7 @@ public void start(StartContext context) throws StartException {
                     policyConfiguration.commit();
                 }
                 // Allow the policy to incorporate the policy configs
-                Policy.getPolicy().refresh();
+                getPolicyUtil().refresh();
             }
         } catch (Exception e) {
             throw ROOT_LOGGER.unableToStartException("JaccService", e);

diff --git a/ejb3/pom.xml b/ejb3/pom.xml
@@ -209,6 +209,11 @@ vi:ts=4:sw=4:expandtab
             <artifactId>wildfly-elytron-security-manager-action</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.wildfly.security.jakarta</groupId>
+            <artifactId>jakarta-authorization</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>jakarta.transaction</groupId>
             <artifactId>jakarta.transaction-api</artifactId>

diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
@@ -9,7 +9,6 @@
 
 import java.lang.reflect.Method;
 import java.security.AccessController;
-import java.security.Policy;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
@@ -68,6 +67,7 @@
 import org.wildfly.security.auth.server.SecurityDomain;
 import org.wildfly.security.auth.server.SecurityIdentity;
 import org.wildfly.security.authz.Roles;
+import org.wildfly.security.authz.jacc.PolicyUtil;
 import org.wildfly.security.manager.WildFlySecurityManager;
 import org.wildfly.transaction.client.ContextTransactionManager;
 
@@ -423,9 +423,9 @@ public boolean isBeanManagedTransaction() {
     public boolean isCallerInRole(final String roleName) throws IllegalStateException {
         if (isSecurityDomainKnown()) {
             if (enableJacc) {
-                Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy();
+                PolicyUtil policyUtil = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<PolicyUtil>) PolicyUtil::getPolicyUtil) : PolicyUtil.getPolicyUtil();
                 ProtectionDomain domain = new ProtectionDomain(null, null, null, JaccInterceptor.getGrantedRoles(getCallerSecurityIdentity()));
-                return policy.implies(domain, new EJBRoleRefPermission(getComponentName(), roleName));
+                return policyUtil.implies(domain, new EJBRoleRefPermission(getComponentName(), roleName));
             } else {
                 boolean tmpBool = checkCallerSecurityIdentityRole(roleName); // rls debug todo remove
                 if (ROOT_LOGGER.isTraceEnabled()) {

diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/security/JaccInterceptor.java b/ejb3/src/main/java/org/jboss/as/ejb3/security/JaccInterceptor.java
@@ -9,7 +9,6 @@
 
 import java.lang.reflect.Method;
 import java.security.AccessController;
-import java.security.Policy;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
@@ -32,6 +31,7 @@
 import org.wildfly.common.Assert;
 import org.wildfly.security.auth.server.SecurityDomain;
 import org.wildfly.security.auth.server.SecurityIdentity;
+import org.wildfly.security.authz.jacc.PolicyUtil;
 import org.wildfly.security.manager.WildFlySecurityManager;
 
 /**
@@ -96,8 +96,8 @@ private void hasPermission(EJBComponent ejbComponent, ComponentView componentVie
         MethodInterfaceType methodIntfType = componentView.getPrivateData(MethodInterfaceType.class);
         EJBMethodPermission permission = createEjbMethodPermission(method, ejbComponent, methodIntfType);
         ProtectionDomain domain = new ProtectionDomain (componentView.getProxyClass().getProtectionDomain().getCodeSource(), null, null, getGrantedRoles(securityIdentity));
-        Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy();
-        if (!policy.implies(domain, permission)) {
+        PolicyUtil policyUtil = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<PolicyUtil>) PolicyUtil::getPolicyUtil) : PolicyUtil.getPolicyUtil();
+        if (!policyUtil.implies(domain, permission)) {
             throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(method,ejbComponent.getComponentName());
         }
     }

diff --git a/undertow/pom.xml b/undertow/pom.xml
@@ -260,6 +260,10 @@
             <groupId>org.wildfly.security</groupId>
             <artifactId>wildfly-elytron-ssl</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wildfly.security.jakarta</groupId>
+            <artifactId>jakarta-authorization</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>

diff --git a/.../src/main/java/org/wildfly/extension/undertow/security/jacc/JACCAuthorizationManager.java b/.../src/main/java/org/wildfly/extension/undertow/security/jacc/JACCAuthorizationManager.java
@@ -9,7 +9,6 @@
 
 import java.security.CodeSource;
 import java.security.Permission;
-import java.security.Policy;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
@@ -30,6 +29,7 @@
 import io.undertow.servlet.api.ServletInfo;
 import io.undertow.servlet.api.SingleConstraintMatch;
 import io.undertow.servlet.api.TransportGuaranteeType;
+import org.wildfly.security.authz.jacc.PolicyUtil;
 import org.wildfly.security.manager.WildFlySecurityManager;
 
 /**
@@ -125,8 +125,8 @@ private boolean hasPermission(Account account, Deployment deployment, ServletInf
     }
 
     private boolean hasPermission(ProtectionDomain domain, Permission permission) {
-        Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy();
-        return policy.implies(domain, permission);
+        PolicyUtil policyUtil = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<PolicyUtil>) PolicyUtil::getPolicyUtil) : PolicyUtil.getPolicyUtil();
+        return policyUtil.implies(domain, permission);
     }
 
     private Principal[] getGrantedRoles(Account account, Deployment deployment) {