From 5c72a645fbeb2e82c2d09610cbda8a1862fe5a64 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse
Date: Tue, 26 Nov 2024 12:05:55 +0000
Subject: [PATCH 1/3] [WFLY-20001] Update the JaccService to use the new PolicyUtil SPI for Policy access.
---
 .../system/layers/base/org/jboss/as/ee/main/module.xml | 1 +
 ee/pom.xml | 4 ++++
 ee/src/main/java/org/jboss/as/ee/security/JaccService.java | 5 ++---
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ee/main/module.xml b/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ee/main/module.xml
index f3af1b94c5be..f7e446406d30 100644
--- a/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ee/main/module.xml
+++ b/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ee/main/module.xml
@@ -31,6 +31,7 @@ +
diff --git a/ee/pom.xml b/ee/pom.xml
index ea88e16b278a..e9e6aeae0c2b 100644
--- a/ee/pom.xml
+++ b/ee/pom.xml
@@ -143,6 +143,10 @@ org.wildfly.security wildfly-elytron-security-manager-action + + org.wildfly.security.jakarta + jakarta-authorization + org.wildfly.transaction wildfly-transaction-client
diff --git a/ee/src/main/java/org/jboss/as/ee/security/JaccService.java b/ee/src/main/java/org/jboss/as/ee/security/JaccService.java
index 435fc2e93d3e..bd3cf944582f 100644
--- a/ee/src/main/java/org/jboss/as/ee/security/JaccService.java
+++ b/ee/src/main/java/org/jboss/as/ee/security/JaccService.java
@@ -7,8 +7,7 @@
 import static org.jboss.as.ee.logging.EeLogger.ROOT_LOGGER;
 import static org.wildfly.common.Assert.checkNotNullParam;
-
-import java.security.Policy;
+import static org.wildfly.security.authz.jacc.PolicyUtil.getPolicyUtil;
 import jakarta.security.jacc.PolicyConfiguration;
 import jakarta.security.jacc.PolicyConfigurationFactory;
@@ -84,7 +83,7 @@ public void start(StartContext context) throws StartException {
 policyConfiguration.commit();
 }
 // Allow the policy to incorporate the policy configs
- Policy.getPolicy().refresh();
+ getPolicyUtil().refresh();
 }
 } catch (Exception e) {
 throw ROOT_LOGGER.unableToStartException("JaccService", e);
From b8b8b6758cfc54911fa4796649d053a87d4c6747 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse
Date: Tue, 26 Nov 2024 12:22:39 +0000
Subject: [PATCH 2/3] [WFLY-20001] Update the EJB3 subsystem to use the new PolicyUtil for Policy access.
---
 .../system/layers/base/org/jboss/as/ejb3/main/module.xml | 1 +
 ejb3/pom.xml | 5 +++++
 .../main/java/org/jboss/as/ejb3/component/EJBComponent.java | 6 +++---
 .../java/org/jboss/as/ejb3/security/JaccInterceptor.java | 6 +++---
 4 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ejb3/main/module.xml b/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ejb3/main/module.xml
index 15682b314b47..95752a31e1eb 100644
--- a/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ejb3/main/module.xml
+++ b/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/jboss/as/ejb3/main/module.xml
@@ -108,6 +108,7 @@ +
diff --git a/ejb3/pom.xml b/ejb3/pom.xml
index 5193305075a4..ac761cba1e7d 100644
--- a/ejb3/pom.xml
+++ b/ejb3/pom.xml
@@ -209,6 +209,11 @@ vi:ts=4:sw=4:expandtab wildfly-elytron-security-manager-action + + org.wildfly.security.jakarta + jakarta-authorization + + jakarta.transaction jakarta.transaction-api
diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
index 4f617dd5873a..8c4fbf020a3c 100644
--- a/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
+++ b/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
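Review bot: `getPolicyUtil().refresh()` in the `@@ -84,7 +83,7 @@` hunk is the only lookup of the `PolicyUtil` in this series that is not wrapped in the `WildFlySecurityManager.isChecking() ? doPrivileged(...) : ...` guard that EJBComponent, JaccInterceptor and JACCAuthorizationManager keep. If `PolicyUtil.getPolicyUtil()` performs a permission check when a security manager is active (not visible in this diff), service start would fail here with the generic `unableToStartException`; if it performs none, the three guarded call sites carry a dead privileged branch. Either way the assumption should be stated once at this line, e.g. `// NOTE(review): confirm whether PolicyUtil.getPolicyUtil() needs doPrivileged under a security manager, as the other JACC call sites assume`, or the same guard applied here. `start` begins and ends outside the hunk.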
@@ -9,7 +9,6 @@
 import java.lang.reflect.Method;
 import java.security.AccessController;
-import java.security.Policy;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
@@ -68,6 +67,7 @@
 import org.wildfly.security.auth.server.SecurityDomain;
 import org.wildfly.security.auth.server.SecurityIdentity;
 import org.wildfly.security.authz.Roles;
+import org.wildfly.security.authz.jacc.PolicyUtil;
 import org.wildfly.security.manager.WildFlySecurityManager;
 import org.wildfly.transaction.client.ContextTransactionManager;
@@ -423,9 +423,9 @@ public boolean isBeanManagedTransaction() {
 public boolean isCallerInRole(final String roleName) throws IllegalStateException {
 if (isSecurityDomainKnown()) {
 if (enableJacc) {
- Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction) Policy::getPolicy) : Policy.getPolicy();
+ PolicyUtil policyUtil = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction) PolicyUtil::getPolicyUtil) : PolicyUtil.getPolicyUtil();
 ProtectionDomain domain = new ProtectionDomain(null, null, null, JaccInterceptor.getGrantedRoles(getCallerSecurityIdentity()));
- return policy.implies(domain, new EJBRoleRefPermission(getComponentName(), roleName));
+ return policyUtil.implies(domain, new EJBRoleRefPermission(getComponentName(), roleName));
 } else {
 boolean tmpBool = checkCallerSecurityIdentityRole(roleName); // rls debug todo remove
 if (ROOT_LOGGER.isTraceEnabled()) {
diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/security/JaccInterceptor.java b/ejb3/src/main/java/org/jboss/as/ejb3/security/JaccInterceptor.java
index bb7ba36c12b3..32896039413b 100644
--- a/ejb3/src/main/java/org/jboss/as/ejb3/security/JaccInterceptor.java
+++ b/ejb3/src/main/java/org/jboss/as/ejb3/security/JaccInterceptor.java
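Review bot: The rewritten lookup in `isCallerInRole` keeps the raw `PrivilegedAction` cast, so `doPrivileged((PrivilegedAction) PolicyUtil::getPolicyUtil)` reaches the `PolicyUtil` local only through an unchecked conversion that the compiler cannot verify. Since the line is new it can be typed: `PolicyUtil policyUtil = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<PolicyUtil>) PolicyUtil::getPolicyUtil) : PolicyUtil.getPolicyUtil();`. The same raw cast is introduced in the JaccInterceptor `hasPermission` hunk and in the JACCAuthorizationManager `hasPermission` hunk. `isCallerInRole` continues past the end of the hunk.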
@@ -9,7 +9,6 @@
 import java.lang.reflect.Method;
 import java.security.AccessController;
-import java.security.Policy;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
@@ -32,6 +31,7 @@
 import org.wildfly.common.Assert;
 import org.wildfly.security.auth.server.SecurityDomain;
 import org.wildfly.security.auth.server.SecurityIdentity;
+import org.wildfly.security.authz.jacc.PolicyUtil;
 import org.wildfly.security.manager.WildFlySecurityManager;
 /**
@@ -96,8 +96,8 @@ private void hasPermission(EJBComponent ejbComponent, ComponentView componentVie
 MethodInterfaceType methodIntfType = componentView.getPrivateData(MethodInterfaceType.class);
 EJBMethodPermission permission = createEjbMethodPermission(method, ejbComponent, methodIntfType);
 ProtectionDomain domain = new ProtectionDomain (componentView.getProxyClass().getProtectionDomain().getCodeSource(), null, null, getGrantedRoles(securityIdentity));
- Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction) Policy::getPolicy) : Policy.getPolicy();
- if (!policy.implies(domain, permission)) {
+ PolicyUtil policyUtil = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction) PolicyUtil::getPolicyUtil) : PolicyUtil.getPolicyUtil();
+ if (!policyUtil.implies(domain, permission)) {
 throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(method,ejbComponent.getComponentName());
 }
 }
From b3bf55e9f1afca289794d53fbbf0ce0b6e4f8191 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse
Date: Tue, 26 Nov 2024 12:28:47 +0000
Subject: [PATCH 3/3] [WFLY-20001] Update the Undertow subsystem to use the new PolicyUtil for Policy access.
---
 .../base/org/wildfly/extension/undertow/main/module.xml | 1 +
 undertow/pom.xml | 4 ++++
 .../undertow/security/jacc/JACCAuthorizationManager.java | 6 +++---
 3 files changed, 8 insertions(+), 3 deletions(-)
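Review bot: `policyUtil.implies(domain, permission)` in `hasPermission` changes which authority makes the EJB method-permission decision: previously `Policy.getPolicy()` returned whatever `java.security.Policy` was installed JVM-wide, now the decision is whatever `PolicyUtil.getPolicyUtil()` returns, and nothing in this diff shows how that instance is configured. That is the security-relevant part of the change, so a why-comment at the lookup would help the next reader, e.g. `// Authorization is decided by the Elytron JACC PolicyUtil, no longer by the JVM-wide java.security.Policy`, plus a sentence in the class Javadoc (the `/**` context line of the `@@ -32,6 +31,7 @@` hunk) saying JACC is resolved through Elytron. Whether `getPolicyUtil()` can return null before the JACC policy is configured is not visible here; if it can, the call would fail with a NullPointerException instead of a deny, so a deny-by-default check on a null result may be warranted. `hasPermission` starts before the hunk.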
diff --git a/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/wildfly/extension/undertow/main/module.xml b/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/wildfly/extension/undertow/main/module.xml
index 20b609e084ac..7223201722bb 100644
--- a/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/wildfly/extension/undertow/main/module.xml
+++ b/ee-feature-pack/galleon-shared/src/main/resources/modules/system/layers/base/org/wildfly/extension/undertow/main/module.xml
@@ -54,6 +54,7 @@ +
diff --git a/undertow/pom.xml b/undertow/pom.xml
index 6f7bbca5e794..3ef053155b87 100644
--- a/undertow/pom.xml
+++ b/undertow/pom.xml
@@ -260,6 +260,10 @@ org.wildfly.security wildfly-elytron-ssl + + org.wildfly.security.jakarta + jakarta-authorization + com.google.guava guava
diff --git a/undertow/src/main/java/org/wildfly/extension/undertow/security/jacc/JACCAuthorizationManager.java b/undertow/src/main/java/org/wildfly/extension/undertow/security/jacc/JACCAuthorizationManager.java
index 671c3ee19ff6..051c5fe5a884 100644
--- a/undertow/src/main/java/org/wildfly/extension/undertow/security/jacc/JACCAuthorizationManager.java
+++ b/undertow/src/main/java/org/wildfly/extension/undertow/security/jacc/JACCAuthorizationManager.java
@@ -9,7 +9,6 @@
 import java.security.CodeSource;
 import java.security.Permission;
-import java.security.Policy;
 import java.security.Principal;
 import java.security.PrivilegedAction;
 import java.security.ProtectionDomain;
@@ -30,6 +29,7 @@
 import io.undertow.servlet.api.ServletInfo;
 import io.undertow.servlet.api.SingleConstraintMatch;
 import io.undertow.servlet.api.TransportGuaranteeType;
+import org.wildfly.security.authz.jacc.PolicyUtil;
 import org.wildfly.security.manager.WildFlySecurityManager;
 /**
@@ -125,8 +125,8 @@ private boolean hasPermission(Account account, Deployment deployment, ServletInf
 }
 private boolean hasPermission(ProtectionDomain domain, Permission permission) {
- Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction) Policy::getPolicy) : Policy.getPolicy();
- return policy.implies(domain, permission);
+ PolicyUtil policyUtil = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction) PolicyUtil::getPolicyUtil) : PolicyUtil.getPolicyUtil();
+ return policyUtil.implies(domain, permission);
 }
 private Principal[] getGrantedRoles(Account account, Deployment deployment) {
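Review bot: `hasPermission(ProtectionDomain, Permission)` is rewritten without any Javadoc, although it is now the single point where every servlet-constraint decision in this class reaches the new authority. A short doc above the signature would make the contract and the guard explicit, e.g. `/** Asks the Elytron JACC {@code PolicyUtil} whether {@code permission} is implied for {@code domain}; the lookup runs under doPrivileged only while a security manager is checking. */`. The method is fully contained in the hunk.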