Search code examples
wildfly-10java-securityjavapolicy

Wildfly Security Manager : Permission failed for javax.management.MBeanPermission


I have My JBOSS Wildfly10 set up. I am enabling SECMGR flag in standlone.conf.bat file to true for enabling java security manager and as my war is deployed in wildfy 10 ,I am giving following permission set in standalone.xml as below and getting following error:

14:49:56,804 INFO [stdout] (ServerService Thread Pool -- 58) 2017-03-28 14:49:56,804 ServerService Thread Pool -- 58 ERROR Could not unregister MBeans for org.apac he.logging.log4j2:type=2483b420,component=Loggers,name=*,subtype=RingBuffer java.security.AccessControlException: WFSM000001: Permission check failed (permission "( "javax.management.MBeanPermission" "-#-[-]" "queryNames")" in code source "(vfs:/C:/wildfly-10.0.0.Final/standalone/deployments/mySample.war/WEB-INF/lib/log4j-core-2.5. jar )" of "null")

My Standalone.xml configuration is as below so please can anyone help me out here where I am doing wrong ?

 <subsystem xmlns="urn:jboss:domain:security-manager:1.0">
                <deployment-permissions>
                    <minimum-set>
                        <permission class="java.lang.RuntimePermission" name="shutdownHooks"/>
                        <permission class="java.util.PropertyPermission" name="*" actions="read"/>
                        <permission class="java.lang.RuntimePermission" name="createClassLoader"/>
                        <permission class="java.lang.RuntimePermission" name="getClassLoader"/>
                        <permission class="java.lang.RuntimePermission" name="shutdownHooks"/>
                        <permission class="javax.management.MBeanServerPermission" name="createMBeanServer"/>
                        <permission class="java.lang.reflect.ReflectPermission" name="suppressAccessChecks"/>
                        <permission class="javax.management.MBeanPermission" name="registerMBean"/>
                        <permission class="javax.management.MBeanPermission" name="queryNames"/>
                    </minimum-set>
                </deployment-permissions>
            </subsystem>

Solution

  • The queryNames and registerMBean permissions aren't quite right. The name attribute should be the name of the MBean. The registerMBeanand queryNames are actions.

    It should probably look something like:

    <permission class="javax.management.MBeanPermission" name="*" actions="registerMBean"/>
    <permission class="javax.management.MBeanPermission" name="*" actions="queryNames"/>
    

    You can specify the specific names or just use * as a wildcard. Have a look at the MBeanPermission for more details.