[
https://issues.apache.org/jira/browse/TOMEE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17284768#comment-17284768
]
Nikhil edited comment on TOMEE-2946 at 2/15/21, 3:10 PM:
---------------------------------------------------------
I have further analyzed the issue over weekend and here are my views..
An enterprise application with various stateful beans having local and remote
implementations used via @Remote & @Local annotations, User roles are managed
with a custom LDAPRealm and allowed with the @RolesAllowed annotation in the
respective classes. All the these are packaged into a distributable library
part of common deployment architecture..
*File :: Sample.ear*
-> myapp1.war
-> myapp2.war
-> myapp3.war
-> mylib.jar - (openejb beans defined here)
when trying to deploy the application, exception at
*org.apache.openejb.core.stateful.StatefulContainer.checkAuthorization(StatefulContainer.java:894)*
while trying to check the permissions while running a particular EJB class
method (Though the designated roles assigned are already available) we see the
below root level error –
*java.security.AccessControlException: access denied
("javax.security.jacc.EJBMethodPermission" "MyEJBName"
"MyEJBMethodName,Remote,boolean")*
when debugging through the internals of openEJB implementations - it fails
during the permissions check w.r.t *openejb-core* library correctly defined
though and here are the context details when validating the permissions in
java.security.ProtectionDomain.implies() Line#288.
[ProtectionDomain
([file:/C:/MyServer/lib/openejb-core-8.0.6.jar|file:///C:/MyServer/lib/openejb-core-8.0.6.jar]
<no signer certificates>) java.net.URLClassLoader@614ddd49 (principals
org.apache.tomee.catalina.TomcatSecurityService$TomcatUser "user1")
java.security.Permissions@4167afe3 ( ("java.net.SocketPermission"
"localhost:0" "listen,resolve") ("java.lang.RuntimePermission" "stopThread")
("java.io.FilePermission" "\C:\MyServer\lib\openejb-core-8.0.6.jar" "read")
("java.util.PropertyPermission" "java.specification.version" "read")
("java.util.PropertyPermission" "java.version" "read")
("java.util.PropertyPermission" "os.arch" "read")
("java.util.PropertyPermission" "java.specification.vendor" "read")
("java.util.PropertyPermission" "java.vm.specification.name" "read")
("java.util.PropertyPermission" "java.vm.vendor" "read")
("java.util.PropertyPermission" "path.separator" "read")
("java.util.PropertyPermission" "os.version" "read")
("java.util.PropertyPermission" "file.separator" "read")
("java.util.PropertyPermission" "line.separator" "read")
("java.util.PropertyPermission" "java.vm.specification.vendor" "read")
("java.util.PropertyPermission" "java.specification.name" "read")
("java.util.PropertyPermission" "java.vendor.url" "read")
("java.util.PropertyPermission" "java.vendor" "read")
("java.util.PropertyPermission" "java.vm.version" "read")
("java.util.PropertyPermission" "java.vm.name" "read")
("java.util.PropertyPermission" "java.vm.specification.version" "read")
("java.util.PropertyPermission" "os.name" "read")
("java.util.PropertyPermission" "java.class.version" "read") ) ]
After these, tried to include a security policy declarations w.r.t jars/files
in *catalina.policy* (part of TomEE distribution) but that didn't work though -
==============
*Java binary args ::*
==============
-Djava.security.manager
-Djava.security.policy==C:\Myserver\conf\catalina.policy
======================
*catalina.policy file changes ::*
======================
grant codeBase "jar:[file:$|file://%24/]{catalina.home}/apps/mylib.jar!/-"
{ permission java.security.AllPermission; }
;
Also, tried with the below generic settings (just to ensure the bug analysis)
but that didn't help –
grant
{ permission java.security.AllPermission; }
;
I found a similar problem reported @
[http://tomee-openejb.979440.n4.nabble.com/OpenEJB-Embedded-Tomcat-and-SecurityManager-problem-with-java-lang-RuntimePermission-setContextClassr-td3598921.html]
but thats very old and no responses at the moment.
Debugging through the security realms further to see any other traces around
the issue..
was (Author: somasaninikhil):
I have further analysed the issue over weekend and here are my views..I have
further analysed the issue over weekend and here are my views..
An enterprise application with various stateful beans having local and remote
implementations used via @Remote & @Local annotations, User roles are managed
with a custom LDAPRealm and allowed with the @RolesAllowed annotion in the
respective classes. All the these are packaged into a distributable library
part of common deployment architecture..
*File :: Sample.ear*
-> myapp1.war
-> myapp2.war
-> myapp3.war
-> mylib.jar - (openejb beans defined here)
when trying to deploy the application, exception at
*org.apache.openejb.core.stateful.StatefulContainer.checkAuthorization(StatefulContainer.java:894)*
while trying to check the permissions while running a particular EJB class
method (Though the designated roles assigned are already available) we see the
below root level error --
*java.security.AccessControlException: access denied
("javax.security.jacc.EJBMethodPermission" "MyEJBName"
"MyEJBMethodName,Remote,boolean")*
when debugging through the internals of openEJB implementations - it fails
during the permissions check w.r.t *openejb-core* library correctly defined
though and here are the context details when validating the permissions in
java.security.ProtectionDomain.implies() Line#288.
[ProtectionDomain (file:/C:/MyServer/lib/openejb-core-8.0.6.jar <no signer
certificates>) java.net.URLClassLoader@614ddd49 (principals
org.apache.tomee.catalina.TomcatSecurityService$TomcatUser "user1")
java.security.Permissions@4167afe3 ( ("java.net.SocketPermission"
"localhost:0" "listen,resolve") ("java.lang.RuntimePermission" "stopThread")
("java.io.FilePermission" "\C:\MyServer\lib\openejb-core-8.0.6.jar" "read")
("java.util.PropertyPermission" "java.specification.version" "read")
("java.util.PropertyPermission" "java.version" "read")
("java.util.PropertyPermission" "os.arch" "read")
("java.util.PropertyPermission" "java.specification.vendor" "read")
("java.util.PropertyPermission" "java.vm.specification.name" "read")
("java.util.PropertyPermission" "java.vm.vendor" "read")
("java.util.PropertyPermission" "path.separator" "read")
("java.util.PropertyPermission" "os.version" "read")
("java.util.PropertyPermission" "file.separator" "read")
("java.util.PropertyPermission" "line.separator" "read")
("java.util.PropertyPermission" "java.vm.specification.vendor" "read")
("java.util.PropertyPermission" "java.specification.name" "read")
("java.util.PropertyPermission" "java.vendor.url" "read")
("java.util.PropertyPermission" "java.vendor" "read")
("java.util.PropertyPermission" "java.vm.version" "read")
("java.util.PropertyPermission" "java.vm.name" "read")
("java.util.PropertyPermission" "java.vm.specification.version" "read")
("java.util.PropertyPermission" "os.name" "read")
("java.util.PropertyPermission" "java.class.version" "read") ) ]
After these, tried to include a security policy declarations w.r.t jars/files
in *catalina.policy* (part of TomEE distribution) but that didn't work though -
==============
*Java binary args ::*
==============
-Djava.security.manager -Djava.security.policy==C:\Myserver\conf\catalina.policy
======================
*catalina.policy file changes ::*
======================
grant codeBase "jar:file:${catalina.home}/apps/mylib.jar!/-"
{
permission java.security.AllPermission;
};
Also, tried with the below generic settings (just to ensure the bug analysis)
but that didn't help --
grant
{
permission java.security.AllPermission;
};
I found a similar problem reported @
[http://tomee-openejb.979440.n4.nabble.com/OpenEJB-Embedded-Tomcat-and-SecurityManager-problem-with-java-lang-RuntimePermission-setContextClassr-td3598921.html]
but thats very old and no responses at the moment.
Debugging through the security realms further to see any other traces around
the issue..
> "Unauthorized Access by Principal Denied" error when trying to deploy an
> application after updating tomee from 8.0.3 to 8.0.5
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: TOMEE-2946
> URL: https://issues.apache.org/jira/browse/TOMEE-2946
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Build
> Affects Versions: 8.0.3, 8.0.4, 8.0.5, 8.0.6
> Environment: OS :: Windows
> JAVA :: Oracle JDK "1.8.0_161" and Adopt OpenJDK "1.8.0_275"
> TomEE version :: 8.0.3 / 8.0.4 / 8.0.5
> ActiveMQ :: 5.16.0
> Reporter: Nikhil
> Priority: Critical
>
> we have an enterprise application which is currently deployed over TomEE
> 8.0.3 and working fine.
>
> we have tried to update the TomEE base container from 8.0.3 to 8.0.5 & try to
> start the server to deploy the application.
> The server starts working fine but when we try to connect to the application,
> we keep getting the below errors ::
>
> [java] javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
> [java] at
> org.apache.openejb.core.stateful.StatefulContainer.checkAuthorization(StatefulContainer.java:894)
> [java] at
> org.apache.openejb.core.stateful.StatefulContainer.businessMethod(StatefulContainer.java:686)
> [java] at
> org.apache.openejb.core.stateful.StatefulContainer.invoke(StatefulContainer.java:379)
> [java] at
> org.apache.openejb.server.ejbd.EjbRequestHandler.doEjbObject_BUSINESS_METHOD(EjbRequestHandler.java:371)
> [java] at
> org.apache.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:182)
> [java] at
> org.apache.openejb.server.ejbd.EjbDaemon.processEjbRequest(EjbDaemon.java:360)
> [java] at
> org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:247)
> [java] at
> org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:104)
> [java] at
> org.apache.openejb.server.httpd.ServerServlet.service(ServerServlet.java:60)
> [java] at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
> [java] at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> [java] at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> [java] at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
> [java] at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
> [java] at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:45)
> [java] at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
> [java] at
> org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:182)
> [java] at
> org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:330)
> [java] at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
> [java] at
> org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
> [java] at
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
> [java] at
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
> [java] at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
> [java] at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
> [java] at
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
> [java] at
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
> [java] at
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
> [java] at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597)
> [java] at
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> [java] at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> [java] at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> [java] at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> [java] at java.lang.Thread.run(Thread.java:748)
>
>
> I have tried to replicate the issue by just updating the tomcat from *9.0.37
> to 9.0.38* or later without actually updating the tomee version but still see
> the same issue.. Through the initial analysis the tomcat version 9.0.38 and
> later comes with *module-info.class* inside the jars to support JDK 9 along
> with JDK8 but not sure if that's the case.
>
> Can someone please take a look and confirm if its specific with the
> tomcat/tomee update and any workarounds for the same ?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
