Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-6363

Fail early if additional SASL providers cannot be registered with the Java Security API

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.10, 0.20, 0.30
    • Fix Version/s: 0.31
    • Component/s: JMS AMQP 0-x
    • Labels:
      None

      Description

      Registering SASL providers with the Java Security API requires specific SecurityManager permissions. This registration will fail if the JVM's security.policy denies it. This can happens in execution environments such as web containers.

      Currently the SASL registration takes place as a side effect of protocol connection negotiation. If it fails here, it is the IO threads that see the exception, rather than the caller's thread.

      The SASL registration should be moved so that we fail fast, on a thread belonging to the application.

      Caused by: java.security.AccessControlException: access denied (java.security.SecurityPermission putProviderProperty.AMQSASLProvider-Client)
             at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
             at java.security.AccessController.checkPermission(AccessController.java:546)
             at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
             at java.lang.SecurityManager.checkSecurityAccess(SecurityManager.java:1698)
             at java.security.Provider.check(Provider.java:386)
             at java.security.Provider.put(Provider.java:309)
             at org.apache.qpid.client.security.JCAProvider.register(JCAProvider.java:68)
             at org.apache.qpid.client.security.JCAProvider.<init>(JCAProvider.java:55)
             at org.apache.qpid.client.security.DynamicSaslRegistrar.registerSaslProviders(DynamicSaslRegistrar.java:89)
             at org.apache.qpid.client.security.CallbackHandlerRegistry.<init>(CallbackHandlerRegistry.java:116)
             at org.apache.qpid.client.security.CallbackHandlerRegistry.<clinit>(CallbackHandlerRegistry.java:69)
      

        Attachments

          Activity

            People

            • Assignee:
              orudyy Alex Rudyy
              Reporter:
              kwall Keith Wall
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: