[Elasticsearch Plugin] AccessControlException on jackson.databind

So as I understand, com.fasterxml.jackson.databind is provided by Elasticsearch and we cannot add it in our plugins as it'll lead to jarhell. Now my application is trying to parse JWT tokens, but when I try to do so in a doPrivileged block, I get greeted with:

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_131]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_131]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_131]
at java.lang.Class.checkMemberAccess(Class.java:2348) ~[?:1.8.0_131]
at java.lang.Class.getDeclaredConstructors(Class.java:2019) ~[?:1.8.0_131]
at com.fasterxml.jackson.databind.util.ClassUtil.getConstructors(ClassUtil.java:966) ~[?:?]
at com.fasterxml.jackson.databind.introspect.AnnotatedClass.resolveCreators(AnnotatedClass.java:443) ~[?:?]
at com.fasterxml.jackson.databind.introspect.AnnotatedClass.getStaticMethods(AnnotatedClass.java:314) ~[?:?]
at com.fasterxml.jackson.databind.introspect.BasicBeanDescription.getFactoryMethods(BasicBeanDescription.java:486) ~[?:?]
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._addDeserializerFactoryMethods(BasicDeserializerFactory.java:669) ~[?:?]
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory._constructDefaultValueInstantiator(BasicDeserializerFactory.java:320) ~[?:?]
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.findValueInstantiator(BasicDeserializerFactory.java:253) ~[?:?]
at com.fasterxml.jackson.databind.deser.BasicDeserializerFactory.createMapDeserializer(BasicDeserializerFactory.java:1159) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer2(DeserializerCache.java:377) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache._createDeserializer(DeserializerCache.java:349) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCache2(DeserializerCache.java:264) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache._createAndCacheValueDeserializer(DeserializerCache.java:244) ~[?:?]
at com.fasterxml.jackson.databind.deser.DeserializerCache.findValueDeserializer(DeserializerCache.java:142) ~[?:?]
at com.fasterxml.jackson.databind.DeserializationContext.findRootValueDeserializer(DeserializationContext.java:476) ~[?:?]
at com.fasterxml.jackson.databind.ObjectMapper._findRootDeserializer(ObjectMapper.java:3899) ~[?:?]
at com.fasterxml.jackson.databind.ObjectMapper._readValue(ObjectMapper.java:3765) ~[?:?]
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:2123) ~[?:?]
at com.fasterxml.jackson.core.JsonParser.readValueAs(JsonParser.java:1650) ~[jackson-core-2.8.6.jar:2.8.6]
at com.auth0.jwt.impl.JsonNodeClaim.asMap(JsonNodeClaim.java:109) ~[?:?]
at com.fico.elasticsearch.authenticate.accesscontrol.User.lambda$fetchRolesFromToken$0(User.java:23) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]

Code:

import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;

// "token" is the already-decoded DecodedJWT; getClaim() already returns a Claim, so no cast is needed
Map<String, Object> someMap = AccessController.doPrivileged((PrivilegedAction<Map<String, Object>>) () -> {
  Map<String, Object> temp1 = token.getClaim("some_claim").asMap();
  return temp1;
});

Now I do have,
permission java.lang.RuntimePermission "accessDeclaredMembers";

in my plugin-security.policy, and other code that relies on "accessDeclaredMembers" works fine, but this one doesn't.
I suppose this is because the package is not loaded by my classloader but by the parent one. Any insight on this would be great.

Can't you use the one (jackson lib I mean) provided in elasticsearch core?

The main issue is that the library is being referenced by Auth0's java-jwt, and I'm running into AccessControlException despite being inside a doPrivileged block.

Edit:
Btw, if I exclude jackson.databind while building my plugin, I run into:

java.lang.NoClassDefFoundError: com/fasterxml/jackson/databind/JsonDeserializer
at com.auth0.jwt.JWTDecoder.<init>(JWTDecoder.java:28) ~[?:?]
at com.auth0.jwt.JWT.decode(JWT.java:21) ~[?:?]
at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:352) ~[?:?]

Did you check that plugin-security.policy is correctly packaged within your plugin zip?

I do have,
permission java.lang.RuntimePermission "accessDeclaredMembers";

in my plugin-security.policy, and other code that relies on "accessDeclaredMembers" works fine, but this one doesn't.

For now, I have found a workaround to using the .asMap() method, so I don't need a solution anymore, but the "accessDeclaredMembers" issue still exists.

Here is an example where we are doing that:

And a call here:

Which uses:

Maybe it could help...

You need to check the entire stack trace for the AccessControlException very carefully. If there is anything on the stack which does not have the accessDeclaredMembers permission, it will fail.

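The stack-walk rule in the reply above, shown in a small stand-alone program. This is an added example, not code from the thread, from java-jwt or from Elasticsearch. It assumes a JDK that still lets you install a SecurityManager (JDK 8 as in the thread; JDK 17 warns, JDK 18+ needs -Djava.security.manager=allow), and it uses an all-granting Policy as a stand-in for a plugin-security.policy that grants accessDeclaredMembers, plus a ProtectionDomain with no permissions at all as a stand-in for a jar whose domain lacks that grant. The class and method names (StackWalkDemo, reflect, allowed, UNPRIVILEGED) are invented for the demo.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Every frame between the permission check and the nearest doPrivileged must belong to a
// ProtectionDomain that holds the permission; doPrivileged only cuts off the frames BELOW it.
public class StackWalkDemo {

    // Stand-in (assumption) for a code source whose policy grants nothing, e.g. a jar without
    // "accessDeclaredMembers". The two-arg ProtectionDomain is static, so the Policy is not consulted.
    static final AccessControlContext UNPRIVILEGED = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Stand-in for a plugin-security.policy granting the permission to our own classes,
    // then turn the SecurityManager on so checks actually happen.
    static void installSecurityManager() {
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());
    }

    // The reflective call Jackson makes (ClassUtil.getConstructors in the trace) on a class from
    // a different class loader; this is what triggers the "accessDeclaredMembers" check.
    static int reflect() {
        return java.util.HashMap.class.getDeclaredConstructors().length;
    }

    // Runs the action and reports whether the permission check passed.
    static boolean allowed(PrivilegedAction<Integer> action) {
        try {
            action.run();
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Case 1: the unprivileged domain sits ABOVE our doPrivileged (the java-jwt/Jackson situation
    // in the thread). The walk from the check up to the nearest doPrivileged still meets the
    // unprivileged domain, so the outer doPrivileged does not help: returns false.
    static boolean unprivilegedAboveDoPrivileged() {
        return allowed(() -> AccessController.doPrivileged((PrivilegedAction<Integer>) () ->
                AccessController.doPrivileged((PrivilegedAction<Integer>) StackWalkDemo::reflect, UNPRIVILEGED)));
    }

    // Case 2: the unprivileged domain sits BELOW our doPrivileged. The walk stops at doPrivileged,
    // only our granted domain is inspected, and the check passes: returns true.
    static boolean unprivilegedBelowDoPrivileged() {
        return allowed(() -> AccessController.doPrivileged((PrivilegedAction<Integer>) () ->
                AccessController.doPrivileged((PrivilegedAction<Integer>) StackWalkDemo::reflect), UNPRIVILEGED));
    }

    public static void main(String[] args) {
        installSecurityManager();
        System.out.println("reflect() directly from the granted domain: " + allowed(StackWalkDemo::reflect));
        System.out.println("unprivileged domain above doPrivileged:     " + unprivilegedAboveDoPrivileged());
        System.out.println("unprivileged domain below doPrivileged:     " + unprivilegedBelowDoPrivileged());
    }
}
```

Case 1 is the shape of the thread's failure: java-jwt and jackson-databind frames lie between Class.getDeclaredConstructors and the plugin's doPrivileged, so if their domain lacks the grant the call fails no matter how the plugin wraps it. To see which domain is the one being refused on a real node, run the JVM with -Djava.security.debug=access,failure, which logs the ProtectionDomain that failed the check.
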