[JBoss JIRA] (WFLY-5774) Add Elytron security domain mappings
by Darran Lofthouse (JIRA)
Darran Lofthouse created WFLY-5774:
--------------------------------------
Summary: Add Elytron security domain mappings
Key: WFLY-5774
URL: https://issues.jboss.org/browse/WFLY-5774
Project: WildFly
Issue Type: Task
Components: Web (Undertow)
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 11.0.0.Alpha1
This is a mapping from the security domain as specified in a deployment to the HTTP authentication definition within Elytron.
This will also need an option to specify if the authentication methods as defined in the web.xml should be honoured or if the Elytron selected mechanisms should be used.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 7 months
[JBoss JIRA] (JGRP-1991) TCP_NIO2: copy on demand
by Bela Ban (JIRA)
[ https://issues.jboss.org/browse/JGRP-1991?page=com.atlassian.jira.plugin.... ]
Bela Ban commented on JGRP-1991:
--------------------------------
When using copying (a user might disable copying altogether if they pass copies to the write() anyway), we need to know which buffers have been copied yet, and which ones haven't. Since we're writing buffers from left to right (and thus copy from left to right, too), we could use a marker {{last_copied}} which is the index of the last copied buffer. All buffer after that index have not yet been copied. The following transitions can happen:
* The contents of the buffers are moved to the left -> the marker moves with the data, possibly to the first index
* We add a buffer -> marker stays in place
* We write a few buffers -> the marker moves just beyond the last _successfully_ written buffer
* A partial write occurs -> copy *all* buffers after the last successful write, up to the end of the buffer list
Whether or not to copy may also be a field of {{WriteBuffers}}.
> TCP_NIO2: copy on demand
> ------------------------
>
> Key: JGRP-1991
> URL: https://issues.jboss.org/browse/JGRP-1991
> Project: JGroups
> Issue Type: Enhancement
> Reporter: Bela Ban
> Assignee: Bela Ban
> Fix For: 3.6.7
>
>
> When TCP_NIO2 writes data, we always pass a copy of data of it, because of JGRP-1961 [1].
> However, if we copied the data only on a *partial write* (full writes don't need a copy), then we could always pass data from reused buffers down to the transport.
> Example: we want to write 3 buffers of 100, 200 and 700 bytes in a gathering write (the buffers are allocated from reusable byte[] arrays).
> If the write returns 1000, we know that all 3 buffers have been written and there is no need to copy any of the buffers. However, if only 500 bytes were written, then we can trash the first 2 buffers, but need to make a copy of the 3rd buffer in range [201 .. 700].
> This allows the sender to reuse previously allocated buffers, as all transports (UDP, TCP, TCP_NIO2) now guarantee that, on return of the send(), either the data was written completely, or a copy was made.
> [1] https://issues.jboss.org/browse/JGRP-1961
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 7 months
[JBoss JIRA] (WFLY-459) correct JPA dependency injection (stop injecting javassist)
by Scott Marlow (JIRA)
[ https://issues.jboss.org/browse/WFLY-459?page=com.atlassian.jira.plugin.s... ]
Scott Marlow commented on WFLY-459:
-----------------------------------
We probably need both (JPADependencyProcessor + static) exports of javassist, to cover all three cases:
1. native Hibernate applications
2. container managed JPA applications
3. container managed JPA applications that embed their own copy of Hibernate jars
> correct JPA dependency injection (stop injecting javassist)
> -----------------------------------------------------------
>
> Key: WFLY-459
> URL: https://issues.jboss.org/browse/WFLY-459
> Project: WildFly
> Issue Type: Task
> Components: JPA / Hibernate
> Reporter: Scott Marlow
> Assignee: Scott Marlow
>
> Rather than export the javassist dependency, see if we can change javassist to generate proxies for the application classes which aren't on the hibernate module class path.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 7 months
[JBoss JIRA] (WFLY-5771) IIOP operations need SerializablePermission("enableSubclassImplementation")
by Ivo Studensky (JIRA)
[ https://issues.jboss.org/browse/WFLY-5771?page=com.atlassian.jira.plugin.... ]
Ivo Studensky commented on WFLY-5771:
-------------------------------------
Similar fix has to be done for Narayana as well, see JBTM-2577.
> IIOP operations need SerializablePermission("enableSubclassImplementation")
> ---------------------------------------------------------------------------
>
> Key: WFLY-5771
> URL: https://issues.jboss.org/browse/WFLY-5771
> Project: WildFly
> Issue Type: Bug
> Components: IIOP, Transactions
> Affects Versions: 10.0.0.CR4
> Reporter: Ivo Studensky
> Assignee: Ivo Studensky
>
> Since JDK 7u25 version {{org.omg.CORBA_2_3.portable.Output/InputStream}} classes need extra permissions if Security Manager is enabled. Because of a previous vulnerability, it now checks {{SerializablePermission("enableSubclassImplementation")}}. There is a property flag to allow subclass instantiations without the security check (jdk.corba.allowOutputStreamSubclass=true), but this system property is subject to removal in the future Java releases, according to my findings.
> At the moment, our IIOP code fails (can be seen in iiop tests of WildFly testsuite) when running with SM enabled.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 7 months
[JBoss JIRA] (WFLY-5521) Tests from IIOP module fails with security manager
by Ivo Studensky (JIRA)
[ https://issues.jboss.org/browse/WFLY-5521?page=com.atlassian.jira.plugin.... ]
Ivo Studensky commented on WFLY-5521:
-------------------------------------
I've filed PR with a fix for IIOPSecurityInvocationTestCase.
Remaining issues in IIOP tests are covered by WFLY-5771 and JBTM-2577.
> Tests from IIOP module fails with security manager
> --------------------------------------------------
>
> Key: WFLY-5521
> URL: https://issues.jboss.org/browse/WFLY-5521
> Project: WildFly
> Issue Type: Bug
> Components: Test Suite
> Affects Versions: 10.0.0.CR2
> Reporter: Marek Kopecký
> Assignee: Ivo Studensky
> Attachments: IIOP.tests.txt
>
>
> *Description of problem:*
> Tests from IIOP module fails with security manager.
> *How reproducible:*
> Always
> *Steps to Reproduce:*
> # ./integration-tests.sh -Dmaven.repo.local=$MAVEN_REPO_LOCAL -fae -Dmaven.test.failure.ignore=true -Dnode0=$MYTESTIP_1 -Dnode1=$MYTESTIP_2 -Dmcast=$MCAST_ADDR -Djboss.dist=$JBOSS_DIST -Dsecurity.manager -Dts.IIOP -Dts.noSmoke
> *Actual results:*
> See attached file
> *Expected results:*
> No errors
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 7 months
[JBoss JIRA] (DROOLS-996) Default Stateless Session in Kie Server
by Justin Goldsmith (JIRA)
[ https://issues.jboss.org/browse/DROOLS-996?page=com.atlassian.jira.plugin... ]
Justin Goldsmith updated DROOLS-996:
------------------------------------
Component/s: kie server
Affects Version/s: 6.3.0.Final
> Default Stateless Session in Kie Server
> ---------------------------------------
>
> Key: DROOLS-996
> URL: https://issues.jboss.org/browse/DROOLS-996
> Project: Drools
> Issue Type: Feature Request
> Components: kie server
> Affects Versions: 6.3.0.Final
> Reporter: Justin Goldsmith
> Assignee: Justin Goldsmith
> Priority: Minor
>
> When executing against a container in kie server if the default session is stateful you do not have to provide a lookup, but if the default session is stateless it throws an exception stating there is no default session. While this is easy to work around its not intuitive.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 7 months
[JBoss JIRA] (DROOLS-996) Default Stateless Session in Kie Server
by Justin Goldsmith (JIRA)
Justin Goldsmith created DROOLS-996:
---------------------------------------
Summary: Default Stateless Session in Kie Server
Key: DROOLS-996
URL: https://issues.jboss.org/browse/DROOLS-996
Project: Drools
Issue Type: Feature Request
Reporter: Justin Goldsmith
Assignee: Justin Goldsmith
Priority: Minor
When executing against a container in kie server if the default session is stateful you do not have to provide a lookup, but if the default session is stateless it throws an exception stating there is no default session. While this is easy to work around its not intuitive.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 7 months
[JBoss JIRA] (WFLY-5771) IIOP operations need SerializablePermission("enableSubclassImplementation")
by Ivo Studensky (JIRA)
[ https://issues.jboss.org/browse/WFLY-5771?page=com.atlassian.jira.plugin.... ]
Ivo Studensky commented on WFLY-5771:
-------------------------------------
stacktrace:
{noformat}
at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:271)
at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
at org.omg.CORBA_2_3.portable.InputStream.checkPermission(InputStream.java:67)
at org.omg.CORBA_2_3.portable.InputStream.<init>(InputStream.java:84)
at com.sun.corba.se.impl.encoding.CDRInputStream.<init>(CDRInputStream.java:116)
at com.sun.corba.se.impl.encoding.EncapsInputStream.<init>(EncapsInputStream.java:66)
at com.sun.corba.se.impl.encoding.EncapsInputStream.<init>(EncapsInputStream.java:120)
at com.sun.corba.se.impl.encoding.EncapsInputStream.<init>(EncapsInputStream.java:98)
at org.wildfly.iiop.openjdk.csiv2.CSIV2IORToSocketInfo.readCompoundSecMechList(CSIV2IORToSocketInfo.java:146)
at org.wildfly.iiop.openjdk.csiv2.CSIV2IORToSocketInfo.selectSSLTransportAddress(CSIV2IORToSocketInfo.java:117)
at org.wildfly.iiop.openjdk.csiv2.CSIV2IORToSocketInfo.getSocketInfo(CSIV2IORToSocketInfo.java:99)
at com.sun.corba.se.impl.transport.CorbaContactInfoListImpl.addRemoteContactInfos(CorbaContactInfoListImpl.java:189)
at com.sun.corba.se.impl.transport.CorbaContactInfoListImpl.createContactInfoList(CorbaContactInfoListImpl.java:178)
at com.sun.corba.se.impl.transport.CorbaContactInfoListImpl.iterator(CorbaContactInfoListImpl.java:80)
- locked <0x359a> (a com.sun.corba.se.impl.transport.CorbaContactInfoListImpl)
at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.request(CorbaClientDelegateImpl.java:122)
at org.omg.CORBA.portable.ObjectImpl._request(ObjectImpl.java:449)
at org.jboss.as.ejb3.iiop.stub.DynamicIIOPStub.invoke(DynamicIIOPStub.java:123)
at interface org.jboss.as.test.iiop.transaction.IIOPTransactionalStatefulRemote_Stub.sameTransaction(Unknown Source:-1)
at org.jboss.as.test.iiop.transaction.ClientEjb.testSynchronization(ClientEjb.java:61)
{noformat}
> IIOP operations need SerializablePermission("enableSubclassImplementation")
> ---------------------------------------------------------------------------
>
> Key: WFLY-5771
> URL: https://issues.jboss.org/browse/WFLY-5771
> Project: WildFly
> Issue Type: Bug
> Components: IIOP, Transactions
> Affects Versions: 10.0.0.CR4
> Reporter: Ivo Studensky
> Assignee: Ivo Studensky
>
> Since JDK 7u25 version {{org.omg.CORBA_2_3.portable.Output/InputStream}} classes need extra permissions if Security Manager is enabled. Because of a previous vulnerability, it now checks {{SerializablePermission("enableSubclassImplementation")}}. There is a property flag to allow subclass instantiations without the security check (jdk.corba.allowOutputStreamSubclass=true), but this system property is subject to removal in the future Java releases, according to my findings.
> At the moment, our IIOP code fails (can be seen in iiop tests of WildFly testsuite) when running with SM enabled.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
8 years, 7 months