[JBoss JIRA] (SECURITY-712) Variable expansion and Vault are not supported in the module-option of the LdapRolesMappingProvider mapping-module
by Anil Saldhana (JIRA)
[ https://issues.jboss.org/browse/SECURITY-712?page=com.atlassian.jira.plug... ]
Anil Saldhana reassigned SECURITY-712:
--------------------------------------
Assignee: Peter Skopek (was: Anil Saldhana)
> Variable expansion and Vault are not supported in the module-option of the LdapRolesMappingProvider mapping-module
> ------------------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-712
> URL: https://issues.jboss.org/browse/SECURITY-712
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: PicketBox_v4_0_9.Final
> Environment: RHEL 6.3
> Reporter: guillaume cornet
> Assignee: Peter Skopek
>
> When using the LdapRolesMappingProvider mapping-module, I don't want to put the bindCredential/password in the clear in the configuration file.
> So I'm trying to use the vault, this way:
> <mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider" type="role">
> <module-option name="java.naming.provider.url" value="ldap://192.168.122.101:389" />
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
> <module-option name="java.naming.security.authentication" value="simple" />
> <module-option name="bindDN" value="CN=Administrator,CN=users,DC=cloud,DC=local" />
> <module-option name="bindCredential" value="${VAULT::AD::addspass::YTgyMDI0ZjUtOWQwZi00MWZlLTkzMjMtMTM0YzRjZTY3ZWZmTElORV9CUkVBS3ZhdWx0}" />
> <module-option name="rolesCtxDN" value="CN=users,DC=cloud,DC=local" />
> <module-option name="roleFilter" value="(userPrincipalName={0})" />
> <module-option name="roleAttributeID" value="memberOf" />
> <module-option name="roleNameAttributeID" value="CN" />
> <module-option name="roleAttributeIsDN" value="true" />
> <module-option name="parseRoleNameFromDN" value="false" />
> <module-option name="roleRecursion" value="0" />
> <module-option name="searchScope" value="ONELEVEL_SCOPE" />
> </mapping-module>
> Unfortunately, with this configuration, I cannot connect anymore to my Active Directory Directory Service...
> I get the following error message in the jboss log:
> 14:59:35,019 ERROR [org.jboss.security.mapping.providers.role.LdapRolesMappingProvider] (http-/0.0.0.0:8080-1) Error connecting to LDAP server: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087) [rt.jar:1.7.0_09-icedtea]
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) [rt.jar:1.7.0_09-icedtea]
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835) [rt.jar:1.7.0_09-icedtea]
> at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) [rt.jar:1.7.0_09-icedtea]
> at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_09-icedtea]
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_09-icedtea]
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_09-icedtea]
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_09-icedtea]
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_09-icedtea]
> at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_09-icedtea]
> at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_09-icedtea]
> at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_09-icedtea]
> at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_09-icedtea]
> at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.constructInitialLdapContext(LdapRolesMappingProvider.java:256)
> at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.performMapping(LdapRolesMappingProvider.java:192)
> at org.jboss.security.mapping.providers.role.LdapRolesMappingProvider.performMapping(LdapRolesMappingProvider.java:53)
> at org.jboss.security.mapping.MappingContext.performMapping(MappingContext.java:54)
> at org.jboss.security.plugins.JBossAuthorizationManager.getCurrentRoles(JBossAuthorizationManager.java:397)
> at org.jboss.security.plugins.JBossAuthorizationManager.getSubjectRoles(JBossAuthorizationManager.java:324)
> at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:230)
> at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455)
> at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931)
> at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_09-icedtea]
> I did some remote debugging and I believe that the vault expression is not resolved...
> package org.jboss.security.mapping.providers.role, class LdapRolesMappingProvider, method init(Map<String, Object> options).
> This method doesn't perform any variable expansion nor vault expansion.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[JBoss JIRA] (AS7-6154) Inconsistent expression support
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/AS7-6154?page=com.atlassian.jira.plugin.s... ]
Tomaz Cerar commented on AS7-6154:
----------------------------------
Original issue still stands! We should be more rigid with testing whether expressions are supported the whole way, not just marked as such in the meta-model.
> Inconsistent expression support
> -------------------------------
>
> Key: AS7-6154
> URL: https://issues.jboss.org/browse/AS7-6154
> Project: Application Server 7
> Issue Type: Feature Request
> Components: Domain Management
> Reporter: Heiko Braun
> Assignee: Stefano Maestri
> Fix For: 7.2.0.CR1
>
>
> Although some subsystems declare support for expressions on certain attributes, they actually don't support them.
> As an example see datasources > pool > max-pool-size.
> The DMR description says it supports expressions on this attribute:
> {noformat}
> "max-pool-size" => {
> "type" => INT,
> "description" => "The max-pool-size element specifies the maximum number of connections for a pool. No more connections will be created in each sub-pool",
> "expressions-allowed" => true,
> "nillable" => true,
> "default" => 20,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> {noformat}
> But then writing an expression value yields an exception:
> {noformat}
> Request
> [ERROR] {
> [ERROR] "operation" => "composite",
> [ERROR] "address" => [],
> [ERROR] "steps" => [{
> [ERROR] "address" => [
> [ERROR] ("profile" => "full"),
> [ERROR] ("subsystem" => "datasources"),
> [ERROR] ("data-source" => "ExampleDS")
> [ERROR] ],
> [ERROR] "operation" => "write-attribute",
> [ERROR] "name" => "max-pool-size",
> [ERROR] "value" => expression "${pool:15}"
> [ERROR] }]
> [ERROR] }
> {noformat}
> {noformat}
> 08:48:23,965 DEBUG [org.jboss.as.controller.management-operation] (HttpManagementService-threads - 5) JBAS014616: Operation ("write-attribute") failed - address: ([
> ("subsystem" => "datasources"),
> ("data-source" => "ExampleDS")
> ]) - failure description: "JBAS014688: Wrong type for value. Expected [INT] but was EXPRESSION"
> {noformat}
--
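Both reports above come down to the same missing step: a `${...}` expression is accepted by the configuration layer but never expanded before the value is used (SECURITY-712, where the raw `${VAULT::...}` string is sent to the directory as the bind password and AD answers with error 52e, invalid credentials) or before it is type-checked (AS7-6154, where an INT attribute marked `expressions-allowed` rejects `${pool:15}` as type EXPRESSION). The following is an added illustration, not PicketBox or AS7 code, of what the expansion step looks like and where it has to sit. It assumes a constructed in-memory stand-in for the vault (`fake_vault_lookup`, `FAKE_VAULT`), constructed sample module options modelled on the reporter's configuration, and hypothetical `write_attribute_buggy` / `write_attribute_fixed` functions that model the two orderings of expand-then-check versus check-then-expand.

```python
"""Resolve JBoss-style ${...} expressions in configuration values.

Added illustration, not PicketBox or AS7 code. Two expression forms are handled:
  ${VAULT::block::attribute::sharedKey}  -> secret from a vault (faked here)
  ${property:default}                    -> system property with optional default
"""
import os
import re
from typing import Callable, Mapping, Optional

# One ${...} expression; nested braces are not supported.
EXPR_RE = re.compile(r"\$\{([^{}]+)\}")

# Constructed stand-in for a vault, keyed by (block, attribute).
# A real vault decrypts the entry and checks the shared key; this one does neither.
FAKE_VAULT = {("AD", "addspass"): "constructed-bind-password"}

VaultLookup = Callable[[str, str, str], str]


def fake_vault_lookup(block: str, attribute: str, shared_key: str) -> str:
    """Hypothetical vault backend: returns the constructed secret for a block/attribute."""
    try:
        return FAKE_VAULT[(block, attribute)]
    except KeyError:
        raise KeyError(f"vault has no entry for {block}::{attribute}") from None


def resolve_token(token: str, env: Mapping[str, str], vault: VaultLookup) -> str:
    """Resolve the text between ${ and }. The vault form is checked first because
    its '::' separators would otherwise be misread as a property default."""
    if token.startswith("VAULT::"):
        parts = token.split("::")
        if len(parts) != 4:
            raise ValueError(f"malformed vault expression: ${{{token}}}")
        _, block, attribute, shared_key = parts
        return vault(block, attribute, shared_key)
    name, has_default, default = token.partition(":")
    if name in env:
        return env[name]
    if has_default:
        return default
    raise KeyError(f"unresolvable expression: ${{{token}}}")


def resolve(value: str, env: Optional[Mapping[str, str]] = None,
            vault: VaultLookup = fake_vault_lookup) -> str:
    """Expand every ${...} in value; plain strings pass through unchanged."""
    env = os.environ if env is None else env
    return EXPR_RE.sub(lambda m: resolve_token(m.group(1), env, vault), value)


def resolve_options(options: Mapping[str, str], env=None, vault=fake_vault_lookup) -> dict:
    """The step the SECURITY-712 report says init(Map options) skips: expand every
    module-option value before it is handed to the LDAP context environment."""
    return {name: resolve(val, env, vault) for name, val in options.items()}


# --- attribute writes, modelled on the AS7-6154 report (hypothetical functions) ---
MAX_POOL_SIZE_DEF = {"type": "INT", "expressions-allowed": True, "default": 20}

CONVERTERS = {"INT": int, "STRING": str, "BOOLEAN": lambda s: str(s).lower() == "true"}


def write_attribute_buggy(attr_def: dict, value: str):
    """Type-check before expansion: any expression fails regardless of the
    expressions-allowed flag, which is the behaviour the report shows."""
    if EXPR_RE.search(value):
        raise TypeError(f"Wrong type for value. Expected [{attr_def['type']}] but was EXPRESSION")
    return CONVERTERS[attr_def["type"]](value)


def write_attribute_fixed(attr_def: dict, value: str, env=None):
    """Expand first (only where the meta-model allows it), then type-check the result."""
    if EXPR_RE.search(value):
        if not attr_def.get("expressions-allowed"):
            raise TypeError("expressions are not allowed on this attribute")
        value = resolve(value, env)
    return CONVERTERS[attr_def["type"]](value)


# Constructed sample mirroring the reporter's mapping-module options.
SAMPLE_OPTIONS = {
    "java.naming.provider.url": "ldap://${ldap.host:192.168.122.101}:389",
    "bindDN": "CN=Administrator,CN=users,DC=cloud,DC=local",
    "bindCredential": "${VAULT::AD::addspass::YTgyMDI0ZjUtOWQwZi00MWZlLTkzMjMtMTM0YzRjZTY3ZWZmTElORV9CUkVBS3ZhdWx0}",
}

if __name__ == "__main__":
    print(resolve_options(SAMPLE_OPTIONS, env={}))
    print(write_attribute_fixed(MAX_POOL_SIZE_DEF, "${pool:15}", env={}))
```

The check a practitioner wants from this is the one Tomaz asks for: for every attribute whose description says `expressions-allowed`, write an expression through the real path and confirm it is expanded and type-checked after expansion, rather than trusting the flag in the meta-model. For the mapping-module case, the same idea applies to every `module-option` value: if the vault reference ever reaches the bind as a literal string, the directory will report it as a bad password, which is exactly what the 52e in the reporter's log means.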