[JBoss JIRA] (WFLY-8876) Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
by Hynek Švábek (JIRA)
[ https://issues.jboss.org/browse/WFLY-8876?page=com.atlassian.jira.plugin.... ]
Hynek Švábek updated WFLY-8876:
-------------------------------
Description:
Server-identity/secret has a required "value" attribute, but there is now credential-reference too and there is no way to update an existing resource to use another option.
"Value" and credential-reference are mutually exclusive and one of them must be set.
*There must be a way to update an existing server-identity/secret to change "value" to credential-reference and vice versa.*
*resource-description*
{code:collapse}
[domain@localhost:9990 /] /host=master/core-service=management/security-realm=ManagementRealm/server-identity=secret:read-resource-description
{
    "outcome" => "success",
    "result" => {
        "description" => "Configuration of the secret/password-based identity of a server or host controller.",
        "deprecated" => {
            "since" => "1.7.0",
            "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
        },
        "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
        "attributes" => {
            "credential-reference" => {
                "type" => OBJECT,
                "description" => "The reference to credential for the secret / password stored in CredentialStore under defined alias or clear text password.",
                "expressions-allowed" => false,
                "required" => false,
                "nillable" => true,
                "alternatives" => ["value"],
                "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
                "value-type" => {
                    "store" => {
                        "type" => STRING,
                        "description" => "The name of the credential store holding the alias to credential.",
                        "expressions-allowed" => false,
                        "required" => false,
                        "nillable" => true,
                        "alternatives" => ["clear-text"],
                        "requires" => ["alias"],
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "alias" => {
                        "type" => STRING,
                        "description" => "The alias which denotes stored secret or credential in the store.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "requires" => ["store"],
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "type" => {
                        "type" => STRING,
                        "description" => "The type of credential this reference is denoting.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "clear-text" => {
                        "type" => STRING,
                        "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "alternatives" => ["store"],
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    }
                },
                "access-type" => "read-write",
                "storage" => "configuration",
                "restart-required" => "no-services"
            },
            "value" => {
                "type" => STRING,
                "description" => "The secret / password - Base64 Encoded.",
                "expressions-allowed" => true,
                "required" => true,
                "nillable" => true,
                "alternatives" => ["credential-reference"],
                "min-length" => 1L,
                "max-length" => 2147483647L,
                "access-type" => "read-write",
                "storage" => "configuration",
                "restart-required" => "no-services"
            }
        },
        "operations" => undefined,
        "notifications" => undefined,
        "children" => {}
    }
}
{code}
was:
Server-identity/secret has required "value" attribute, but there is now credential-reference too.
"Value" and credential-reference are mutually exclusive and one of them must be set.
Please keep in mind that there must be a way to update an existing server-identity/secret to change "value" to credential-reference and vice versa.
> Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-8876
> URL: https://issues.jboss.org/browse/WFLY-8876
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Priority: Blocker
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2502) Legacy ldap realm, entry for non existing user are cached
by Jiri Ondrusek (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2502?page=com.atlassian.jira.plugi... ]
Jiri Ondrusek reassigned WFCORE-2502:
-------------------------------------
Assignee: Jiri Ondrusek (was: Darran Lofthouse)
> Legacy ldap realm, entry for non existing user are cached
> ---------------------------------------------------------
>
> Key: WFCORE-2502
> URL: https://issues.jboss.org/browse/WFCORE-2502
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Jiri Ondrusek
>
> In case when cache is used for legacy LDAP security realm and any access to secured resource occurs, then entry is added into cache even if user has not been authenticated correctly. This can cause valid entries to be evicted due to max-cache-size. This reduces the benefit of the LDAP cache and impacts performance.
> Same behavior can be seen in 7.0.0.GA.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
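
The eviction effect reported in WFCORE-2502, as an added example that is not WildFly code and not the project's fix: a size-bounded LRU cache is fed a constructed request sequence, once caching failed lookups and once caching only entries that were found. The class names, the `DIRECTORY` set and the user names are assumptions made for the illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class RealmCacheEvictionExample {

    /** Size-bounded LRU map, a stand-in for a realm cache limited by max-cache-size. */
    static final class LruCache<K, V> extends LinkedHashMap<K, V> {
        private final int maxSize;

        LruCache(int maxSize) {
            super(16, 0.75f, true); // access order, so the least recently used entry is eldest
            this.maxSize = maxSize;
        }

        @Override
        protected boolean removeEldestEntry(Map.Entry<K, V> eldest) {
            return size() > maxSize;
        }
    }

    // Constructed directory contents; the lookup below simulates the LDAP search.
    static final Set<String> DIRECTORY = new HashSet<>(Arrays.asList("alice", "bob", "carol"));

    /** Counts how many requests had to go to the directory instead of the cache. */
    static int directoryLookups(String[] requests, int maxCacheSize, boolean cacheFailures) {
        LruCache<String, Boolean> cache = new LruCache<>(maxCacheSize);
        int lookups = 0;
        for (String user : requests) {
            if (cache.get(user) != null) {
                continue; // answered from the cache
            }
            lookups++;
            boolean found = DIRECTORY.contains(user);
            if (found || cacheFailures) {
                cache.put(user, found); // with cacheFailures, unknown names take up slots too
            }
        }
        return lookups;
    }

    public static void main(String[] args) {
        // Constructed sequence: three valid users, three unknown names, the valid users again.
        String[] requests = {"alice", "bob", "carol", "nobody1", "nobody2", "nobody3",
                             "alice", "bob", "carol"};
        System.out.println("failed lookups cached:     " + directoryLookups(requests, 3, true));
        System.out.println("only found entries cached: " + directoryLookups(requests, 3, false));
    }
}
```

With a cache size of 3, the first run sends every request to the directory because the unknown names push the valid users out, while the second run serves the repeated valid users from the cache.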
[JBoss JIRA] (WFLY-8876) Server-identity/secret resource has required "value" attribute, but there is now credential-reference too.
by Hynek Švábek (JIRA)
Hynek Švábek created WFLY-8876:
----------------------------------
Summary: Server-identity/secret resource has required "value" attribute, but there is now credential-reference too.
Key: WFLY-8876
URL: https://issues.jboss.org/browse/WFLY-8876
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Hynek Švábek
Assignee: Darran Lofthouse
Priority: Blocker
Server-identity/secret has required "value" attribute, but there is now credential-reference too.
"Value" and credential-reference are mutually exclusive and one of them must be set.
Please keep in mind that there must be a way to update an existing server-identity/secret to change "value" to credential-reference and vice versa.
[JBoss JIRA] (WFCORE-2901) Improve charset usage in CLI tests
by Marek Kopecký (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2901?page=com.atlassian.jira.plugi... ]
Marek Kopecký moved JBEAP-11292 to WFCORE-2901:
-----------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-2901 (was: JBEAP-11292)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Test Suite
(was: Test Suite)
Affects Version/s: 3.0.0.Beta23
(was: 7.1.0.DR19)
> Improve charset usage in CLI tests
> ----------------------------------
>
> Key: WFCORE-2901
> URL: https://issues.jboss.org/browse/WFCORE-2901
> Project: WildFly Core
> Issue Type: Bug
> Components: Test Suite
> Affects Versions: 3.0.0.Beta23
> Reporter: Marek Kopecký
> Assignee: Marek Kopecký
> Priority: Minor
>
> Improve charset usage in CLI tests
[JBoss JIRA] (WFLY-8760) get method of ModuleClassLoaderLocator requires createClassLoader permission
by Lin Gao (JIRA)
[ https://issues.jboss.org/browse/WFLY-8760?page=com.atlassian.jira.plugin.... ]
Lin Gao commented on WFLY-8760:
-------------------------------
Thanks for the detailed reproduce steps, PR sent.
> get method of ModuleClassLoaderLocator requires createClassLoader permission
> ----------------------------------------------------------------------------
>
> Key: WFLY-8760
> URL: https://issues.jboss.org/browse/WFLY-8760
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Lin Gao
> Priority: Critical
>
> There is a missing doPrivileged block in ModuleClassLoaderLocator. The fix of WFLY-7412 for ModuleClassLoaderLocator introduces a new CombinedClassLoader inner class which extends SecureClassLoader. Initialization of this class needs the createClassLoader RuntimePermission.
> That means:
> * All deployments which use an API which internally uses ModuleClassLoaderLocator need the createClassLoader RuntimePermission (which is new in EAP 7.1; the same deployments in EAP 7.0 do not need this permission)
> ** i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
> * setting createClassLoader RuntimePermission for deployment can be dangerous and it should probably use own permission
[JBoss JIRA] (WFLY-8760) get method of ModuleClassLoaderLocator requires createClassLoader permission
by Lin Gao (JIRA)
[ https://issues.jboss.org/browse/WFLY-8760?page=com.atlassian.jira.plugin.... ]
Lin Gao updated WFLY-8760:
--------------------------
Git Pull Request: https://github.com/wildfly/wildfly/pull/10133
> get method of ModuleClassLoaderLocator requires createClassLoader permission
> ----------------------------------------------------------------------------
>
> Key: WFLY-8760
> URL: https://issues.jboss.org/browse/WFLY-8760
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Lin Gao
> Priority: Critical
>
> There is a missing doPrivileged block in ModuleClassLoaderLocator. The fix of WFLY-7412 for ModuleClassLoaderLocator introduces a new CombinedClassLoader inner class which extends SecureClassLoader. Initialization of this class needs the createClassLoader RuntimePermission.
> That means:
> * All deployments which use an API which internally uses ModuleClassLoaderLocator need the createClassLoader RuntimePermission (which is new in EAP 7.1; the same deployments in EAP 7.0 do not need this permission)
> ** i.e. getMappingContext(String mappingType) in org.jboss.security.plugins.mapping.JBossMappingManager works internally with ModuleClassLoaderLocator.
> * setting createClassLoader RuntimePermission for deployment can be dangerous and it should probably use own permission
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
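
The pattern WFLY-8760 asks for, as an added example that is not the code from the linked pull request or from WildFly: library code that constructs a `SecureClassLoader` subclass does so inside `AccessController.doPrivileged`, so the calling deployment does not need `createClassLoader` itself. `DelegatingLoader`, `locateUnprivileged` and `locatePrivileged` are hypothetical names, and the code targets the Java security manager model that the issue concerns.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.SecureClassLoader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class PrivilegedLoaderExample {

    /** Hypothetical stand-in for a SecureClassLoader subclass like the one the issue names. */
    static final class DelegatingLoader extends SecureClassLoader {
        private final List<ClassLoader> delegates;

        DelegatingLoader(List<ClassLoader> delegates) {
            // The ClassLoader constructor calls SecurityManager.checkCreateClassLoader(),
            // which is checked against every protection domain on the call stack.
            super(null);
            this.delegates = delegates;
        }

        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            // Delegation only: this loader never calls defineClass(), so handing
            // it to unprivileged code does not let that code define new classes.
            for (ClassLoader delegate : delegates) {
                try {
                    return delegate.loadClass(name);
                } catch (ClassNotFoundException tryNext) {
                    // fall through to the next delegate
                }
            }
            throw new ClassNotFoundException(name);
        }
    }

    /** Before: the caller's (deployment's) domain is on the stack and needs createClassLoader. */
    static ClassLoader locateUnprivileged(List<ClassLoader> delegates) {
        return new DelegatingLoader(delegates);
    }

    /** After: the stack walk stops here, so only this library's own domain needs the permission. */
    static ClassLoader locatePrivileged(List<ClassLoader> delegates) {
        // Copy caller-supplied input before entering the privileged block and keep
        // the block to the single operation that needs the permission.
        final List<ClassLoader> copy = Collections.unmodifiableList(new ArrayList<>(delegates));
        if (System.getSecurityManager() == null) {
            return new DelegatingLoader(copy); // no permission check is made in this case
        }
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            @Override
            public ClassLoader run() {
                return new DelegatingLoader(copy);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = PrivilegedLoaderExample.class.getClassLoader();
        ClassLoader combined = locatePrivileged(Collections.singletonList(app));
        // Resolved through the delegate, because the bootstrap parent does not know this class.
        System.out.println(combined.loadClass("PrivilegedLoaderExample").getName());
    }
}
```

The privileged block contains only the constructor call, which keeps the elevated scope limited to the one operation that triggers the permission check.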
[JBoss JIRA] (WFLY-8875) Improve exception when injecting EJB Local Interface Proxy loaded from two different classloaders
by Brad Maxwell (JIRA)
[ https://issues.jboss.org/browse/WFLY-8875?page=com.atlassian.jira.plugin.... ]
Brad Maxwell updated WFLY-8875:
-------------------------------
Environment: Deploy test-case.ear to reproducer
> Improve exception when injecting EJB Local Interface Proxy loaded from two different classloaders
> -------------------------------------------------------------------------------------------------
>
> Key: WFLY-8875
> URL: https://issues.jboss.org/browse/WFLY-8875
> Project: WildFly
> Issue Type: Enhancement
> Components: EE, EJB
> Affects Versions: 11.0.0.Alpha1
> Environment: Deploy test-case.ear to reproducer
> Reporter: Brad Maxwell
> Priority: Minor
> Attachments: test-case.ear
>
>
> If an EJB client tries to use @EJB to inject an EJB Local Proxy and the Local interface is in two different classloaders/modules/sub-deployments, it throws the error below. It would be helpful for the user to identify the issue if the exception indicated multiple classloaders or class HelloWorld is loaded from multiple modules or class cast exception.
> {code}
> Caused by: java.lang.IllegalArgumentException: Can not set example.api.HelloWorld field example.client.ClientSingleton.helloWorld to example.api.HelloWorld$$$view1
> at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
> at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
> at sun.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
> at java.lang.reflect.Field.set(Field.java:764)
> at org.jboss.as.ee.component.ManagedReferenceFieldInjectionInterceptorFactory$ManagedReferenceFieldInjectionInterceptor.processInvocation(ManagedReferenceFieldInjectionInterceptorFactory.java:106)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
> at org.jboss.as.ee.component.AroundConstructInterceptorFactory$1.processInvocation(AroundConstructInterceptorFactory.java:28)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
> at org.jboss.as.weld.injection.WeldInterceptorInjectionInterceptor.processInvocation(WeldInterceptorInjectionInterceptor.java:56)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
> at org.jboss.as.weld.interceptors.Jsr299BindingsCreateInterceptor.processInvocation(Jsr299BindingsCreateInterceptor.java:100)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
> at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
> at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:275)
> ... 26 more
> {code}