[JBoss JIRA] (AS7-3112) Better integration of service based ServerAuthenticationProviders
by Darran Lofthouse (Created) (JIRA)
Better integration of service based ServerAuthenticationProviders
-----------------------------------------------------------------
Key: AS7-3112
URL: https://issues.jboss.org/browse/AS7-3112
Project: Application Server 7
Issue Type: Task
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 7.1.0.Final
The security configuration of Remoting within AS7 is based on supplying three things:
- The ServerAuthenticationProvider to obtain mechanism-specific CallbackHandlers
- The OptionMap to control the security mechanisms made available / mandated.
- Possibly an initialised SSLContext for XnioSsl if SSL is being enabled.
For domain management the capabilities of the backing realm are used to define the security offered, i.e. if we have no SSL configuration we cannot enable SSL, and if the backing store cannot return the plain text passwords we cannot enable DIGEST. This has been achieved so far by using an intermediary service to define the configuration based on capabilities alone.
This task is to take it one step further and allow this intermediary to be defined within the Remoting subsystem, and maybe an equivalent for pure domain management, to act both as an intermediary that defines configuration based on the realm and to allow additional configuration overrides, i.e. we need to support the additional SASL options and SSL options available; this will somehow need to be merged / validated with the realm capabilities, e.g. if a Realm is incompatible with Digest a user cannot force the use of Digest.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
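A worked illustration of the merge / validation step the ticket asks for, written here as an added Python example rather than anything from the JBoss code base: the realm's capabilities are modelled as flags, the subsystem's SASL/SSL overrides are merged against them, and a mandated mechanism the realm cannot back (Digest without clear-text passwords) is rejected. The mechanism names and their requirement sets are assumptions.

```python
"""Capability-aware merge of Remoting security settings: an added illustration,
not JBoss code. The realm reports what it can back; overrides only get what it can."""
from dataclasses import dataclass, field

# What each mechanism needs from the realm (assumed, modelled on the ticket's
# reasoning: DIGEST needs clear-text passwords, EXTERNAL needs client certs).
MECH_REQUIREMENTS = {
    "DIGEST-MD5": {"plain_text_password"},
    "PLAIN": set(),
    "EXTERNAL": {"ssl_context", "ssl_client_auth"},
}

@dataclass(frozen=True)
class RealmCapabilities:
    plain_text_password: bool = False  # store can return the clear-text password
    ssl_context: bool = False          # an initialised SSLContext exists
    ssl_client_auth: bool = False      # realm can map client certificates to users

@dataclass
class SecurityOverrides:
    mechanisms: list = field(default_factory=list)  # offer these if the realm allows
    mandate: list = field(default_factory=list)     # these must be usable
    ssl_enabled: bool = False

class IncompatibleConfiguration(ValueError):
    """An override demands something the realm cannot provide."""

def _missing(realm, mech):
    """Capabilities the realm lacks for this mechanism (unknown mechanism is an error)."""
    if mech not in MECH_REQUIREMENTS:
        raise IncompatibleConfiguration(f"unknown mechanism {mech}")
    return sorted(r for r in MECH_REQUIREMENTS[mech] if not getattr(realm, r))

def merge_security_config(realm, overrides):
    """Return (offered mechanisms, ssl_enabled). Offered mechanisms the realm
    cannot back are dropped; mandated ones are a hard error, so nobody can force
    DIGEST on a realm without clear-text passwords. SSL needs an SSLContext."""
    offered = [m for m in overrides.mechanisms if not _missing(realm, m)]
    for mech in overrides.mandate:
        missing = _missing(realm, mech)
        if missing:
            raise IncompatibleConfiguration(
                f"{mech} is mandated but the realm lacks: {', '.join(missing)}")
        if mech not in offered:
            offered.append(mech)
    if overrides.ssl_enabled and not realm.ssl_context:
        raise IncompatibleConfiguration("SSL requested but no SSLContext is configured")
    return offered, overrides.ssl_enabled
```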
[JBoss JIRA] (AS7-4982) add-user.sh script uses a weak hashing algorithm (MD5) that has been broken for a long time
by Yannick LE NY (JIRA)
Yannick LE NY created AS7-4982:
----------------------------------
Summary: add-user.sh script uses a weak hashing algorithm (MD5) that has been broken for a long time
Key: AS7-4982
URL: https://issues.jboss.org/browse/AS7-4982
Project: Application Server 7
Issue Type: Bug
Components: Console
Affects Versions: 7.1.2.Final (EAP)
Environment: Jboss EAP 6.0 Beta2
Jboss AS 7.1.1
Linux RHEL 5.4
JDK 1.6.0_24
Reporter: Yannick LE NY
Assignee: Heiko Braun
Fix For: 7.1.3.Final (EAP)
In JBoss EAP 6.0 Beta2 or JBoss AS 7.1.1, we need to use the bin/add-user.sh script to add user access to the JBoss console.
And in the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user java class is used to:
1) add the login in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties
2) first hash the password with the MD5 hash algorithm and then copy the hashed value into the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties
When you search for the org.jboss.as.domain-add-user java class on the Internet, you find this source file
http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-dom...
and this file uses an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class that is in the file
http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/...
In the file UsernamePasswordHashUtil.java, we can see that it is the weak MD5 hash algorithm that is used, which has been broken for a long time:
At http://en.wikipedia.org/wiki/MD5, the Wikipedia article says:
"In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable...In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."[9] and most U.S. government applications now require the SHA-2 family of hash functions."
The org.jboss.sasl.util.UsernamePasswordHashUtil class uses the java.security.MessageDigest class.
As you can see at http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html, the getAlgorithm function can use several hash or Message Digest Algorithms.
The hash or Message Digest Algorithms available are:
MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512
http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry...
Then can you replace the weak MD5 Message Digest Algorithm used by add-user.sh by SHA-256 or AES-256.
The security team in my big company now wants all the application servers used in the company to use strong cipher algorithms such as 3DES used by Oracle WebLogic 10 or AES-256 used by Oracle WebLogic 11.
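An added audit example, not code from the ticket or from JBoss: it scans the mgmt-users.properties layout the reporter describes and flags entries whose stored digest is MD5 or SHA-1 sized, which is the check a practitioner would run on a server before and after changing the hashing algorithm. The file layout and the 'user:realm:password' digest input used for the constructed sample are assumptions.

```python
"""Audit a JBoss-style users properties file for digest-sized password hashes.
Added example, not part of the ticket or of JBoss; the file layout ('#' comment
lines, one 'username=hexdigest' entry per line) and the 'user:realm:password'
input to the digest are assumptions about what add-user.sh writes."""
import hashlib
import re

ENTRY_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*([0-9a-fA-F]+)\s*$")

# Hex length -> digest family, from the MessageDigest output sizes. This is a
# heuristic: it tells you the digest size, not how the value was produced.
DIGEST_BY_HEX_LEN = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}
WEAK = {"MD2", "MD5", "SHA-1"}  # the algorithms the ticket flags as weak

def classify_entries(text):
    """Return (username, digest family or None, is_weak) for each user entry."""
    results = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # comment, blank or malformed line
        user, digest = m.group(1), m.group(2)
        family = DIGEST_BY_HEX_LEN.get(len(digest))
        results.append((user, family, family in WEAK))
    return results

def weak_users(text):
    """Usernames whose stored digest is MD5/SHA-1 sized and should be re-hashed."""
    return [user for user, _, weak in classify_entries(text) if weak]

def hex_digest(algorithm, data):
    """Same shape as the MessageDigest call the ticket refers to: bytes in, hex out."""
    return hashlib.new(algorithm, data.encode("utf-8")).hexdigest()

# Constructed sample file: two MD5-sized entries and one SHA-256-sized entry.
SAMPLE = "\n".join([
    "# Properties declaration of users for the realm 'ManagementRealm'",
    "admin=" + hex_digest("md5", "admin:ManagementRealm:secret"),
    "ops=" + hex_digest("md5", "ops:ManagementRealm:hunter2"),
    "auditor=" + hex_digest("sha256", "auditor:ManagementRealm:pa55w0rd"),
    "",
])

if __name__ == "__main__":
    for user, family, weak in classify_entries(SAMPLE):
        print(f"{user:10} {family or 'unknown':8} {'WEAK' if weak else 'ok'}")
```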
[JBoss JIRA] Created: (JBAS-8198) DomainController discovery system
by Brian Stansberry (JIRA)
DomainController discovery system
---------------------------------
Key: JBAS-8198
URL: https://jira.jboss.org/browse/JBAS-8198
Project: JBoss Application Server
Issue Type: Task
Security Level: Public (Everyone can see)
Components: Domain Management
Reporter: Brian Stansberry
Fix For: 7.0.0.M1
Mechanism(s) by which a ServerManager finds a DomainController so it can begin the process of integrating into the domain.
Task includes the host.xml schema elements to configure this, the domain object model classes behind those elements, and the actual implementation of discovery from both the ServerManager and DomainController sides.
[JBoss JIRA] (AS7-5077) "JBAS014101: Failed to find SFSB instance with session ID" calling @javax.ejb.Remove method
by Marek Schmidt (JIRA)
Marek Schmidt created AS7-5077:
----------------------------------
Summary: "JBAS014101: Failed to find SFSB instance with session ID" calling @javax.ejb.Remove method
Key: AS7-5077
URL: https://issues.jboss.org/browse/AS7-5077
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.2.Final (EAP)
Reporter: Marek Schmidt
Assignee: jaikiran pai
Calling a SFSB @javax.ejb.Remove method results in an ugly INFO message in the logs:
e.g. (modified helloworld-jsf quickstart):
{code}
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.inject.Named;

@Named
@Stateless
public class RichBean {

    @Resource
    SessionContext sessionContext;

    public void greet() {
        // Look up the stateful bean through the EJB context and remove it after use
        TestEjb testEjb = (TestEjb) sessionContext.lookup("java:app/jboss-as-helloworld-jsf/TestEjb");
        System.out.println(testEjb.greet());
        testEjb.remove();
    }
}
{code}
{code}
import javax.ejb.Remove;
import javax.ejb.Stateful;

@Stateful
public class TestEjb {

    // Invoking this method destroys the stateful session bean instance
    @Remove
    public void remove() {
    }

    public String greet() {
        return "Hello";
    }
}
{code}
{code}
<h:form id="helloWorld">
    <h:commandButton action="#{richBean.greet()}" value="Greet" />
</h:form>
{code}
{noformat}
14:35:46,105 INFO [stdout] (http-/127.0.0.1:8080-1) Hello
14:35:46,106 INFO [org.jboss.as.ejb3] (http-/127.0.0.1:8080-1) JBAS014101: Failed to find SFSB instance with session ID {[95, 12, 97, -35, -110, -123, 79, -16, -116, -95, -99, -57, 52, 38, 81, 85]} in cache
{noformat}