search

spring-projects / spring-framework

Spring Framework
https://spring.io/projects/spring-framework
Apache License 2.0
56.77k stars 38.16k forks source link

SpringBoot Error w/SecurityManager and AllPermission #24550

Closed spoofzu closed 4 years ago

spoofzu commented 4 years ago

Affects: \v5.2.0.RELEASE

Running with Spring Boot v2.2.0.RELEASE, Spring v5.2.0.RELEASE

I have been working on getting webgoat to run with springboot with a securitymanager. To minimize likelihood of user coding problems on my part, I'm using java.lang.SecurityManager as the test. I am running with the following policies,

grant { 
  permission java.security.AllPermission;
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

With SecurityManager enabled and the previous policies, no access control checks should fail. Following is the command line I use to execute springboot with webgoat.

java -classpath ./webgoat-server-8.0.0.M26.jar:./JVMXRay-0.0.1-SNAPSHOT.jar -Djava.security.manager=java.lang.SecurityManager -Djava.security.policy==/Users/milton/zwebgoat/nulljava.policy org.springframework.boot.loader.JarLauncher --server.port=8080 --server.address=localhost

The problem is that org.owasp.webgoat.HSQLDBDatabaseConfig is not found and server exists. However, if remove the SecurityManager and policy file from the command line the server starts as expected. The expected behavior with SecurityManager and the AllPermission policies should be the same as no SecurityManager. I reviewed some of the code near,

org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1465

I noticed that a different classloader may be used depending on whether springboot is initialized with a SecurityManager or not, regardless of policy settings. That's about as far as I got in the code. I checked to see if I could identify a SecurityManager unit test where this code path is exercised but didn't notice anything. I reviewed the next and other bug submissions to the spring project but didn't notice anything similar. I'm hope this information is helpful.

-----FULL STACKTRACE FOLLOWS------

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2020-02-18 19:36:33.199 ERROR 38449 --- [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/Users/milton/zwebgoat/webgoat-server-8.0.0.M26.jar!/BOOT-INF/classes!/org/owasp/webgoat/StartWebGoat.class]; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.owasp.webgoat.HSQLDBDatabaseConfig] for bean with name 'HSQLDBDatabaseConfig' defined in URL [jar:file:/Users/milton/zwebgoat/webgoat-server-8.0.0.M26.jar!/BOOT-INF/classes!/org/owasp/webgoat/HSQLDBDatabaseConfig.class]; nested exception is java.lang.ClassNotFoundException: org.owasp.webgoat.HSQLDBDatabaseConfig
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.scanCandidateComponents(ClassPathScanningCandidateComponentProvider.java:454) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:316) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.boot.context.properties.ConfigurationPropertiesScanRegistrar.scan(ConfigurationPropertiesScanRegistrar.java:83) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.boot.context.properties.ConfigurationPropertiesScanRegistrar.registerBeanDefinitions(ConfigurationPropertiesScanRegistrar.java:60) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.context.annotation.ImportBeanDefinitionRegistrar.registerBeanDefinitions(ImportBeanDefinitionRegistrar.java:86) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.lambda$loadBeanDefinitionsFromRegistrars$1(ConfigurationClassBeanDefinitionReader.java:385) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at java.base/java.util.LinkedHashMap.forEach(LinkedHashMap.java:684) ~[na:na]
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsFromRegistrars(ConfigurationClassBeanDefinitionReader.java:384) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitionsForConfigurationClass(ConfigurationClassBeanDefinitionReader.java:148) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.annotation.ConfigurationClassBeanDefinitionReader.loadBeanDefinitions(ConfigurationClassBeanDefinitionReader.java:120) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.annotation.ConfigurationClassPostProcessor.processConfigBeanDefinitions(ConfigurationClassPostProcessor.java:337) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.annotation.ConfigurationClassPostProcessor.postProcessBeanDefinitionRegistry(ConfigurationClassPostProcessor.java:242) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanDefinitionRegistryPostProcessors(PostProcessorRegistrationDelegate.java:275) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:95) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:706) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:532) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:747) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.owasp.webgoat.StartWebGoat.main(StartWebGoat.java:47) ~[classes!/:8.0.0.M26]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:567) ~[na:na]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) ~[webgoat-server-8.0.0.M26.jar:8.0.0.M26]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) ~[webgoat-server-8.0.0.M26.jar:8.0.0.M26]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) ~[webgoat-server-8.0.0.M26.jar:8.0.0.M26]
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52) ~[webgoat-server-8.0.0.M26.jar:8.0.0.M26]
Caused by: org.springframework.beans.factory.CannotLoadBeanClassException: Cannot find class [org.owasp.webgoat.HSQLDBDatabaseConfig] for bean with name 'HSQLDBDatabaseConfig' defined in URL [jar:file:/Users/milton/zwebgoat/webgoat-server-8.0.0.M26.jar!/BOOT-INF/classes!/org/owasp/webgoat/HSQLDBDatabaseConfig.class]; nested exception is java.lang.ClassNotFoundException: org.owasp.webgoat.HSQLDBDatabaseConfig
    at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1474) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.determineTargetType(AbstractAutowireCapableBeanFactory.java:682) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.predictBeanType(AbstractAutowireCapableBeanFactory.java:649) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.isFactoryBean(AbstractBeanFactory.java:1605) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.doGetBeanNamesForType(DefaultListableBeanFactory.java:520) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeanNamesForType(DefaultListableBeanFactory.java:491) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:613) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:605) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.boot.context.TypeExcludeFilter.getDelegates(TypeExcludeFilter.java:77) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.boot.context.TypeExcludeFilter.match(TypeExcludeFilter.java:65) ~[spring-boot-2.2.0.RELEASE.jar!/:2.2.0.RELEASE]
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.isCandidateComponent(ClassPathScanningCandidateComponentProvider.java:492) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.scanCandidateComponents(ClassPathScanningCandidateComponentProvider.java:431) ~[spring-context-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    ... 30 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.owasp.webgoat.HSQLDBDatabaseConfig
    at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:436) ~[na:na]
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:588) ~[na:na]
    at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:92) ~[webgoat-server-8.0.0.M26.jar:8.0.0.M26]
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) ~[na:na]
    at java.base/java.lang.Class.forName0(Native Method) ~[na:na]
    at java.base/java.lang.Class.forName(Class.java:415) ~[na:na]
    at org.springframework.util.ClassUtils.forName(ClassUtils.java:277) ~[spring-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanDefinition.resolveBeanClass(AbstractBeanDefinition.java:456) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.doResolveBeanClass(AbstractBeanFactory.java:1542) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$resolveBeanClass$5(AbstractBeanFactory.java:1466) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:688) ~[na:na]
    at org.springframework.beans.factory.support.AbstractBeanFactory.resolveBeanClass(AbstractBeanFactory.java:1465) ~[spring-beans-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
    ... 41 common frames omitted
rstoyanchev commented 4 years ago

I noticed that a different classloader may be used depending on whether springboot is initialized with a SecurityManager or not, regardless of policy settings. That's about as far as I got in the code. I checked to see if I could identify a SecurityManager unit test where this code path is exercised but didn't notice anything.

I don't think there is enough here to believe the root cause has anything in the Spring Framework.

I reviewed the next and other bug submissions to the spring project but didn't notice anything similar. I'm hope this information is helpful.

Do you mean that you searched this repository (Spring Framework) or the Spring Boot repository? The question seems more suited for Spring Boot based on the context.

I'm also wondering did you consider asking on the WebGoa's own issue tracker https://github.com/WebGoat/WebGoat?

spoofzu commented 4 years ago

It's not a bug in my code since I'm not running any code. It's not a bug in Webgoat since its spring is failing prior to any Webgoat code running. In fact, if I remove the Java security manager from springboots startup Webgoat starts as expected. This is the command that causes the failure,

java -classpath ./webgoat-server-8.0.0.M26.jar:./JVMXRay-0.0.1-SNAPSHOT.jar -Djava.security.manager=java.lang.SecurityManager -Djava.security.policy==/Users/milton/zwebgoat/nulljava.policy org.springframework.boot.loader.JarLauncher --server.port=8080 --server.address=localhost

Removing the security manager and policy like this fixes the problem, "-Djava.security.manager=java.lang.SecurityManager -Djava.security.policy==/Users/milton/zwebgoat/nulljava.policy"

This is a problem in AbstractBeanFactory.java when the Java security manager is present.

spoofzu commented 4 years ago

Bump. Plz take a look at this when possible, thank you.

Keep in mind, there is NO user code involved in this bug. This problem has been duplicated by using only core Java code. SpringBoot, chooses to use an alternative classloader anytime a SecurityManager is loaded.

bclozel commented 4 years ago

Hi @spoofzu

I believe, it's the other way around - by launching your application like this, you've chosen to deviate from the jar launcher which is using a specific class loader for loading resources from the executable jar.

Allowing this use case was considered but declined in the end, see the conversation on the Spring Boot issue tracker. You can however enable the security manager by calling something like System.setSecurityManager(new SecurityManager()); in the main application method.

If you feel that this is a missing use case from webgoat (using a security manager with their app), you can reach out to them for such an improvement. Just note that supporting that from the command line with the system classloader is not going to work because of the issue I've linked to.

I'm closing this issue since it's not related to Spring Framework. Thanks!

spoofzu commented 4 years ago

HI @bclozel

I'm not a Spring and SpringBoot expert so please bear with me. I'm building an IASP/RASP type tool called, JVMXRay. The tool monitors security access to protected resources by intercepting calls to the SecurityManager API. I extend SecurityManager with a custom implementation called, NullSecurityManager. WebGoat works great with SpringBoot but not JVMXRay. SpringBoot has trouble finding JVMXRay classes. I need my code somewhere in the classpath so I can load it via the security manager command line switch. Looks like your suggesting if I add NullSecurityManager to the WebGoat (or whatever springboot is running) code then the classloader will find my JVMXRay classes. So System.setSecurityManager(new NullSecurityManager() ); inside WebGoat should theoretically work. Of course, this solution is a little restrictive since it limits JVMXRay on SpringBoot to only those that add support to their apps for JVMXRay.

Do you think there is another way I can get JVMXRay to work with SpringBoot and WebGoat? Could I improve the SpringBoot custom classloader or something else perhaps? As a far as I know SpringBoot is a labor of love so I understand this is probably a low priority for you. Feel free to take your time responding. Appreciate your assistance and response.

Regards, Milton

bclozel commented 4 years ago

Hi @spoofzu

There are several ways to achieve something like this; it really depends on your deployment model and how developers are supposed to use this library with their application.

If they're meant to integrate it at build time, you could ask them to add that dependency to their build file, and even consider building a specific Spring Boot Starter (with configuration properties and more features).

If your product should be used on an already packed archive, you could use the PropertiesLauncher instead of the JarLauncher and add a custom entry for your jar. There are also ways to unpack an existing application and run it with additional dependencies (see this docker + Spring Boot tutorial) - just note that classpath ordering can be lost if you go with a wildcard classpath, as explained in that tutorial.

Finally, if your product is meant to be deployed as an agent (or something close to that), you could take a look at Cloud Native Buildpacks and Paketo. Paketo has buildpacks implementations that do change the classpath or attach an agent to the application, while building the container image. This makes an even better experience if you want this to be included in the CI pipeline automatically.

Thanks!

spoofzu commented 4 years ago

Ok, thanks @bclozel. I appreciate the advice. I will review these to see if it will help me get jvmxray running with webgoat. --Milton