September 2018 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFCORE-4131) Upgrade jboss-logmanager from 2.1.4.Final to 2.1.5.Final

by James Perkins (JIRA)

James Perkins created WFCORE-4131: ------------------------------------- Summary: Upgrade jboss-logmanager from 2.1.4.Final to 2.1.5.Final Key: WFCORE-4131 URL: https://issues.jboss.org/browse/WFCORE-4131 Project: WildFly Core Issue Type: Component Upgrade Reporter: James Perkins -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (ELY-1684) Release WildFly Elytron 1.7.0.CR2

by Darran Lofthouse (JIRA)

Darran Lofthouse created ELY-1684: ------------------------------------- Summary: Release WildFly Elytron 1.7.0.CR2 Key: ELY-1684 URL: https://issues.jboss.org/browse/ELY-1684 Project: WildFly Elytron Issue Type: Bug Reporter: Darran Lofthouse Assignee: Darran Lofthouse Fix For: 1.7.0.CR2 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (ELY-1663) BC FIPS, Management Interface, ELY04001: No algorithm found matching TLS/SSL protocol selection criteria

by Farah Juma (JIRA)

[ https://issues.jboss.org/browse/ELY-1663?page=com.atlassian.jira.plugin.s... ] Farah Juma commented on ELY-1663: --------------------------------- [~mchoma] Just noticed a small difference between the "not ok" and "ok" logs: For the "not ok" case: {code} 08:01:49,728 TRACE [org.wildfly.security] (MSC service thread 1-1) Supported protocols are: [TLSv1.2] {code} For the "ok" case: {code} 07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Supported protocols are: [TLSV1.2] {code} So "TLSv1.2" vs "TLSV1.2". > BC FIPS, Management Interface, ELY04001: No algorithm found matching TLS/SSL protocol selection criteria > -------------------------------------------------------------------------------------------------------- > > Key: ELY-1663 > URL: https://issues.jboss.org/browse/ELY-1663 > Project: WildFly Elytron > Issue Type: Bug > Components: SSL > Affects Versions: 1.6.0.Final > Reporter: Martin Choma > Priority: Critical > > Rarely 1:30 it happens there occures error accessing http management interface secured with TLS with BC FIPS > {code} > Operation {"operation" => "add","address" => [("subsystem" => "elytron"),("server-ssl-context" => "test-server-ssl-context")],"key-manager" => "key-manager-name_test-server-ssl-context","cipher-suite-filter" => "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256","trust-manager" => "trust-manager-name_test-server-ssl-context","protocols" => ["TLSv1.2"],"need-client-auth" => true} failed: {"outcome" => "failed","failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.test-server-ssl-context" => "java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria > Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria"}},"rolled-back" => true} > ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service org.wildfly.security.ssl-context.test-server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.test-server-ssl-context: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria > at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:982) > at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698) > at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556) > at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > at java.lang.Thread.run(Thread.java:748) > Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria > at org.wildfly.security.ssl.SSLUtils.lambda$createSslContextFactory$1(SSLUtils.java:130) > at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340) > at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53) > at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:980) > ... 9 more > {code} > Some facts > * It happens only on management interface BC FIPS TLS tests > * It does not occur on Undertow secured with BC FIPS > * Previously there was issue with similar error but that happened everywhere https://issues.jboss.org/browse/ELY-1618 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (DROOLS-2522) [DMN Designer] Palette aesthetics

by Michael Anstis (JIRA)

[ https://issues.jboss.org/browse/DROOLS-2522?page=com.atlassian.jira.plugi... ] Michael Anstis updated DROOLS-2522: ----------------------------------- Sprint: 2018 Week 39-41 > [DMN Designer] Palette aesthetics > --------------------------------- > > Key: DROOLS-2522 > URL: https://issues.jboss.org/browse/DROOLS-2522 > Project: Drools > Issue Type: Bug > Components: DMN Editor > Affects Versions: 7.8.0.Final > Reporter: Jozef Marko > Assignee: Michael Anstis > Labels: drools-tools > Attachments: palette.png > > > The palette css styling has changed. There appeared margins between items in palette, what is probably not problem, however even when user click to this margin (to space between two item in palette) still some palette item is selected. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (ELY-1672) MechanismDatabase should not use AEAD to describe digest (PRF)

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1672?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated ELY-1672: ---------------------------------- Fix Version/s: 1.7.0.CR2 > MechanismDatabase should not use AEAD to describe digest (PRF) > -------------------------------------------------------------- > > Key: ELY-1672 > URL: https://issues.jboss.org/browse/ELY-1672 > Project: WildFly Elytron > Issue Type: Bug > Components: SSL > Reporter: David Lloyd > Assignee: David Lloyd > Fix For: 1.7.0.CR2 > > > AEAD is not a digest (PRF) function, it's a description of a message authentication strategy. We should only use the actual digest names in the mechanism database. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (ELY-1674) MechanismDatabase ECDHE_PSK ciphers use PSK authentication, not ECDHE

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1674?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated ELY-1674: ---------------------------------- Fix Version/s: 1.7.0.CR2 > MechanismDatabase ECDHE_PSK ciphers use PSK authentication, not ECDHE > --------------------------------------------------------------------- > > Key: ELY-1674 > URL: https://issues.jboss.org/browse/ELY-1674 > Project: WildFly Elytron > Issue Type: Bug > Components: SSL > Reporter: David Lloyd > Assignee: David Lloyd > Fix For: 1.7.0.CR2 > > > AFAICT the ECHDE_PSK suites use PSK authentication, not ECDHE key authentication. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (ELY-1673) Draft ciphers in mechanism database

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1673?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated ELY-1673: ---------------------------------- Fix Version/s: 1.7.0.CR2 > Draft ciphers in mechanism database > ----------------------------------- > > Key: ELY-1673 > URL: https://issues.jboss.org/browse/ELY-1673 > Project: WildFly Elytron > Issue Type: Bug > Components: SSL > Reporter: David Lloyd > Assignee: David Lloyd > Fix For: 1.7.0.CR2 > > > We should exclude the list of draft ciphers from the mechanism database. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (ELY-1675) Merge roles from entry and entry attributes

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1675?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated ELY-1675: ---------------------------------- Fix Version/s: 1.7.0.CR2 > Merge roles from entry and entry attributes > ------------------------------------------- > > Key: ELY-1675 > URL: https://issues.jboss.org/browse/ELY-1675 > Project: WildFly Elytron > Issue Type: Bug > Components: Realms > Affects Versions: 1.7.0.CR1 > Reporter: Martin Choma > Priority: Critical > Fix For: 1.7.0.CR2 > > > Double check Elytron ldap realm is capable doing this: > Having ldap entries like this > {code} > dn: cn=jduke,ou=Roles,ou=example2,${dnSuffix} > objectClass: top > objectClass: organizationalRole > description: cn=Echo,ou=Roles,ou=example2,${dnSuffix} > description: cn=TheDuke,ou=Roles,ou=example2,${dnSuffix} > cn: jduke > {code} > User will have roles jduke, Echo and TheDuke. > This was possible with Picketbox with this configuration > {code} > EapSetupTask roleAttributesConfiguration = > new LdapExtSecurityDomainBuilder(SECURITY_DOMAIN_NAME_PREFIX + DEP2) > .prepareDefaultForLdapServer(ldapServer) > .baseCtxDN("ou=People,ou=example2," + ldapServer.getDNSuffix()) > .rolesCtxDN("ou=Roles,ou=example2," + ldapServer.getDNSuffix()) > .referral("ignore") > .roleFilter("(|(objectClass=referral)(cn={0}))") > .roleAttributeID("description") > .roleAttributeIsDN("true") > .roleNameAttributeID("cn") > .roleRecursion("0") > .configure(); > {code} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (ELY-1676) Add missing ARIA encryption to CipherSuiteSelector

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1676?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated ELY-1676: ---------------------------------- Fix Version/s: 1.7.0.CR2 > Add missing ARIA encryption to CipherSuiteSelector > -------------------------------------------------- > > Key: ELY-1676 > URL: https://issues.jboss.org/browse/ELY-1676 > Project: WildFly Elytron > Issue Type: Enhancement > Reporter: Martin Mazanek > Assignee: Martin Mazanek > Fix For: 1.7.0.CR2 > > -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

[JBoss JIRA] (ELY-1677) Elytron Bearer Token Authentication - Return a 401 on Invalid Token

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1677?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse reassigned ELY-1677: ------------------------------------- Assignee: Darran Lofthouse > Elytron Bearer Token Authentication - Return a 401 on Invalid Token > ------------------------------------------------------------------- > > Key: ELY-1677 > URL: https://issues.jboss.org/browse/ELY-1677 > Project: WildFly Elytron > Issue Type: Feature Request > Components: Authentication Mechanisms > Affects Versions: 1.7.0.CR1 > Reporter: Edward Stathopoulos > Assignee: Darran Lofthouse > Fix For: 1.7.0.CR2 > > > *Issue* > Currently, Elytron will send back a 403 Response when an invalid bearer token is sent. For the built-in JWT validator (the token validation we are using), this [includes a few checks like signature, expiration time, audience and issuer|https://github.com/wildfly-security/wildfly-elytron/blob/1.7.0.CR1...]. > It seems that the current [BearerTokenAuthenticationMechanism|https://github.com/wildfly-security/wi...] does not differentiate between failed authentication and failed authorization, returning a 403 in both cases. This produces conflicting and erroneous results. Did I fail to authenticate (say, expired JWT) or did I authenticate but do not have access to the resource in question? > This would also be closer in line with [RFC 6750 (The OAuth 2.0 Authorization Framework: Bearer Token Usage)|https://tools.ietf.org/html/rfc6750#section-3] which includes an example of an expired (invalid) token. > {quote} > And in response to a protected resource request with an > authentication attempt using an expired access token: > HTTP/1.1 401 Unauthorized > WWW-Authenticate: Bearer realm="example", > error="invalid_token", > error_description="The access token expired" > {quote} > *Potential Solution* > Perhaps this could be ameliorated by something akin to the following change in BearerTokenAuthenticationMechanism::evaluateRequest by differentiating between failure to authorize and failure to authenticate the token. Merely a quick, unvetted example as I haven't had enough time to dig in to the source. > {code} > if (verifyCallback.isVerified()) { > AuthorizeCallback authorizeCallback = new AuthorizeCallback(null, null); > handleCallback(authorizeCallback); > if (authorizeCallback.isAuthorized()) { > httpBearer.debugf("Token authentication successful."); > handleCallback(new IdentityCredentialCallback(new BearerTokenCredential(tokenEvidence.getToken()), true)); > handleCallback(AuthenticationCompleteCallback.SUCCEEDED); > request.authenticationComplete(); > return; > } > else{ > httpBearer.debugf("Token authorization failed message."); > request.authenticationFailed("Some token unauthorized message", response -> response.setStatusCode(FORBIDDEN)); > return; > } > } > httpBearer.debugf("Token authentication failed."); > request.authenticationFailed("Invalid bearer token", response -> response.setStatusCode(UNAUTHORIZED)); > return; > {code} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira September 2018