Qpid / QPID-6363

Fail early if additional SASL providers cannot be registered with the Java Security API


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.10, 0.20, 0.30
    • Fix Version/s: 0.31
    • Component/s: JMS AMQP 0-x
    • Labels: None

    Description

      Registering SASL providers with the Java Security API requires specific SecurityManager permissions. This registration will fail if the JVM's security.policy denies it. This can happen in execution environments such as web containers.

      Currently the SASL registration takes place as a side effect of protocol connection negotiation. If it fails here, it is the IO threads that see the exception, rather than the caller's thread.

      The SASL registration should be moved so that we fail fast, on a thread belonging to the application.

      Caused by: java.security.AccessControlException: access denied (java.security.SecurityPermission putProviderProperty.AMQSASLProvider-Client)
             at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
             at java.security.AccessController.checkPermission(AccessController.java:546)
             at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
             at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
             at java.security.Provider.check(Provider.java:386)
             at java.security.Provider.put(Provider.java:309)
             at org.apache.qpid.client.security.JCAProvider.register(JCAProvider.java:68)
             at org.apache.qpid.client.security.JCAProvider.<init>(JCAProvider.java:55)
             at org.apache.qpid.client.security.DynamicSaslRegistrar.registerSaslProviders(DynamicSaslRegistrar.java:89)
             at org.apache.qpid.client.security.CallbackHandlerRegistry.<init>(CallbackHandlerRegistry.java:116)
             at org.apache.qpid.client.security.CallbackHandlerRegistry.<clinit>(CallbackHandlerRegistry.java:69)
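
      A sketch of the fail-fast pattern the description asks for, added here as an illustration and not taken from the Qpid code base: the provider is registered in the constructor of the object the application creates, so a policy denial is thrown on the caller's thread. The class names, provider name, mechanism name and factory class name are all hypothetical.

```java
import java.security.Provider;
import java.security.Security;

public class FailFastSaslRegistration {

    // Hypothetical provider: name, mechanism and factory class are placeholders.
    static final class ExampleSaslProvider extends Provider {
        ExampleSaslProvider() {
            super("ExampleSaslProvider-Client", 1.0, "Example SASL client factories");
            // Provider.put() performs the SecurityManager check for
            // putProviderProperty.<provider name>, the frame that fails in the trace.
            put("SaslClientFactory.EXAMPLE-MECH", "example.ExampleSaslClientFactory");
        }
    }

    // Hypothetical connection factory: registration runs in the constructor,
    // on the application thread, before any IO thread or negotiation exists.
    static final class ExampleConnectionFactory {
        ExampleConnectionFactory() {
            registerSaslProviderOrFail();
        }
    }

    static void registerSaslProviderOrFail() {
        try {
            Provider provider = new ExampleSaslProvider();
            // Idempotent: skip if a provider with this name is already installed.
            if (Security.getProvider(provider.getName()) == null) {
                Security.addProvider(provider);
            }
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException. Re-throw with
            // context so the caller sees a configuration error, not a
            // failure buried in protocol negotiation.
            throw new IllegalStateException(
                "Cannot register SASL provider with the Java Security API; "
                + "check the JVM security policy: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        new ExampleConnectionFactory(); // throws here if the policy denies it
        System.out.println("registered: "
            + (Security.getProvider("ExampleSaslProvider-Client") != null));
    }
}
```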
      

          People

            orudyy Alex Rudyy
            kwall Keith Wall