Elytron jdbc-realm *-index attributes validation ------------------------------------------------ Key: WFLY-7268 URL: https://issues.jboss.org/browse/WFLY-7268 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Priority: Minor If I try to set any of password mapper (e.g. {{clear-password-mapper}}) and any of *-index attribute (e.g. {{password-index}}) with 0 value I get error from elytron {code} [standalone@localhost:9990 /] /subsystem=elytron/jdbc-realm=d:add(principal-query=[{sql="a",data-source="ExampleDS", bcrypt-mapper={password-index=0, salt-index=1, iteration-count-index=2}}]) { "outcome" => "failed", "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException: COM00001: Parameter 'hashColumn' must not be less than 1", "rolled-back" => true } {code} and exception in server log {code} 07:16:47,608 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 8) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "elytron"), ("jdbc-realm" => "b") ]): java.lang.IllegalArgumentException: COM00001: Parameter 'hashColumn' must not be less than 1 at org.wildfly.common.Assert.checkMinimumParameter(Assert.java:132) at org.wildfly.security.auth.realm.jdbc.mapper.PasswordKeyMapper.<init>(PasswordKeyMapper.java:63) at org.wildfly.security.auth.realm.jdbc.mapper.PasswordKeyMapper$Builder.build(PasswordKeyMapper.java:389) at org.wildfly.extension.elytron.JdbcRealmDefinition$ClearPasswordObjectDefinition.toPasswordKeyMapper(JdbcRealmDefinition.java:133) at org.wildfly.extension.elytron.JdbcRealmDefinition$RealmAddHandler.resolveKeyMappers(JdbcRealmDefinition.java:571) at org.wildfly.extension.elytron.JdbcRealmDefinition$RealmAddHandler.performRuntime(JdbcRealmDefinition.java:534) at org.jboss.as.controller.AbstractAddStepHandler.performRuntime(AbstractAddStepHandler.java:337) at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151) at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:940) at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:683) at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:382) at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1363) at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:410) at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:232) at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:213) at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$300(ModelControllerClientOperationHandler.java:136) at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157) at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:153) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:149) at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:153) at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70) at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:320) {code} Could that be validated in subsystem? There would be 2 benefits: * no exception is thrown in log. Exception seems like something suprised us. * message contains more proper attribute name, e.g. hashColumn -> password-index.