[JBoss JIRA] (WFLY-3766) Enhance DST changes handling by EJB CalendarBasedTimeout
by Eduardo Martins (JIRA)
Eduardo Martins created WFLY-3766:
-------------------------------------
Summary: Enhance DST changes handling by EJB CalendarBasedTimeout
Key: WFLY-3766
URL: https://issues.jboss.org/browse/WFLY-3766
Project: WildFly
Issue Type: Enhancement
Security Level: Public (Everyone can see)
Components: EJB
Reporter: Eduardo Martins
Assignee: Eduardo Martins
EJB schedule expressions were designed to match UNIX Cron, but WildFly currently does not includes modern Cron handling of DST changes, i.e., on DST rollback avoid duplicate timeouts, and on DST forward avoid skipping timeouts on the skipped time period, running the related timeouts later.
This issue should add such behaviour to WildFly EJB CalendarBasedTimeout and add tests to ensure its correctness.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
11 years, 10 months
[JBoss JIRA] (SECURITY-851) Base64Utils class cuts leading zeroes from encoded bytes
by Peter Skopek (JIRA)
[ https://issues.jboss.org/browse/SECURITY-851?page=com.atlassian.jira.plug... ]
Peter Skopek resolved SECURITY-851.
-----------------------------------
Resolution: Done
PR merged
> Base64Utils class cuts leading zeroes from encoded bytes
> --------------------------------------------------------
>
> Key: SECURITY-851
> URL: https://issues.jboss.org/browse/SECURITY-851
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: PicketBox_4_0_21.Beta2
> Reporter: Josef Cacek
> Assignee: Josef Cacek
> Priority: Blocker
>
> Vault util is failing for some password/salt/iteration combinations because Base64Utils class strips zeroes from provided byte array.
> So if a user encodes a key with length 8 and the leading byte of the key is zero, then after decoding he only gets 7 (or less) bytes.
> For instance:
> {code}
> encode ( { 0, 81, 121, -37, 46, -64, 20, 114 } ) -> "1HUTikm1Ho"
> decode ("1HUTikm1Ho") -> { 81, 121, -37, 46, -64, 20, 114 }
> {code}
> As a result the PBEUtil will fail with javax.crypto.IllegalBlockSizeException.
> IMHO the same problem can occur on other places where the Base64Utils class is used (not only the Vault).
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
11 years, 10 months
[JBoss JIRA] (WFLY-3761) Security realms does not validate JAAS references to security domains
by Nicky Mølholm (JIRA)
[ https://issues.jboss.org/browse/WFLY-3761?page=com.atlassian.jira.plugin.... ]
Nicky Mølholm commented on WFLY-3761:
-------------------------------------
Hi [~dlofthouse] - I recently created a security related community discussion regarding JMS's authentication in Wildfly (https://community.jboss.org/thread/248235)
It turned out i needed to send a certain plaintext property from the client before it began to work successfully. Again here the behavior was utterly complete silence.
Also, in my company's real-world codebase we faced the same complete silence because the "Custom Login module in our security domain" had classloading issues when used from the remoting subsystem (through a jaas based security realm).
I mention these "war stories" too - to supply with my personal perspective that:
* the silent security behavior in Wildly is making it really difficult for us to get "customized security mechanisms" right.
It is by no means a show stopper. But it is really really troublesome from time to time when one doesn't get the entire end-to-end security configuration correct the first time.
> Security realms does not validate JAAS references to security domains
> ---------------------------------------------------------------------
>
> Key: WFLY-3761
> URL: https://issues.jboss.org/browse/WFLY-3761
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Domain Management, Security
> Affects Versions: 8.1.0.Final
> Environment: Development Mac
> Test Linux (Debian)
> Reporter: Nicky Mølholm
> Labels: jaas, logging, security, trace
> Fix For: Awaiting Volunteers
>
>
> *Problem*
> In the server configuration file (standalone.xml) it is possible to define a security realm that points to a security domain that does not exist - and there is no error reporting of this at all. There is no trace information of this at all, either.
> *Example*
> * Download a stock Wildfly 8.1.0.Final
> * Replace standalone.xml with this gist: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw...
> Run it and you will see now errors at all. Despite the fact that the _FlawedRealm_ points to a bogus security domain called _ThisDomainDoesntExistAtAll_ . I have captured my logoutput too. Find it here: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw...
> *What is wrong with this behavior?*
> The bootstrapping process must validate that the configuration is valid indeed. It really doesn't - not semantically that is. Only XSD compliance / XML syntax wise. And if, for some weird reason, that silence is "security" - then at least let us know of the errors on loglevel = TRACE.
> *Why is this issue created?*
> The silent behavior makes security configuration in Wildfly an _extremely expensive operation_ in terms of time spent by the average Java EE developer / administrator. I have created this issue because I want wildfly to help developers/administrators become better at spotting our errors - because, in the end, that is a tangible productivity booster.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
11 years, 10 months
[JBoss JIRA] (WFLY-1264) Create a test to get notifications when hosts join/leave a domain
by Panagiotis Sotiropoulos (JIRA)
[ https://issues.jboss.org/browse/WFLY-1264?page=com.atlassian.jira.plugin.... ]
Panagiotis Sotiropoulos reassigned WFLY-1264:
---------------------------------------------
Assignee: Panagiotis Sotiropoulos
> Create a test to get notifications when hosts join/leave a domain
> -----------------------------------------------------------------
>
> Key: WFLY-1264
> URL: https://issues.jboss.org/browse/WFLY-1264
> Project: WildFly
> Issue Type: Task
> Security Level: Public(Everyone can see)
> Components: Test Suite
> Reporter: Andrew Rubinger
> Assignee: Panagiotis Sotiropoulos
>
> Should be implemented by using the mechanism provided by AS7-1415, injection of the ManagementClient into the test. Verify this is working to fulfill the feature request from QE to get notifications on hosts joining/leaving the Domain. May depend upon the presence of an AS7 Domain Controller Container.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
11 years, 10 months
[JBoss JIRA] (WFLY-3765) Runtime modifications in static files of exploded WARs of exploded EARs aren't reflected.
by Avor Nadal (JIRA)
Avor Nadal created WFLY-3765:
--------------------------------
Summary: Runtime modifications in static files of exploded WARs of exploded EARs aren't reflected.
Key: WFLY-3765
URL: https://issues.jboss.org/browse/WFLY-3765
Project: WildFly
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Web (Undertow)
Affects Versions: 8.1.0.Final
Environment: OS: Xubuntu 14.04 64-bit (Linux)
JDK: 1.8.0 Update 20
Reporter: Avor Nadal
Assignee: Stuart Douglas
If you put a exploded WAR in $WILDFLY/standalone/deployments/ and modify a static file once the application is deployed and running, such as an HTML or JPEG file, the changes are reflected in the output to the client. However, if the exploded WAR is contained at the same time in a exploded EAR, they aren't.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
11 years, 10 months