From 8c5341fed9f64b839ca501aa79f418a2dccdbd57 Mon Sep 17 00:00:00 2001
From: Ingo Weiss
Date: Tue, 9 Jul 2024 10:58:43 +0100
Subject: [PATCH 1/5] [ELY-2783] Fix LdapTestSuite on JDK 8u362+

Issue: https://issues.redhat.com/browse/ELY-2783
---
 .../java/org/wildfly/security/ldap/DirContextFactoryRule.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/java/org/wildfly/security/ldap/DirContextFactoryRule.java b/src/test/java/org/wildfly/security/ldap/DirContextFactoryRule.java
index 909da1d4d3d..1f15363d49e 100644
--- a/src/test/java/org/wildfly/security/ldap/DirContextFactoryRule.java
+++ b/src/test/java/org/wildfly/security/ldap/DirContextFactoryRule.java
@@ -80,7 +80,7 @@ public ExceptionSupplier create() {
 TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 trustFactory.init(keyStore);
- SSLContext context = SSLContext.getInstance("TLS");
+ SSLContext context = SSLContext.getInstance("TLSv1.2");
 context.init(null, trustFactory.getTrustManagers(), null);
 socketFactory = context.getSocketFactory();
 } catch (Exception e) {

From ee9995e533534643b03e1b47b1581e0c18f9b539 Mon Sep 17 00:00:00 2001
From: Ingo Weiss
Date: Wed, 10 Jul 2024 06:38:08 +0100
Subject: [PATCH 2/5] [ELY-2784] GSS compatibility tests fail with Java 8u362+

Issue: https://issues.redhat.com/browse/ELY-2784
---
 .../security/sasl/gssapi/GssapiCompatibilitySuiteChild.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/test/java/org/wildfly/security/sasl/gssapi/GssapiCompatibilitySuiteChild.java b/src/test/java/org/wildfly/security/sasl/gssapi/GssapiCompatibilitySuiteChild.java
index 2a4c35d0230..ebdda0c98f0 100644
--- a/src/test/java/org/wildfly/security/sasl/gssapi/GssapiCompatibilitySuiteChild.java
+++ b/src/test/java/org/wildfly/security/sasl/gssapi/GssapiCompatibilitySuiteChild.java
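Review bot: The switch to `SSLContext.getInstance("TLSv1.2")` carries no comment, so a later reader cannot tell whether the default "TLS" context stopped working because of the test LDAP server's protocol support or because of a client-side change in JDK 8u362+, and the commit message only names the JDK version. A one-line comment above the changed line, such as `// ELY-2783: the default "TLS" context fails against the test LDAP server on JDK 8u362+; pin TLSv1.2 (test-only workaround)`, would record that, adjusted to whatever the actual cause turned out to be. Pinning the version also keeps TLSv1.3 out of this test path on newer JDKs, which is worth stating explicitly so the line is not copied into non-test code as a recommended setting. create() starts and ends outside the hunk.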
@@ -54,6 +54,7 @@
 import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.FixMethodOrder;
+import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.MethodSorters;
@@ -89,6 +90,7 @@ public class GssapiCompatibilitySuiteChild {
 private static final Provider wildFlyElytronProvider = new WildFlyElytronProvider();
 @Test
+ @Ignore("ELY-2784")
 public void test1Auth() throws Exception {
 client = Subject.doAs(clientSubject, (PrivilegedExceptionAction) () -> {
@@ -149,6 +151,7 @@ public void test1Auth() throws Exception {
 }
 @Test
+ @Ignore("ELY-2784")
 public void test2AuthInt() throws Exception {
 client = Subject.doAs(clientSubject, (PrivilegedExceptionAction) () -> {
@@ -233,6 +236,7 @@ public void test2AuthInt() throws Exception {
 }
 @Test
+ @Ignore("ELY-2784")
 public void test3AuthConf() throws Exception {
 client = Subject.doAs(clientSubject, (PrivilegedExceptionAction) () -> {

From 4e7e1a1560863da8dc53185b429f4ccd211e4504 Mon Sep 17 00:00:00 2001
From: ChristinaDsl
Date: Wed, 3 Jul 2024 16:57:28 +0300
Subject: [PATCH 3/5] [ELY-2787] Adjust the offsets used for getCallerClass so individual methods only need to compensate for how they affected the call stack without second guessing other influences.

---
 .../security/manager/StackInspector.java | 2 +-
 .../manager/WildFlySecurityManager.java | 84 +++++++++++--------
 2 files changed, 49 insertions(+), 37 deletions(-)

diff --git a/src/main/java/org/wildfly/security/manager/StackInspector.java b/src/main/java/org/wildfly/security/manager/StackInspector.java
index 3c80127d582..629bff15dd4 100644
--- a/src/main/java/org/wildfly/security/manager/StackInspector.java
+++ b/src/main/java/org/wildfly/security/manager/StackInspector.java
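Review bot: `@Ignore("ELY-2784")` on test1Auth, test2AuthInt and test3AuthConf removes the only coverage of the GSSAPI auth, auth-int and auth-conf exchanges on every JDK, although the commit message describes a failure specific to Java 8u362+. At minimum the reason string should say what is skipped and why, `@Ignore("ELY-2784: GSS compatibility fails on JDK 8u362+")`, so it reads sensibly in test reports; a version-keyed `Assume.assumeTrue(...)` at the top of each test (or in a @BeforeClass method) would keep the tests running on the JDKs where they still pass. Until they are re-enabled, a regression in the integrity or confidentiality wrap/unwrap handling exercised by test2AuthInt and test3AuthConf would go unnoticed. The three hunks apply the same annotation and the same suggestion applies to each; the test bodies continue outside the hunks.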
@@ -60,7 +60,7 @@ public static StackInspector getInstance() {
 * @return the caller class
 */
 public Class getCallerClass(int skipFrames) {
- return WildFlySecurityManager.getCallerClass(max(0, skipFrames) + 2);
+ return WildFlySecurityManager.getCallerClass(max(0, skipFrames) + 1);
 }
 /**
diff --git a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
index b01d781fe49..bdad5110506 100644
--- a/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
+++ b/src/main/java/org/wildfly/security/manager/WildFlySecurityManager.java
@@ -145,9 +145,21 @@ public static void install() throws SecurityException {
 @SuppressWarnings("deprecation")
 static Class getCallerClass(int n) {
 if (hasGetCallerClass) {
- return Reflection.getCallerClass(n + callerOffset);
+ /*
+ * The callerOffset identifies how many calls on the stack by calling
+ * Reflection.getCallerClass.
+ *
+ * An additional 1 is added to take into account the call to.
+ * WildFlySecurityManager.getCallerClass(int);
+ */
+ return Reflection.getCallerClass(n + callerOffset + 1);
 } else {
- return getCallStack()[n + callerOffset];
+ /*
+ * Fixed offset of 2 to take into account the following calls on the call stack: -
+ * WildFlySecurityManager.getCallStack();
+ * WildFlySecurityManager.getCallerClass(int);
+ */
+ return getCallStack()[n + 2];
 }
 }
@@ -805,7 +817,7 @@ public static T doUnchecked(PrivilegedAction action) {
 try {
 final SecurityManager sm = getSecurityManager();
 if (sm != null) {
- checkPDPermission(getCallerClass(2), doUncheckedPermission);
+ checkPDPermission(getCallerClass(1), doUncheckedPermission);
 }
 return action.run();
 } finally {
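Review bot: getCallerClass(int) decides which class every permission check in this file is made against, and after this hunk its two branches compensate differently: the Reflection branch still adds the probed `callerOffset` plus 1, while the getCallStack() fallback switches from `callerOffset` to a hard-coded 2. If the fallback's own frame accounting (getCallStack() is outside the hunk, so it cannot be checked here) does not match that constant, a check would be performed against a frame inside WildFlySecurityManager or against the caller's caller, and the patch adds no test pinning either branch; a test that calls StackInspector.getInstance().getCallerClass(0) from a known class and asserts the returned class, ideally also with hasGetCallerClass forced to false, would catch this. The new comment text is also garbled (`The callerOffset identifies how many calls on the stack by calling Reflection.getCallerClass.` and `the call to.`); suggested wording: `callerOffset compensates for the frames Reflection.getCallerClass itself sees; the extra 1 is this method's own frame.` The StackInspector hunk (`+ 2` to `+ 1`) and the remaining hunks of this patch, which change `getCallerClass(2)` to `getCallerClass(1)` in doUnchecked, the *Privileged property and class-loader accessors and doPrivilegedWithParameter, are the mechanical counterpart; any other caller of the package-private getCallerClass not in these two files would need the same adjustment, which the diff cannot show.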
@@ -835,7 +847,7 @@ public static T doUnchecked(PrivilegedExceptionAction action) throws Priv
 try {
 final SecurityManager sm = getSecurityManager();
 if (sm != null) {
- checkPDPermission(getCallerClass(2), doUncheckedPermission);
+ checkPDPermission(getCallerClass(1), doUncheckedPermission);
 }
 return action.run();
 } catch (Exception e) {
@@ -863,7 +875,7 @@ public static T doUnchecked(PrivilegedAction action, AccessControlContext
 try {
 final SecurityManager sm = getSecurityManager();
 if (sm != null) {
- checkPDPermission(getCallerClass(2), doUncheckedPermission);
+ checkPDPermission(getCallerClass(1), doUncheckedPermission);
 }
 return AccessController.doPrivileged(action, context);
 } finally {
@@ -890,7 +902,7 @@ public static T doUnchecked(PrivilegedExceptionAction action, AccessContr
 try {
 final SecurityManager sm = getSecurityManager();
 if (sm != null) {
- checkPDPermission(getCallerClass(2), doUncheckedPermission);
+ checkPDPermission(getCallerClass(1), doUncheckedPermission);
 }
 return AccessController.doPrivileged(action, context);
 } finally {
@@ -917,7 +929,7 @@ public static T doUnchecked(P parameter, ParametricPrivilegedAction
 try {
 final SecurityManager sm = getSecurityManager();
 if (sm != null) {
- checkPDPermission(getCallerClass(2), doUncheckedPermission);
+ checkPDPermission(getCallerClass(1), doUncheckedPermission);
 }
 return action.run(parameter);
 } finally {
@@ -949,7 +961,7 @@ public static T doUnchecked(P parameter, ParametricPrivilegedExceptionAct
 try {
 final SecurityManager sm = getSecurityManager();
 if (sm != null) {
- checkPDPermission(getCallerClass(2), doUncheckedPermission);
+ checkPDPermission(getCallerClass(1), doUncheckedPermission);
 }
 return action.run(parameter);
 } catch (Exception e) {
@@ -979,7 +991,7 @@ public static T doUnchecked(P parameter, ParametricPrivilegedAction
 try {
 final SecurityManager sm = getSecurityManager();
 if (sm != null) {
- checkPDPermission(getCallerClass(2), doUncheckedPermission);
+ checkPDPermission(getCallerClass(1), doUncheckedPermission);
 }
 return doPrivilegedWithParameter(parameter, action, context);
 } finally {
@@ -1008,7 +1020,7 @@ public static T doUnchecked(P parameter, ParametricPrivilegedExceptionAct
 try {
 final SecurityManager sm = getSecurityManager();
 if (sm != null) {
- checkPDPermission(getCallerClass(2), doUncheckedPermission);
+ checkPDPermission(getCallerClass(1), doUncheckedPermission);
 }
 return doPrivilegedWithParameter(parameter, action, context);
 } finally {
@@ -1123,13 +1135,13 @@ public static String getPropertyPrivileged(String name, String def) {
 }
 ctx.checking = false;
 try {
- checkPropertyReadPermission(getCallerClass(2), name);
+ checkPropertyReadPermission(getCallerClass(1), name);
 return getProperty(name, def);
 } finally {
 ctx.checking = true;
 }
 } else {
- checkPropertyReadPermission(getCallerClass(2), name);
+ checkPropertyReadPermission(getCallerClass(1), name);
 return doPrivileged(new ReadPropertyAction(name, def));
 }
 }
@@ -1157,13 +1169,13 @@ public static String getEnvPropertyPrivileged(String name, String def) {
 }
 ctx.checking = false;
 try {
- checkEnvPropertyReadPermission(getCallerClass(2), name);
+ checkEnvPropertyReadPermission(getCallerClass(1), name);
 return def(getenv(name), def);
 } finally {
 ctx.checking = true;
 }
 } else {
- checkEnvPropertyReadPermission(getCallerClass(2), name);
+ checkEnvPropertyReadPermission(getCallerClass(1), name);
 return doPrivileged(new ReadEnvironmentPropertyAction(name, def));
 }
 }
@@ -1187,13 +1199,13 @@ public static String setPropertyPrivileged(String name, String value) {
 }
 ctx.checking = false;
 try {
- checkPropertyWritePermission(getCallerClass(2), name);
+ checkPropertyWritePermission(getCallerClass(1), name);
 return setProperty(name, value);
 } finally {
 ctx.checking = true;
 }
 } else {
- checkPropertyWritePermission(getCallerClass(2), name);
+ checkPropertyWritePermission(getCallerClass(1), name);
 return doPrivileged(new WritePropertyAction(name, value));
 }
 }
@@ -1216,13 +1228,13 @@ public static String clearPropertyPrivileged(String name) {
 }
 ctx.checking = false;
 try {
- checkPropertyWritePermission(getCallerClass(2), name);
+ checkPropertyWritePermission(getCallerClass(1), name);
 return clearProperty(name);
 } finally {
 ctx.checking = true;
 }
 } else {
- checkPropertyWritePermission(getCallerClass(2), name);
+ checkPropertyWritePermission(getCallerClass(1), name);
 return doPrivileged(new ClearPropertyAction(name));
 }
 }
@@ -1245,13 +1257,13 @@ public static ClassLoader getCurrentContextClassLoaderPrivileged() {
 }
 ctx.checking = false;
 try {
- checkPDPermission(getCallerClass(2), GET_CLASS_LOADER_PERMISSION);
+ checkPDPermission(getCallerClass(1), GET_CLASS_LOADER_PERMISSION);
 return currentThread().getContextClassLoader();
 } finally {
 ctx.checking = true;
 }
 } else {
- checkPDPermission(getCallerClass(2), GET_CLASS_LOADER_PERMISSION);
+ checkPDPermission(getCallerClass(1), GET_CLASS_LOADER_PERMISSION);
 return doPrivileged(GetContextClassLoaderAction.getInstance());
 }
 }
@@ -1281,7 +1293,7 @@ public static ClassLoader setCurrentContextClassLoaderPrivileged(ClassLoader new
 ctx.checking = false;
 // separate try/finally to guarantee proper exception flow
 try {
- checkPDPermission(getCallerClass(2), SET_CLASS_LOADER_PERMISSION);
+ checkPDPermission(getCallerClass(1), SET_CLASS_LOADER_PERMISSION);
 try {
 return thread.getContextClassLoader();
 } finally {
@@ -1291,7 +1303,7 @@ public static ClassLoader setCurrentContextClassLoaderPrivileged(ClassLoader new
 ctx.checking = true;
 }
 } else {
- checkPDPermission(getCallerClass(2), SET_CLASS_LOADER_PERMISSION);
+ checkPDPermission(getCallerClass(1), SET_CLASS_LOADER_PERMISSION);
 return doPrivileged(new SetContextClassLoaderAction(newClassLoader));
 }
 }
@@ -1321,7 +1333,7 @@ public static ClassLoader setCurrentContextClassLoaderPrivileged(final Class
 ctx.checking = false;
 // separate try/finally to guarantee proper exception flow
 try {
- final Class caller = getCallerClass(2);
+ final Class caller = getCallerClass(1);
 checkPDPermission(caller, SET_CLASS_LOADER_PERMISSION);
 checkPDPermission(caller, GET_CLASS_LOADER_PERMISSION);
 try {
@@ -1333,7 +1345,7 @@ public static ClassLoader setCurrentContextClassLoaderPrivileged(final Class
 ctx.checking = true;
 }
 } else {
- final Class caller = getCallerClass(2);
+ final Class caller = getCallerClass(1);
 checkPDPermission(caller, SET_CLASS_LOADER_PERMISSION);
 checkPDPermission(caller, GET_CLASS_LOADER_PERMISSION);
 return doPrivileged(new SetContextClassLoaderAction(clazz.getClassLoader()));
@@ -1358,13 +1370,13 @@ public static Properties getSystemPropertiesPrivileged() {
 }
 ctx.checking = false;
 try {
- checkPDPermission(getCallerClass(2), PROPERTIES_PERMISSION);
+ checkPDPermission(getCallerClass(1), PROPERTIES_PERMISSION);
 return getProperties();
 } finally {
 ctx.checking = true;
 }
 } else {
- checkPDPermission(getCallerClass(2), PROPERTIES_PERMISSION);
+ checkPDPermission(getCallerClass(1), PROPERTIES_PERMISSION);
 return doPrivileged(GetSystemPropertiesAction.getInstance());
 }
 }
@@ -1387,13 +1399,13 @@ public static Map getSystemEnvironmentPrivileged() {
 }
 ctx.checking = false;
 try {
- checkPDPermission(getCallerClass(2), ENVIRONMENT_PERMISSION);
+ checkPDPermission(getCallerClass(1), ENVIRONMENT_PERMISSION);
 return getenv();
 } finally {
 ctx.checking = true;
 }
 } else {
- checkPDPermission(getCallerClass(2), ENVIRONMENT_PERMISSION);
+ checkPDPermission(getCallerClass(1), ENVIRONMENT_PERMISSION);
 return doPrivileged(GetEnvironmentAction.getInstance());
 }
 }
@@ -1417,13 +1429,13 @@ public static ClassLoader getClassLoaderPrivileged(Class clazz) {
 }
 ctx.checking = false;
 try {
- checkPDPermission(getCallerClass(2), GET_CLASS_LOADER_PERMISSION);
+ checkPDPermission(getCallerClass(1), GET_CLASS_LOADER_PERMISSION);
 return clazz.getClassLoader();
 } finally {
 ctx.checking = true;
 }
 } else {
- checkPDPermission(getCallerClass(2), GET_CLASS_LOADER_PERMISSION);
+ checkPDPermission(getCallerClass(1), GET_CLASS_LOADER_PERMISSION);
 return doPrivileged(new GetClassLoaderAction(clazz));
 }
 }
@@ -1481,7 +1493,7 @@ public static T doPrivilegedWithParameter(P parameter, ParametricPrivileg
 final Context ctx = CTX.get();
 ctx.action1 = (ParametricPrivilegedAction) action;
 ctx.parameter = parameter;
- return (T) doPrivileged(PA_TRAMPOLINE1, ACC_CACHE.get(getCallerClass(2)));
+ return (T) doPrivileged(PA_TRAMPOLINE1, ACC_CACHE.get(getCallerClass(1)));
 }
 /**
@@ -1498,7 +1510,7 @@ public static T doPrivilegedWithParameter(P parameter, ParametricPrivileg
 final Context ctx = CTX.get();
 ctx.action2 = (ParametricPrivilegedExceptionAction) action;
 ctx.parameter = parameter;
- return (T) doPrivileged(PA_TRAMPOLINE2, ACC_CACHE.get(getCallerClass(2)));
+ return (T) doPrivileged(PA_TRAMPOLINE2, ACC_CACHE.get(getCallerClass(1)));
 }
 /**
@@ -1521,10 +1533,10 @@ public static T doPrivilegedWithParameter(P parameter, ParametricPrivileg
 try {
 ProtectionDomain[] protectionDomainStack = getProtectionDomainStack(accessControlContext);
 if (protectionDomainStack == null || protectionDomainStack.length == 0) {
- combined = ACC_CACHE.get(getCallerClass(2));
+ combined = ACC_CACHE.get(getCallerClass(1));
 } else {
 final ProtectionDomain[] finalDomains = Arrays.copyOf(protectionDomainStack, protectionDomainStack.length + 1);
- finalDomains[protectionDomainStack.length] = getCallerClass(2).getProtectionDomain();
+ finalDomains[protectionDomainStack.length] = getCallerClass(1).getProtectionDomain();
 combined = new AccessControlContext(finalDomains);
 }
 } finally {
@@ -1553,10 +1565,10 @@ public static T doPrivilegedWithParameter(P parameter, ParametricPrivileg
 try {
 ProtectionDomain[] protectionDomainStack = getProtectionDomainStack(accessControlContext);
 if (protectionDomainStack == null || protectionDomainStack.length == 0) {
- combined = ACC_CACHE.get(getCallerClass(2));
+ combined = ACC_CACHE.get(getCallerClass(1));
 } else {
 final ProtectionDomain[] finalDomains = Arrays.copyOf(protectionDomainStack, protectionDomainStack.length + 1);
- finalDomains[protectionDomainStack.length] = getCallerClass(2).getProtectionDomain();
+ finalDomains[protectionDomainStack.length] = getCallerClass(1).getProtectionDomain();
 combined = new AccessControlContext(finalDomains);
 }
 } finally {

From 68f16acfa487da88117ac39e4c13e99e34eeb739 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse
Date: Fri, 12 Jul 2024 17:25:42 +0100
Subject: [PATCH 4/5] [ELY-2788] Release WildFly Elytron 1.1.13.Final

---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index efcbefd8533..25d1a44ae36 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
 org.wildfly.security
 wildfly-elytron
- 1.1.13.CR1-SNAPSHOT
+ 1.1.13.Final
 WildFly Elytron
 WildFly Security SPIs
From 1db7bb85de7dba2bf0a11aead89ab9713b8e93e7 Mon Sep 17 00:00:00 2001
From: Darran Lofthouse
Date: Fri, 12 Jul 2024 17:27:46 +0100
Subject: [PATCH 5/5] Next is 1.1.14

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 25d1a44ae36..db4a9563f36 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@
 org.wildfly.security
 wildfly-elytron
- 1.1.13.Final
+ 1.1.14.CR1-SNAPSHOT
 WildFly Elytron
 WildFly Security SPIs
@@ -504,7 +504,7 @@
 org.wildfly.security
 wildfly-elytron
- 1.1.12.Final
+ 1.1.13.Final
 jar