Wildfly Security Manager Configuration


This information applies to Wildfly versions 10, 11, 14, 18, 23-27 (the latest release available as of this writing).

Issue

The Wildfly 8 security manager uses traditional means of enablement and configuration but does not provide adequate means of granting permissions to deployed applications. For that reason, we don’t support the use of the security manager on Wildfly 8.

Cause

The Security Manager configuration in the Wildfly application server explicitly disables the standard security manager configuration system properties

  • -Djava.security.manager

  • -Djava.security.policy=…

and implements custom Security Manager configuration mechanisms.

Resolution

To enable the security manager in Wildfly, either pass the command line argument -secmgr or set the environment variable SECMGR to true. The following excerpt is from reference [1]:

Running JBoss / WildFly with a Security Manager

The first step for using a Security Manager in the application server is activating it. In order to do that, you can either set the -secmgr flag to the startup script or set the SECMGR variable to true, by uncommenting in your standalone.conf the following line:

# Uncomment this to run with a security manager enabled
SECMGR="true"

 

Custom policy file locations via -Djava.security.policy= are disabled without replacement. However, JBoss will honor the content of policies located in the default JDK location {java.home}/lib/security/java.policy (and, likely, in the default user location {user.home}/.java.policy as well). To grant the agent the permissions necessary to work with the security manager, append the following to the JDK default policy:

// CONTRAST
grant codeBase "file:/opt/contrast/contrast.jar" {
    permission java.security.AllPermission;
};

 

Documented methods for policy configuration in Wildfly include the use of JavaEE 7 web application scope policies configured via META-INF/permissions.xml and server-scoped configuration of specific Wildfly server “modules”. The JavaEE 7 web application permissions.xml configuration may be required for deployed web apps, but neither it nor the modules policy configuration will grant the necessary permissions to the Java agent.

In addition to the security manager policy configuration, to allow the agent to function with Wildfly’s classloader system, the value of the environment variable JBOSS_MODULES_SYSTEM_PKGS, originally org.jboss.byteman, must be modified to also include the Java agent base package: com.contrastsecurity.agent,org.jboss.byteman
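
The three changes described above (enabling SECMGR, appending the agent grant to the JDK default policy, and extending JBOSS_MODULES_SYSTEM_PKGS), as an added example that is not part of the original article or of the vendor's or Wildfly's tooling. The function names are hypothetical, all file paths are supplied by the caller, and the last function assumes standalone.conf assigns JBOSS_MODULES_SYSTEM_PKGS a quoted, non-empty value.

```shell
#!/bin/sh
# Added example: idempotently applies the three changes this article describes.
# Function names are hypothetical; all file paths are supplied by the caller.
AGENT_PKG="com.contrastsecurity.agent"

# Apply a sed expression in place without relying on non-portable `sed -i`.
edit_in_place() {
    sed "$1" "$2" > "$2.tmp" && cat "$2.tmp" > "$2" && rm -f "$2.tmp"
}

# 1. Enable the security manager: uncomment SECMGR="true", or append it.
enable_secmgr() {
    conf=$1
    if grep -q '^SECMGR="true"' "$conf"; then return 0; fi
    if grep -q '^#[[:space:]]*SECMGR="true"' "$conf"; then
        edit_in_place 's/^#[[:space:]]*SECMGR="true"/SECMGR="true"/' "$conf"
    else
        printf 'SECMGR="true"\n' >> "$conf"
    fi
}

# 2. Append the agent grant to the JDK default policy, once per jar path.
grant_agent_policy() {
    policy=$1
    jar=$2
    if grep -qF "codeBase \"file:$jar\"" "$policy"; then return 0; fi
    cat >> "$policy" <<EOF

// CONTRAST
grant codeBase "file:$jar" {
    permission java.security.AllPermission;
};
EOF
}

# 3. Put the agent base package in front of the existing system packages.
#    Assumes standalone.conf assigns a quoted, non-empty value, as in
#    JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman". Fails if none is found.
add_agent_system_pkg() {
    conf=$1
    have="JBOSS_MODULES_SYSTEM_PKGS=\"[^\"]*$AGENT_PKG"
    if grep -q "$have" "$conf"; then return 0; fi
    edit_in_place "s/\(JBOSS_MODULES_SYSTEM_PKGS=\"\)\([^\"]\)/\1$AGENT_PKG,\2/" "$conf"
    grep -q "$have" "$conf"
}
```

Call the functions with the server's standalone.conf and the java.policy of the JDK that runs Wildfly; each one can be re-run without duplicating its change.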

References:

  1. Using Java EE 7 Security Manager with WildFly

  2. Default Policy Implementation and Policy File Syntax
