[JBoss JIRA] (WFLY-4065) Warning about private module use issued twice
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-4065?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse commented on WFLY-4065:
----------------------------------------
CXF is mentioned - do you have any webservices in your deployment?
> Warning about private module use issued twice
> ---------------------------------------------
>
> Key: WFLY-4065
> URL: https://issues.jboss.org/browse/WFLY-4065
> Project: WildFly
> Issue Type: Bug
> Components: Class Loading
> Affects Versions: 10.0.0.CR5
> Reporter: Frank Langelage
> Assignee: David Lloyd
> Priority: Minor
>
> My web app is using some modules of WildFly AS which are not public.
> The warning about using private modules is issued twice for every module:
> 09.11. 22:07:34,088 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.jboss.common-core:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,090 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.jboss.common-core:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,091 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.apache.commons.collections:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,091 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.apache.commons.collections:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,092 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.apache.cxf.impl:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,094 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.apache.cxf.impl:main") which may be changed or removed in future versions without notice.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months
[JBoss JIRA] (WFLY-4065) Warning about private module use issued twice
by Frank Langelage (JIRA)
[ https://issues.jboss.org/browse/WFLY-4065?page=com.atlassian.jira.plugin.... ]
Frank Langelage commented on WFLY-4065:
---------------------------------------
I checked. No, there's no dependency anymore in MANIFEST.MF.
All are of size 106 bytes, containing these lines only:
{noformat}
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.5
Created-By: 1.8.0_72-ea-b05 (Oracle Corporation)
{noformat}
> Warning about private module use issued twice
> ---------------------------------------------
>
> Key: WFLY-4065
> URL: https://issues.jboss.org/browse/WFLY-4065
> Project: WildFly
> Issue Type: Bug
> Components: Class Loading
> Affects Versions: 10.0.0.CR5
> Reporter: Frank Langelage
> Assignee: David Lloyd
> Priority: Minor
>
> My web app is using some modules of WildFly AS which are not public.
> The warning about using private modules is issued twice for every module:
> 09.11. 22:07:34,088 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.jboss.common-core:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,090 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.jboss.common-core:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,091 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.apache.commons.collections:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,091 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.apache.commons.collections:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,092 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.apache.cxf.impl:main") which may be changed or removed in future versions without notice.
> 09.11. 22:07:34,094 WARN [org.jboss.as.dependency.private#start] WFLYSRV0018: Deployment "deployment.web-maj2e-langfr-dev.war" is using a private module ("org.apache.cxf.impl:main") which may be changed or removed in future versions without notice.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months
[JBoss JIRA] (WFLY-5725) Attribute "secure" not migrated to Undertow subsystem
by Francesco Marchioni (JIRA)
[ https://issues.jboss.org/browse/WFLY-5725?page=com.atlassian.jira.plugin.... ]
Francesco Marchioni edited comment on WFLY-5725 at 11/26/15 12:10 PM:
----------------------------------------------------------------------
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the http-listener but it didn't work.
Here is the Apache configuration:
{code:java}
SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e
{code}
tcpdump reveals that the SSL_SESSION_ID is correclty exchanged with the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the application refuses to proceed and issue a redirect to an https fallback address.
was (Author: f_marchioni):
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the http-listener but it didn't work.
Here is the Apache configuration:
{code:java}
SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e
{code}
tcpdump reveals that the SSL_SESSION_ID is correclty received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the application refuses to proceed and issue a redirect to an https fallback address.
> Attribute "secure" not migrated to Undertow subsystem
> -----------------------------------------------------
>
> Key: WFLY-5725
> URL: https://issues.jboss.org/browse/WFLY-5725
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Environment: RHEL 7.1
> Reporter: Francesco Marchioni
> Assignee: Stuart Douglas
> Labels: ea, undertow
>
> We need to migrate the following EAP 6 configuration from the web subsystem:
> <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-host" native="false">
> <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
> <connector name="httpconfidential" protocol="HTTP/1.1" scheme="http" socket-binding="httpsecure" secure="true" enabled="true"/>
> <virtual-server name="default-host" enable-welcome-root="true">
> <alias name="localhost"/>
> <alias name="example.com"/>
> </virtual-server>
> </subsystem>
> This configuration uses the *secure="true" * attribute to support the transport-guarantee to CONFIDENTIAL which is required by our applications. (We don't use https in EAP which is configured only on the Apache Web server that serves request to EAP 6)
> The configuration has been migrated into EAP 7.0.0 Alpha using the CLI /subsystem=web:migrate command. Although no warnings are shown, the resulting configuration *does not contain the attribute "secure"* :
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="http" socket-binding="http"/>
> <http-listener name="httpconfidential" socket-binding="httpsecure"/>
> <host name="default-host" alias="localhost, example.com">
> <location name="/" handler="welcome-content"/>
> </host>
> </server>
> <servlet-container name="default">
> <jsp-config/>
> </servlet-container>
> <handlers>
> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
> </handlers>
> </subsystem>
> Is there any plan to provide backward compatiblity for the secure attribute in EAP 7 ?
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months
[JBoss JIRA] (WFLY-5725) Attribute "secure" not migrated to Undertow subsystem
by Francesco Marchioni (JIRA)
[ https://issues.jboss.org/browse/WFLY-5725?page=com.atlassian.jira.plugin.... ]
Francesco Marchioni edited comment on WFLY-5725 at 11/26/15 12:09 PM:
----------------------------------------------------------------------
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the http-listener but it didn't work.
Here is the Apache configuration:
{{ SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e}}
tcpdump reveals that the SSL_SESSION_ID is correclty received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the application refuses to proceed and issue a redirect to an https fallback address.
was (Author: f_marchioni):
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the http-listener but it didn't work.
Here is the Apache configuration:
SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e
tcpdump reveals that the SSL_SESSION_ID is correclty received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the application refuses to proceed and issue a redirect to an https fallback address.
> Attribute "secure" not migrated to Undertow subsystem
> -----------------------------------------------------
>
> Key: WFLY-5725
> URL: https://issues.jboss.org/browse/WFLY-5725
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Environment: RHEL 7.1
> Reporter: Francesco Marchioni
> Assignee: Stuart Douglas
> Labels: ea, undertow
>
> We need to migrate the following EAP 6 configuration from the web subsystem:
> <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-host" native="false">
> <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
> <connector name="httpconfidential" protocol="HTTP/1.1" scheme="http" socket-binding="httpsecure" secure="true" enabled="true"/>
> <virtual-server name="default-host" enable-welcome-root="true">
> <alias name="localhost"/>
> <alias name="example.com"/>
> </virtual-server>
> </subsystem>
> This configuration uses the *secure="true" * attribute to support the transport-guarantee to CONFIDENTIAL which is required by our applications. (We don't use https in EAP which is configured only on the Apache Web server that serves request to EAP 6)
> The configuration has been migrated into EAP 7.0.0 Alpha using the CLI /subsystem=web:migrate command. Although no warnings are shown, the resulting configuration *does not contain the attribute "secure"* :
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="http" socket-binding="http"/>
> <http-listener name="httpconfidential" socket-binding="httpsecure"/>
> <host name="default-host" alias="localhost, example.com">
> <location name="/" handler="welcome-content"/>
> </host>
> </server>
> <servlet-container name="default">
> <jsp-config/>
> </servlet-container>
> <handlers>
> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
> </handlers>
> </subsystem>
> Is there any plan to provide backward compatiblity for the secure attribute in EAP 7 ?
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months
[JBoss JIRA] (WFLY-5725) Attribute "secure" not migrated to Undertow subsystem
by Francesco Marchioni (JIRA)
[ https://issues.jboss.org/browse/WFLY-5725?page=com.atlassian.jira.plugin.... ]
Francesco Marchioni edited comment on WFLY-5725 at 11/26/15 12:09 PM:
----------------------------------------------------------------------
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the http-listener but it didn't work.
Here is the Apache configuration:
{code:java}
SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e
{code}
tcpdump reveals that the SSL_SESSION_ID is correclty received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the application refuses to proceed and issue a redirect to an https fallback address.
was (Author: f_marchioni):
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the http-listener but it didn't work.
Here is the Apache configuration:
{{ SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e}}
tcpdump reveals that the SSL_SESSION_ID is correclty received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the application refuses to proceed and issue a redirect to an https fallback address.
> Attribute "secure" not migrated to Undertow subsystem
> -----------------------------------------------------
>
> Key: WFLY-5725
> URL: https://issues.jboss.org/browse/WFLY-5725
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Environment: RHEL 7.1
> Reporter: Francesco Marchioni
> Assignee: Stuart Douglas
> Labels: ea, undertow
>
> We need to migrate the following EAP 6 configuration from the web subsystem:
> <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-host" native="false">
> <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
> <connector name="httpconfidential" protocol="HTTP/1.1" scheme="http" socket-binding="httpsecure" secure="true" enabled="true"/>
> <virtual-server name="default-host" enable-welcome-root="true">
> <alias name="localhost"/>
> <alias name="example.com"/>
> </virtual-server>
> </subsystem>
> This configuration uses the *secure="true" * attribute to support the transport-guarantee to CONFIDENTIAL which is required by our applications. (We don't use https in EAP which is configured only on the Apache Web server that serves request to EAP 6)
> The configuration has been migrated into EAP 7.0.0 Alpha using the CLI /subsystem=web:migrate command. Although no warnings are shown, the resulting configuration *does not contain the attribute "secure"* :
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="http" socket-binding="http"/>
> <http-listener name="httpconfidential" socket-binding="httpsecure"/>
> <host name="default-host" alias="localhost, example.com">
> <location name="/" handler="welcome-content"/>
> </host>
> </server>
> <servlet-container name="default">
> <jsp-config/>
> </servlet-container>
> <handlers>
> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
> </handlers>
> </subsystem>
> Is there any plan to provide backward compatiblity for the secure attribute in EAP 7 ?
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months
[JBoss JIRA] (WFLY-5725) Attribute "secure" not migrated to Undertow subsystem
by Francesco Marchioni (JIRA)
[ https://issues.jboss.org/browse/WFLY-5725?page=com.atlassian.jira.plugin.... ]
Francesco Marchioni commented on WFLY-5725:
-------------------------------------------
Hi,
I just wanted to mention that I have tested the certificate-forwarding=true on the http-listener but it didn't work.
Here is the Apache configuration:
SSLOptions +StdEnvVars
RewriteCond %{SSL:SSL_SESSION_ID} (.+)
RewriteRule . - [E=SESSID:%1]
RequestHeader set SSL_SESSION_ID %{SESSID}e
RewriteCond %{SSL:SSL_CLIENT_CERT} (.+)
RewriteRule . - [E=SSLCERT:%1]
RequestHeader set SSL_CLIENT_CERT %{SSLCERT}e
RewriteCond %{SSL:SSL_CIPHER} (.+)
RewriteRule . - [E=SSLCIP:%1]
RequestHeader set SSL_CIPHER %{SSLCIP}e
tcpdump reveals that the SSL_SESSION_ID is correclty received by the application server:
GET /jboss/vault/ HTTP/1.1
Host: 10.110.229.140:9280
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: Apache=a16d66d6.5256fc17642ba
*SSL_SESSION_ID: e60aac145c1e1c0070663db70f575b642a1f531edfdbd53624b5a48d7f2ab394*
SSL_CLIENT_CERT: (null)
SSL_CIPHER: ECDHE-RSA-AES128-GCM-SHA256
X-Forwarded-For: xx.xx.xx.xx
X-Forwarded-Host: xxxxx
X-Forwarded-Server: xxxxx.xxxxx.xxxxxx.it
Connection: Keep-Alive
However the certificate-forwarding seem not able to propagate the https to Undertow as the application (deployed with CONFIDENTIAL in web.xml). Since the connection is unsecure, the application refuses to proceed and issue a redirect to an https fallback address.
> Attribute "secure" not migrated to Undertow subsystem
> -----------------------------------------------------
>
> Key: WFLY-5725
> URL: https://issues.jboss.org/browse/WFLY-5725
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Environment: RHEL 7.1
> Reporter: Francesco Marchioni
> Assignee: Stuart Douglas
> Labels: ea, undertow
>
> We need to migrate the following EAP 6 configuration from the web subsystem:
> <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-host" native="false">
> <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
> <connector name="httpconfidential" protocol="HTTP/1.1" scheme="http" socket-binding="httpsecure" secure="true" enabled="true"/>
> <virtual-server name="default-host" enable-welcome-root="true">
> <alias name="localhost"/>
> <alias name="example.com"/>
> </virtual-server>
> </subsystem>
> This configuration uses the *secure="true" * attribute to support the transport-guarantee to CONFIDENTIAL which is required by our applications. (We don't use https in EAP which is configured only on the Apache Web server that serves request to EAP 6)
> The configuration has been migrated into EAP 7.0.0 Alpha using the CLI /subsystem=web:migrate command. Although no warnings are shown, the resulting configuration *does not contain the attribute "secure"* :
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="http" socket-binding="http"/>
> <http-listener name="httpconfidential" socket-binding="httpsecure"/>
> <host name="default-host" alias="localhost, example.com">
> <location name="/" handler="welcome-content"/>
> </host>
> </server>
> <servlet-container name="default">
> <jsp-config/>
> </servlet-container>
> <handlers>
> <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
> </handlers>
> </subsystem>
> Is there any plan to provide backward compatiblity for the secure attribute in EAP 7 ?
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months
[JBoss JIRA] (WFLY-5740) ContextPolicy checks purely based on names, ignores Principal types
by Arjan t (JIRA)
Arjan t created WFLY-5740:
-----------------------------
Summary: ContextPolicy checks purely based on names, ignores Principal types
Key: WFLY-5740
URL: https://issues.jboss.org/browse/WFLY-5740
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 10.0.0.CR4
Reporter: Arjan t
Assignee: Darran Lofthouse
In {{org.jboss.security.jacc.ContextPolicy}} the {{implies}} method only looks at the names of each {{Principal}} from the passed in {{ProtectionDomain}}, without checking if they're actually a role.
The collection of these names is then used to check against role based permissions.
If a user now has a name "expert" and there's also a role called "expert", access will be granted purely based on the user (caller) name. This is of course not correct.
See the following code:
{code:java}
// Check principal to role permissions
Principal[] principals = domain.getPrincipals();
int length = principals != null ? principals.length : 0;
ArrayList<String> principalNames = new ArrayList<String>();
for (int n = 0; n < length; n ++) {
Principal p = principals[n];
if( p instanceof Group ) {
Group g = (Group) p;
Enumeration<? extends Principal> iter = g.members();
while(iter.hasMoreElements()) {
p = iter.nextElement();
// *** ONLY NAME IS USED. TYPE IS IGNORED
String name = p.getName();
principalNames.add(name);
}
}
else {
String name = p.getName();
// *** ONLY NAME IS USED. TYPE IS IGNORED
principalNames.add(name);
}
}
principalNames.add(ANY_AUTHENTICATED_USER_ROLE);
for (int n = 0; implied == false && n < principalNames.size(); n ++) {
String name = principalNames.get(n);
// *** "name", WHICH CAN BE ANYTHING, USED FOR ROLE NAME HERE
Permissions perms = rolePermissions.get(name);
if( perms == null )
continue;
implied = perms.implies(permission);
}
{code}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months
[JBoss JIRA] (WFLY-5739) Subject not populated with groups/roles when authenticated via JASPIC
by Arjan t (JIRA)
Arjan t created WFLY-5739:
-----------------------------
Summary: Subject not populated with groups/roles when authenticated via JASPIC
Key: WFLY-5739
URL: https://issues.jboss.org/browse/WFLY-5739
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 10.0.0.CR4
Reporter: Arjan t
Assignee: Darran Lofthouse
After having authenticated via JASPIC, requesting the current {{Subject}} via JACC and then using that for permission checks fails.
For instance the following code will always set {{hasAccess}} to false given that "/protected/*" requires a role and the authenticated user is in that role:
{code:java}
Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
boolean hasAccess = Policy.getPolicy().implies(
new ProtectionDomain(
new CodeSource(null, (Certificate[]) null),
null, null,
subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()])
),
new WebResourcePermission("/protected/Servlet", "GET"))
;
{code}
As it appears, the problem originates from the fact that {{subject.getPrincipals()}} does not contain the roles.
This can be traced back to {{org.jboss.security.auth.callback.JASPICallbackHandler.handleCallBack}}, where it becomes clear that the roles are only put into the "util", but not in the "authenticatedSubject":
{code:java}
String[] rolesArray = groupPrincipalCallback.getGroups();
int sizeOfRoles = rolesArray != null ? rolesArray.length : 0;
if( sizeOfRoles > 0 )
{
List<Role> rolesList = new ArrayList<Role>();
for( int i = 0; i < sizeOfRoles ; i++ )
{
Role role = new SimpleRole( rolesArray[ i ] );
rolesList.add( role );
}
RoleGroup roles = new SimpleRoleGroup( SecurityConstants.ROLES_IDENTIFIER, rolesList );
// if the current security context already has roles, we merge them with the incoming roles.
RoleGroup currentRoles = currentSC.getUtil().getRoles();
// *** ROLES ARE ONLY SET HERE ***
if (currentRoles != null) {
currentRoles.addAll(roles.getRoles());
}
else {
currentSC.getUtil().setRoles( roles );
}
}
// *** BELOW THIS LINE ROLES ARE NOT REFERENCED ANYMORE
// *** SUBJECT IS NOT POPULATED WITH ANY ROLE INFO
Subject subject = groupPrincipalCallback.getSubject();
if( subject != null )
{
// if the current security context already has an associated subject, we merge it with the incoming subject.
Subject currentSubject = currentSC.getSubjectInfo().getAuthenticatedSubject();
if (currentSubject != null) {
subject.getPrincipals().addAll(currentSubject.getPrincipals());
subject.getPublicCredentials().addAll(currentSubject.getPublicCredentials());
subject.getPrivateCredentials().addAll(currentSubject.getPrivateCredentials());
}
currentSC.getSubjectInfo().setAuthenticatedSubject(subject);
}
{code}
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months
[JBoss JIRA] (WFLY-5738) Update transformers & tests for EAP 6.2, 6.3 & 6.4
by Tomaz Cerar (JIRA)
Tomaz Cerar created WFLY-5738:
---------------------------------
Summary: Update transformers & tests for EAP 6.2, 6.3 & 6.4
Key: WFLY-5738
URL: https://issues.jboss.org/browse/WFLY-5738
Project: WildFly
Issue Type: Task
Components: Domain Management
Reporter: Tomaz Cerar
Assignee: Tomaz Cerar
Transformers tests need to be updated to test for compatibility of:
- EAP 6.2
- EAP 6.3
- EAP 6.4
And possibly also micro releases of each. But that should be handled as separate task.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
10 years, 7 months