[CAM-10838] Camunda cockpit crashes if JavaSecurity manager is enabled

    • Bug Report
    • Resolution: Fixed
    • L3 - Default
    • None
    • 7.11.0
    • cockpit, engine
    • None
    • jdk1.8.0_181
      MacOSX High Sierra
      Tomcat 9.0.19

      When camunda-bpm-tomcat-7.11.0 (tomcat 9.0.19, java sun 1.8 [mac os]) is launched with the catalina "-security" option (security manager enabled), the /camunda application fails to handle any requests, with the error:

      Caused by: org.apache.ibatis.ognl.OgnlException: shouldPerformAuthorizatioCheck [java.lang.IllegalAccessException: Method [public boolean org.camunda.bpm.engine.impl.db.AuthorizationCheck.getShouldPerformAuthorizatioCheck()] cannot be accessed.]

      I did add additional grants:

      grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
          permission java.util.PropertyPermission "user.dir", "read"; // CUSTOM
          permission java.lang.RuntimePermission "accessDeclaredMembers"; // CUSTOM
          // continue as in original catalina.policy
      };
      // continue as in original catalina.policy
      grant {
          permission java.lang.RuntimePermission "accessDeclaredMembers"; // CUSTOM
          permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // CUSTOM
          permission java.util.PropertyPermission "com.fasterxml.jackson.core.util.BufferRecyclers.trackReusableBuffers", "read"; // CUSTOM
          permission java.util.PropertyPermission "resteasy.allowGzip", "read"; // CUSTOM

          // all other grants as originally in catalina policy
      };
      // all other grants as originally in catalina policy
      

      Stack trace and policy attached.

      Adding Runtime, Reflect wildcard permissions "*" results in the same issue. It seems the current camunda package does not work with the SecurityManager enabled, or works only with AllPermission, which defeats the purpose.


            Tassilo Weidner added a comment:

            Hi Ruslanas,

            thank you for reaching out to us with your question.

            I will look into your problem and come back to you with my insights soon.

            Stay tuned!

            Cheers,
            Tassilo

            Ruslanas Abdrachimovas added a comment:

            Thank you!

            Tassilo Weidner added a comment:

            Hi Ruslanas,

            thanks for your patience.

            We do not officially support Tomcat with the -security flag enabled and therefore make no QA efforts in this direction.

            However, according to your configurations I would expect that the security manager allows the reflective access. Reading through the official Tomcat documentation, I found the following paragraph:

                [...] the majority of Tomcat users do not run with a security manager, so Tomcat is not as well user-tested in this configuration. There have been, and continue to be, bugs reported that are triggered by running under a security manager.

            I assume that this could also be a bug in Tomcat. Have you considered that?

            Cheers,
            Tassilo

            Tassilo Weidner added a comment:

            Hi Ruslanas,

            I am closing this ticket due to inactivity. Feel free to open a new ticket if necessary.

            Cheers,
            Tassilo

              Assignee: Unassigned
              Reporter: Ruslanas Abdrachimovas (ruslanasa)
              Votes: 0
              Watchers: 2