Wildfly Security Manager not processing JndiPermission


I'm trying to get my existing application to work with the Wildfly Security Manager. To start, I'm running my applications and adding the configuration that I need to standalone.xml like this in response to exceptions in the application log file:

<subsystem xmlns="urn:jboss:domain:security-manager:1.0">
    <deployment-permissions>
        <minimum-set>
            <permission class="java.util.PropertyPermission" name="*" actions="read,write"/>
            <permission .../>
        </minimum-set>
    </deployment-permissions>
</subsystem>

This is working okay, until I get to the following exception:

2017-01-03 16:00:22,119 ERROR [com.myapp.ClusteredCache] (ServerService Thread Pool -- 68) Failed to bind to JNDI name: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("org.wildfly.naming.java.permission.JndiPermission" "/AppCacheImpl" "bind")" in code source "(vfs:/content/myapp-wildfly.jar <no signer certificates>)" of "null")
        at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273) [wildfly-elytron-1.0.2.Final.jar:1.0.2.Final]
        ...

I add a permission like this:

<permission class="org.wildfly.naming.java.permission.JndiPermission" name="-" actions="all"/>

or:

<permission class="org.wildfly.naming.java.permission.JndiPermission" name="&lt;&lt;ALL BINDINGS&gt;&gt;" actions="all"/>

or even specifically:

<permission class="org.wildfly.naming.java.permission.JndiPermission" name="/AppCacheImpl" actions="bind"/>

but WildFly still throws the exception. Any idea what I'm doing wrong?

There is 1 answer

Answered by pduncan

This was a class loading error. Because of how JndiPermission is specified in the wildfly-naming module, you need to specify a module attribute, like this:

<permission 
    module="org.jboss.as.naming" 
    class="org.wildfly.naming.java.permission.JndiPermission" 
    name="-" 
    actions="all"/>