[JBoss JIRA] (WFLY-3590) Option to disable processing of authentication tokens on unsecured resources.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-3590?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-3590:
-----------------------------------
Fix Version/s: 10.0.0.Alpha1
(was: 9.0.0.CR1)
> Option to disable processing of authentication tokens on unsecured resources.
> -----------------------------------------------------------------------------
>
> Key: WFLY-3590
> URL: https://issues.jboss.org/browse/WFLY-3590
> Project: WildFly
> Issue Type: Feature Request
> Components: Web (Undertow)
> Affects Versions: 8.1.0.Final
> Environment: Oracle Java 1.8.0_05, Ubuntu 14.04
> Reporter: Harald Wellmann
> Assignee: Darran Lofthouse
> Fix For: 10.0.0.Alpha1
>
>
> WildFly sends a basic authentication challenge and denies access when it shouldn't in the following simple setup:
> {code:xml}
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>test</realm-name>
> </login-config>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>all</web-resource-name>
> <url-pattern>/hello</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>USER</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-role>
> <role-name>USER</role-name>
> </security-role>
> {code}
> {{/hello}} is the only protected URL (mapped to a servlet), other URLs like {{/index.html}} are public.
> When GETting /index.html with an (unneeded) basic authentication header, access is denied:
> {noformat}
> $ curl -v -u foo:bar http://localhost:8080/auth-basic/index.html
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 8080 (#0)
> * Server auth using Basic with user 'foo'
> > GET /auth-basic/index.html HTTP/1.1
> > Authorization: Basic Zm9vOmJhcg==
> > User-Agent: curl/7.35.0
> > Host: localhost:8080
> > Accept: */*
> >
> < HTTP/1.1 401 Unauthorized
> < Connection: keep-alive
> * Authentication problem. Ignoring this.
> < WWW-Authenticate: Basic realm="test"
> < X-Powered-By: Undertow/1
> * Server WildFly/8 is not blacklisted
> < Server: WildFly/8
> < Content-Type: text/html;charset=ISO-8859-1
> < Content-Length: 71
> < Date: Mon, 07 Jul 2014 17:28:25 GMT
> <
> * Connection #0 to host localhost left intact
> <html><head><title>Error</title></head><body>Unauthorized</body></html>
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
11 years, 2 months
[JBoss JIRA] (WFLY-210) Point to explicit security doc in server.log
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-210?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-210:
----------------------------------
Fix Version/s: 10.0.0.Alpha1
(was: 9.0.0.CR1)
> Point to explicit security doc in server.log
> --------------------------------------------
>
> Key: WFLY-210
> URL: https://issues.jboss.org/browse/WFLY-210
> Project: WildFly
> Issue Type: Enhancement
> Components: Server
> Environment: Thinkpad T510 w/ 4 cores, 8Gb, running CSB
> Reporter: Chuck Mosher
> Assignee: Darran Lofthouse
> Priority: Minor
> Labels: eap6-ux
> Fix For: 10.0.0.Alpha1
>
>
> Nice to warn me (in the server.log) that I have a security issue due to the cluster admin/user pwd using the defaults. Warning tells me to look at the docs; would it be possible to put it the hyperlink to the specific doc?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
11 years, 2 months
[JBoss JIRA] (WFLY-2440) Thread pool AccessControlContext Propagation
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-2440?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-2440:
-----------------------------------
Fix Version/s: 10.0.0.Alpha1
(was: 9.0.0.CR1)
> Thread pool AccessControlContext Propagation
> --------------------------------------------
>
> Key: WFLY-2440
> URL: https://issues.jboss.org/browse/WFLY-2440
> Project: WildFly
> Issue Type: Task
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 10.0.0.Alpha1
>
>
> A decision was made within Java that newly created threads should inherit the access control context of their creator.
> In general this was justified on the basis that if you are creating a thread you want it to inherit the permissions you already have.
> Once we introduce thread pooling that logic no longer makes as much sense and there is not the same relationship between the thread that triggers it's creation and the long term life of that thread.
> This may affect components outside of WildFly but I am raising it here as a top level task.
> Should also note that JBoss Threads does already have some protection built in if a security manager is in use but there are times the AccessControlContext will be used without a security manager so more control is required.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
11 years, 2 months
[JBoss JIRA] (WFLY-483) Allow more control over authentication for server to server communication through remote-outbound-connection
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-483?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-483:
----------------------------------
Fix Version/s: 10.0.0.Alpha1
(was: 9.0.0.CR1)
> Allow more control over authentication for server to server communication through remote-outbound-connection
> ------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-483
> URL: https://issues.jboss.org/browse/WFLY-483
> Project: WildFly
> Issue Type: Sub-task
> Components: Remoting, Security
> Reporter: jaikiran pai
> Assignee: Darran Lofthouse
> Labels: authentication_service
> Fix For: 10.0.0.Alpha1
>
>
> Right now for server to server communication via a remote-outbound-connection, we expect a static username to be specified (along with the security realm). User applications which use this remote-outbound-connection, for example an EJB application, do not have much control over the user/pass information, since the username is static. This further acts a drawback since the username that's used to connect to the remote server will be used as the (application) user who invoked the EJB.
> It would be good to allow more control over the authentication for the remote-outbound-connection.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
11 years, 2 months
[JBoss JIRA] (WFLY-431) Revisit enforcement of required file system permissions.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-431?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-431:
----------------------------------
Fix Version/s: 10.0.0.Alpha1
(was: 9.0.0.CR1)
> Revisit enforcement of required file system permissions.
> --------------------------------------------------------
>
> Key: WFLY-431
> URL: https://issues.jboss.org/browse/WFLY-431
> Project: WildFly
> Issue Type: Task
> Components: Domain Management
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Labels: management_security,
> Fix For: 10.0.0.Alpha1
>
>
> Now that AS8 has moved to Java 7 we can re-visit the level of control we have over file system permissions, this can be from taking more control of the local authentication mechanism to ensure incorrect permissions are not inherited to verifying sensitive configuration files are not world readable.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
11 years, 2 months