[
https://issues.apache.org/jira/browse/TOMEE-2946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17284768#comment-17284768
]
Nikhil edited comment on TOMEE-2946 at 2/16/21, 3:42 AM:
---------------------------------------------------------
I have further analyzed the issue over weekend and here are my views..
An enterprise application with various stateful beans having local and remote
implementations used via @Remote & @Local annotations, User roles are managed
with a custom LDAPRealm and allowed with the @RolesAllowed annotation in the
respective classes. All the these are packaged into a distributable library
part of common deployment architecture..
{quote}*File :: Sample.ear*
-> myapp1.war
-> myapp2.war
-> myapp3.war
-> mylib.jar - (openejb beans defined here)
{quote}
when trying to deploy the application, exception at
*org.apache.openejb.core.stateful.StatefulContainer.checkAuthorization(StatefulContainer.java:894)*
while trying to check the permissions while running a particular EJB class
method (Though the designated roles assigned are already available) we see the
below root level error –
{quote}*java.security.AccessControlException: access denied
("javax.security.jacc.EJBMethodPermission" "MyEJBName"
"MyEJBMethodName,Remote,boolean")*
{quote}
when debugging through the internals of openEJB implementations - it fails
during the permissions check w.r.t *openejb-core* library correctly defined
though and here are the context details when validating the permissions in
java.security.ProtectionDomain.implies() Line#288.
{quote}[ProtectionDomain
([file:/C:/MyServer/lib/openejb-core-8.0.6.jar|file:///C:/MyServer/lib/openejb-core-8.0.6.jar]
<no signer certificates>) java.net.URLClassLoader@614ddd49 (principals
org.apache.tomee.catalina.TomcatSecurityService$TomcatUser "user1")
java.security.Permissions@4167afe3 ( ("java.net.SocketPermission"
"localhost:0" "listen,resolve") ("java.lang.RuntimePermission" "stopThread")
("java.io.FilePermission" "\C:\MyServer\lib\openejb-core-8.0.6.jar" "read")
("java.util.PropertyPermission" "java.specification.version" "read")
("java.util.PropertyPermission" "java.version" "read")
("java.util.PropertyPermission" "os.arch" "read")
("java.util.PropertyPermission" "java.specification.vendor" "read")
("java.util.PropertyPermission" "java.vm.specification.name" "read")
("java.util.PropertyPermission" "java.vm.vendor" "read")
("java.util.PropertyPermission" "path.separator" "read")
("java.util.PropertyPermission" "os.version" "read")
("java.util.PropertyPermission" "file.separator" "read")
("java.util.PropertyPermission" "line.separator" "read")
("java.util.PropertyPermission" "java.vm.specification.vendor" "read")
("java.util.PropertyPermission" "java.specification.name" "read")
("java.util.PropertyPermission" "java.vendor.url" "read")
("java.util.PropertyPermission" "java.vendor" "read")
("java.util.PropertyPermission" "java.vm.version" "read")
("java.util.PropertyPermission" "java.vm.name" "read")
("java.util.PropertyPermission" "java.vm.specification.version" "read")
("java.util.PropertyPermission" "os.name" "read")
("java.util.PropertyPermission" "java.class.version" "read") ) ]
{quote}
After these, tried to include a security policy declarations w.r.t jars/files
in *catalina.policy* (part of TomEE distribution) but that didn't work though -
*Java binary args ::*
{quote}-Djava.security.manager
-Djava.security.policy==C:\Myserver\conf\catalina.policy
{quote}
*catalina.policy file changes ::*
{quote}grant codeBase
"jar:[file:$|file://%24/]{catalina.home}/apps/mylib.jar!/-"
{
permission java.security.AllPermission;
{{};}}
{quote}
Also, tried with the below generic settings (just to ensure the bug analysis)
but that didn't help –
{quote}{{grant}}
{
permission java.security.AllPermission;
{{};}}
{quote}
I found a similar problem reported @
[http://tomee-openejb.979440.n4.nabble.com/OpenEJB-Embedded-Tomcat-and-SecurityManager-problem-with-java-lang-RuntimePermission-setContextClassr-td3598921.html]
but thats very old and no responses at the moment.
Debugging through the security realms further to see any other traces around
the issue..
was (Author: somasaninikhil):
I have further analyzed the issue over weekend and here are my views..
An enterprise application with various stateful beans having local and remote
implementations used via @Remote & @Local annotations, User roles are managed
with a custom LDAPRealm and allowed with the @RolesAllowed annotation in the
respective classes. All the these are packaged into a distributable library
part of common deployment architecture..
{quote}*File :: Sample.ear*
-> myapp1.war
-> myapp2.war
-> myapp3.war
-> mylib.jar - (openejb beans defined here)
{quote}
when trying to deploy the application, exception at
*org.apache.openejb.core.stateful.StatefulContainer.checkAuthorization(StatefulContainer.java:894)*
while trying to check the permissions while running a particular EJB class
method (Though the designated roles assigned are already available) we see the
below root level error –
{quote}*java.security.AccessControlException: access denied
("javax.security.jacc.EJBMethodPermission" "MyEJBName"
"MyEJBMethodName,Remote,boolean")*
{quote}
when debugging through the internals of openEJB implementations - it fails
during the permissions check w.r.t *openejb-core* library correctly defined
though and here are the context details when validating the permissions in
java.security.ProtectionDomain.implies() Line#288.
{quote}[ProtectionDomain
([file:/C:/MyServer/lib/openejb-core-8.0.6.jar|file:///C:/MyServer/lib/openejb-core-8.0.6.jar]
<no signer certificates>) java.net.URLClassLoader@614ddd49 (principals
org.apache.tomee.catalina.TomcatSecurityService$TomcatUser "user1")
java.security.Permissions@4167afe3 ( ("java.net.SocketPermission"
"localhost:0" "listen,resolve") ("java.lang.RuntimePermission" "stopThread")
("java.io.FilePermission" "\C:\MyServer\lib\openejb-core-8.0.6.jar" "read")
("java.util.PropertyPermission" "java.specification.version" "read")
("java.util.PropertyPermission" "java.version" "read")
("java.util.PropertyPermission" "os.arch" "read")
("java.util.PropertyPermission" "java.specification.vendor" "read")
("java.util.PropertyPermission" "java.vm.specification.name" "read")
("java.util.PropertyPermission" "java.vm.vendor" "read")
("java.util.PropertyPermission" "path.separator" "read")
("java.util.PropertyPermission" "os.version" "read")
("java.util.PropertyPermission" "file.separator" "read")
("java.util.PropertyPermission" "line.separator" "read")
("java.util.PropertyPermission" "java.vm.specification.vendor" "read")
("java.util.PropertyPermission" "java.specification.name" "read")
("java.util.PropertyPermission" "java.vendor.url" "read")
("java.util.PropertyPermission" "java.vendor" "read")
("java.util.PropertyPermission" "java.vm.version" "read")
("java.util.PropertyPermission" "java.vm.name" "read")
("java.util.PropertyPermission" "java.vm.specification.version" "read")
("java.util.PropertyPermission" "os.name" "read")
("java.util.PropertyPermission" "java.class.version" "read") ) ]
{quote}
After these, tried to include a security policy declarations w.r.t jars/files
in *catalina.policy* (part of TomEE distribution) but that didn't work though -
*Java binary args ::*
{quote}-Djava.security.manager
-Djava.security.policy==C:\Myserver\conf\catalina.policy
{quote}
*catalina.policy file changes ::*
{quote}{{ grant codeBase
"jar:[file:$|file://%24/]{catalina.home}/apps/mylib.jar!/-"}}
{{{ }}
{{permission java.security.AllPermission; }}
{{};}}
{quote}
Also, tried with the below generic settings (just to ensure the bug analysis)
but that didn't help –
{quote}{{grant}}
{{{ }}
{{permission java.security.AllPermission; }}
{{};}}
{quote}
I found a similar problem reported @
[http://tomee-openejb.979440.n4.nabble.com/OpenEJB-Embedded-Tomcat-and-SecurityManager-problem-with-java-lang-RuntimePermission-setContextClassr-td3598921.html]
but thats very old and no responses at the moment.
Debugging through the security realms further to see any other traces around
the issue..
> "Unauthorized Access by Principal Denied" error when trying to deploy an
> application after updating tomee from 8.0.3 to 8.0.5
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: TOMEE-2946
> URL: https://issues.apache.org/jira/browse/TOMEE-2946
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Build
> Affects Versions: 8.0.3, 8.0.4, 8.0.5, 8.0.6
> Environment: OS :: Windows
> JAVA :: Oracle JDK "1.8.0_161" and Adopt OpenJDK "1.8.0_275"
> TomEE version :: 8.0.3 / 8.0.4 / 8.0.5
> ActiveMQ :: 5.16.0
> Reporter: Nikhil
> Priority: Critical
>
> we have an enterprise application which is currently deployed over TomEE
> 8.0.3 and working fine.
>
> we have tried to update the TomEE base container from 8.0.3 to 8.0.5 & try to
> start the server to deploy the application.
> The server starts working fine but when we try to connect to the application,
> we keep getting the below errors ::
>
> [java] javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
> [java] at
> org.apache.openejb.core.stateful.StatefulContainer.checkAuthorization(StatefulContainer.java:894)
> [java] at
> org.apache.openejb.core.stateful.StatefulContainer.businessMethod(StatefulContainer.java:686)
> [java] at
> org.apache.openejb.core.stateful.StatefulContainer.invoke(StatefulContainer.java:379)
> [java] at
> org.apache.openejb.server.ejbd.EjbRequestHandler.doEjbObject_BUSINESS_METHOD(EjbRequestHandler.java:371)
> [java] at
> org.apache.openejb.server.ejbd.EjbRequestHandler.processRequest(EjbRequestHandler.java:182)
> [java] at
> org.apache.openejb.server.ejbd.EjbDaemon.processEjbRequest(EjbDaemon.java:360)
> [java] at
> org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:247)
> [java] at
> org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:104)
> [java] at
> org.apache.openejb.server.httpd.ServerServlet.service(ServerServlet.java:60)
> [java] at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
> [java] at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
> [java] at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
> [java] at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
> [java] at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
> [java] at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:45)
> [java] at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
> [java] at
> org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:182)
> [java] at
> org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:330)
> [java] at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
> [java] at
> org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97)
> [java] at
> org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
> [java] at
> org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
> [java] at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
> [java] at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
> [java] at
> org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
> [java] at
> org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
> [java] at
> org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
> [java] at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597)
> [java] at
> org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
> [java] at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> [java] at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> [java] at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> [java] at java.lang.Thread.run(Thread.java:748)
>
>
> I have tried to replicate the issue by just updating the tomcat from *9.0.37
> to 9.0.38* or later without actually updating the tomee version but still see
> the same issue.. Through the initial analysis the tomcat version 9.0.38 and
> later comes with *module-info.class* inside the jars to support JDK 9 along
> with JDK8 but not sure if that's the case.
>
> Can someone please take a look and confirm if its specific with the
> tomcat/tomee update and any workarounds for the same ?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
