security-manager minimum-set for MBeanServerPermission createMBeanServer not working but permissions.xml does in JBoss EAP 7.2

Solution Unverified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.2

Issue

  • security-manager minimum-set for MBeanServerPermission createMBeanServer not working but permissions.xml does in JBoss EAP 7.2, getting this error:

      ERROR [stderr] (ServerService Thread Pool -- 81) java.security.AccessControlException: WFSM000001: Permission check failed (permission "("javax.management.MBeanServerPermission" "createMBeanServer")" in code source "(vfs:/opt/jboss/jboss-eap-7.2/standalone/deployments/createMBeanServer.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.createMBeanServer.jar" from Service Module Loader")
    

    Even though this permission is set in the minimum-set:

      <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
          <deployment-permissions>
              <minimum-set>
                  <permission class="javax.management.MBeanServerPermission" name="createMBeanServer"/>
              </minimum-set>
              <maximum-set>
                  <permission class="java.security.AllPermission"/>
              </maximum-set>
          </deployment-permissions>
      </subsystem>
    
  • EAP does not start because of a NullPointerException when a minimum-set is specified:

      ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 67) WFLYCTL0013: Operation ("add") failed - address: ([("subsystem" => "security-manager")]): java.lang.NullPointerException
      	at java.security.Permissions.getPermissionCollection(Permissions.java:240)
      	at java.security.Permissions.implies(Permissions.java:179)
      	at org.jboss.modules.security.FactoryPermissionCollection.implies(FactoryPermissionCollection.java:75)
      	at org.wildfly.extension.security.manager.SecurityManagerSubsystemAdd.performBoottime(SecurityManagerSubsystemAdd.java:101)
              ...
    

    For example, the following minimum-set triggers the NPE:

              <minimum-set>
                  <permission class="java.util.logging.LoggingPermission" name="control"/>
              </minimum-set>
    

Resolution

Apply JBoss EAP 7.2 CP2 or later.

As a workaround, add module="java.se" to the permission element so that the permission class is visible. The module attribute can be added to permissions in the minimum-set or the maximum-set, depending on your needs.

        <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
            <deployment-permissions>
                <minimum-set>
                    <permission class="javax.management.MBeanServerPermission" name="createMBeanServer" module="java.se"/>
                </minimum-set>
                <maximum-set>
                    <permission class="java.security.AllPermission"/>
                </maximum-set>
            </deployment-permissions>
        </subsystem>
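
A check for the condition this workaround addresses, as an added example (not Red Hat's code): it lists every permission in the security-manager subsystem of a configuration file that has no module attribute, run here against the two snippets from this page. An entry without module is a candidate to review on releases before 7.2 CP2, not necessarily broken; the function and constant names are assumptions.

```python
import xml.etree.ElementTree as ET

SM_NS_PREFIX = "urn:jboss:domain:security-manager:"

# The two subsystem snippets shown on this page (before / after the workaround).
BEFORE = """<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
  <deployment-permissions>
    <minimum-set>
      <permission class="javax.management.MBeanServerPermission" name="createMBeanServer"/>
    </minimum-set>
    <maximum-set>
      <permission class="java.security.AllPermission"/>
    </maximum-set>
  </deployment-permissions>
</subsystem>"""
AFTER = BEFORE.replace('name="createMBeanServer"/>',
                       'name="createMBeanServer" module="java.se"/>')

def _split(tag):
    # "{namespace}local" -> (namespace, local); plain tags -> ("", tag)
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def permissions_without_module(config_xml):
    """Return (set name, class, name) for each <permission> in the
    security-manager subsystem that carries no module attribute."""
    findings = []
    root = ET.fromstring(config_xml)
    for subsystem in root.iter():  # also works on a full standalone.xml
        ns, local = _split(subsystem.tag)
        if local != "subsystem" or not ns.startswith(SM_NS_PREFIX):
            continue
        for perm_set in subsystem.iter():
            set_name = _split(perm_set.tag)[1]
            if set_name not in ("minimum-set", "maximum-set"):
                continue
            for perm in perm_set:
                if _split(perm.tag)[1] == "permission" and not perm.get("module"):
                    findings.append((set_name, perm.get("class"), perm.get("name")))
    return findings

if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        for set_name, cls, name in permissions_without_module(xml_text):
            print(f"{label}: {set_name}: {cls} {name or ''} has no module attribute")
```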

Root Cause

The root cause is that a change in the module dependencies made java.se not accessible to the security manager (when defined at standalone or domain configuration file level).

The issue is tracked in JIRA: JBEAP-16526 - security-manager minimum-set for MBeanServerPermission createMBeanServer not working but permissions.xml does.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.