[JBoss JIRA] (JGRP-1914) S3_PING doesn't work with S3 buckets created in Frankfurt region
by Bela Ban (JIRA)
[ https://issues.jboss.org/browse/JGRP-1914?page=com.atlassian.jira.plugin.... ]
Bela Ban updated JGRP-1914:
---------------------------
Fix Version/s: 3.6.5
(was: 3.6.4)
Mark, I need to start the 3.6.4 release, moved this to 3.6.5.
> S3_PING doesn't work with S3 buckets created in Frankfurt region
> -----------------------------------------------------------------
>
> Key: JGRP-1914
> URL: https://issues.jboss.org/browse/JGRP-1914
> Project: JGroups
> Issue Type: Bug
> Reporter: Gleb Leonov
> Assignee: Bela Ban
> Fix For: 3.6.5
>
>
> I tried to use S3_PING with access and secret key pair. However, I got 400 (Bad Request) error. After some investigation, I found that modern S3 buckets created in Frankfurt needs amazon v4 authentication, which needs hmac-sha256. But now S3_PING supports only hmac-sha1, so I see no way to use S3_PING with buckets in Frankfurt region.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months
[JBoss JIRA] (SECURITY-897) Unable to authenticate in SPNEGO Login Module with NullPointerException
by RH Bugzilla Integration (JIRA)
[ https://issues.jboss.org/browse/SECURITY-897?page=com.atlassian.jira.plug... ]
RH Bugzilla Integration updated SECURITY-897:
---------------------------------------------
Bugzilla References: https://bugzilla.redhat.com/show_bug.cgi?id=1236606
> Unable to authenticate in SPNEGO Login Module with NullPointerException
> -----------------------------------------------------------------------
>
> Key: SECURITY-897
> URL: https://issues.jboss.org/browse/SECURITY-897
> Project: PicketBox
> Issue Type: Bug
> Components: Negotiation
> Affects Versions: Negotiation_2_3_6_Final, Negotiation_2_3_3_Final
> Environment: Red Hat JBoss EAP 6.3.2
> Reporter: Kunjan Rathod
> Assignee: Darran Lofthouse
> Labels: jboss, jboss-as
>
> Description of problem:
> The configuration with SPNEGO works fine, however from time to time the authentication fails with the following error:
> ERROR (HTTP-341) [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: java.lang.NullPointerException
> at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:420)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:356)
> Version-Release number of selected component (if applicable):
> JBoss Security Negotiation 2.3.3.Final
> How reproducible:
> This happens very rarely (20 times in a day on a system where about 50 users are working) and it is extremely hard to reproduce.
> Additional info:
> At line 420 in [1], the GSSToken is null
> ~~~~
> if (respToken != null)
> {
> NegotiationMessage response;
> if (requestMessage instanceof KerberosMessage)
> {
> response = new KerberosMessage(Constants.KERBEROS_V5, respToken);
> }
> else
> {
> NegTokenTarg negTokenTarg = new NegTokenTarg();
> negTokenTarg.setResponseToken(respToken);
> response = negTokenTarg;
> }
> ~~~~
> It looks like a GSSToken can be or is null, check the line#344 as follows:-
> ~~~~~~~~~
> public Object run()
> {
> try
> {
> // The message type will have already been checked before this point so we know it is
> // a SPNEGO message.
> NegotiationMessage requestMessage = negotiationContext.getRequestMessage();
> // TODO - Ensure no way to fall through with gssToken still null.
> byte[] gssToken = null;
> if (requestMessage instanceof NegTokenInit)
> {
> ...
> ~~~~~~~~~
> [1] : https://github.com/wildfly-security/jboss-negotiation/blob/2.3.3.Final/jb...
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months
[JBoss JIRA] (SECURITY-897) Unable to authenticate in SPNEGO Login Module with NullPointerException
by Kunjan Rathod (JIRA)
Kunjan Rathod created SECURITY-897:
--------------------------------------
Summary: Unable to authenticate in SPNEGO Login Module with NullPointerException
Key: SECURITY-897
URL: https://issues.jboss.org/browse/SECURITY-897
Project: PicketBox
Issue Type: Bug
Components: Negotiation
Affects Versions: Negotiation_2_3_3_Final, Negotiation_2_3_6_Final
Environment: Red Hat JBoss EAP 6.3.2
Reporter: Kunjan Rathod
Assignee: Darran Lofthouse
Description of problem:
The configuration with SPNEGO works fine, however from time to time the authentication fails with the following error:
ERROR (HTTP-341) [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: java.lang.NullPointerException
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:420)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:356)
Version-Release number of selected component (if applicable):
JBoss Security Negotiation 2.3.3.Final
How reproducible:
This happens very rarely (20 times in a day on a system where about 50 users are working) and it is extremely hard to reproduce.
Additional info:
At line 420 in [1], the GSSToken is null
~~~~
if (respToken != null)
{
NegotiationMessage response;
if (requestMessage instanceof KerberosMessage)
{
response = new KerberosMessage(Constants.KERBEROS_V5, respToken);
}
else
{
NegTokenTarg negTokenTarg = new NegTokenTarg();
negTokenTarg.setResponseToken(respToken);
response = negTokenTarg;
}
~~~~
It looks like a GSSToken can be or is null, check the line#344 as follows:-
~~~~~~~~~
public Object run()
{
try
{
// The message type will have already been checked before this point so we know it is
// a SPNEGO message.
NegotiationMessage requestMessage = negotiationContext.getRequestMessage();
// TODO - Ensure no way to fall through with gssToken still null.
byte[] gssToken = null;
if (requestMessage instanceof NegTokenInit)
{
...
~~~~~~~~~
[1] : https://github.com/wildfly-security/jboss-negotiation/blob/2.3.3.Final/jb...
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months
[JBoss JIRA] (ELY-221) Implement a better X.500 principal mapper
by David Lloyd (JIRA)
David Lloyd created ELY-221:
-------------------------------
Summary: Implement a better X.500 principal mapper
Key: ELY-221
URL: https://issues.jboss.org/browse/ELY-221
Project: WildFly Elytron
Issue Type: Feature Request
Reporter: David Lloyd
We can provide something better than a flat string mapping. Some thoughts on requirements:
* Require that a minimum set of keys are present, else return {{null}}
* Allow piecewise assembly of principal names with the following components:
** Static string
** Single attribute value e.g. {{dc[0]}}
** Joined attribute value (with optional subrange) e.g. {{dc:"."}} would convert {{dc=example,dc=com}} to {{example.com}}
** Joined attribute value in reverse (with optional subrange)
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months
[JBoss JIRA] (WFLY-4827) Network Connection leak on client abort connection
by Stuart Douglas (JIRA)
[ https://issues.jboss.org/browse/WFLY-4827?page=com.atlassian.jira.plugin.... ]
Stuart Douglas commented on WFLY-4827:
--------------------------------------
Can you try building the latest version of the undertow 1.1.x branch?
to build:
{code}
git clone git@github.com:undertow-io/undertow.git
cd undertow
mvn install
{code}
> Network Connection leak on client abort connection
> --------------------------------------------------
>
> Key: WFLY-4827
> URL: https://issues.jboss.org/browse/WFLY-4827
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow), Web Sockets
> Affects Versions: 8.2.0.Final
> Environment: On Windows Server 2012, JDK 1.8.0_45, Wildfly 8.2.0.Final in standalone mode.
> Reporter: Andrea Bertolini
> Assignee: Stuart Douglas
>
> We have a classic client-server application, all written in Java. Each client is installed on a forklift which can move all around a large area. This area is under wi-fi coverage.
> Sometimes the clients can have a bad connection quality and the client-server communication is interrupted; in such a case it takes too many seconds to be restored.
> To fix this situation, we add a timeout client-side. After 5 seconds it aborts the call and tries again a second time.
> To achieve this call we use apache httpcomponents library (version 4.4). We use the abort method of httppost to interrupt this call.
> Server-side, we have a group of web-servlets which listen to the incoming calls, manage requests and send a response.
> It appears that sometimes a communication remains stuck in reading or writing from/to the stream. When the client aborts the communication, an exception is thrown on the server caused by the channel being closed.
> It happens that a large number of connections remains stuck in connection status 'established' (only server-side) even if the real connection is actually closed (client doesn't have that connection active anymore).
> When the number of established connections grows up to 200, server stops responding on port 8080, so it cannot accept more connections and it seems to freeze.
> We tried to add tcp-keep-alive=true and no-request-timeout=120000 on http-listener in undertow subsystem, but sometimes it removes idle connections after any incoming requests are received for 2 minutes, some other times it keep connections as established and doesn't close them.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months
[JBoss JIRA] (ELY-220) Add a RegExSplittingNameRewriter
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-220?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse resolved ELY-220.
----------------------------------
Resolution: Rejected
Thanks, that last example does the trick ;-)
> Add a RegExSplittingNameRewriter
> ---------------------------------
>
> Key: ELY-220
> URL: https://issues.jboss.org/browse/ELY-220
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: Utils
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.0.0.Alpha2
>
>
> The existing implementations allow for replacing a portion of a name based on a regular expression or validating a name based on a regular expression - however we do not have a form that allows you to easily extract a portion of a name.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months
[JBoss JIRA] (WFLY-4766) Filter matching static resource confuses servlet matching logic
by Stuart Douglas (JIRA)
[ https://issues.jboss.org/browse/WFLY-4766?page=com.atlassian.jira.plugin.... ]
Stuart Douglas resolved WFLY-4766.
----------------------------------
Fix Version/s: 9.0.0.Final
10.0.0.Beta1
Resolution: Done
> Filter matching static resource confuses servlet matching logic
> ---------------------------------------------------------------
>
> Key: WFLY-4766
> URL: https://issues.jboss.org/browse/WFLY-4766
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 8.1.0.Final, 8.2.0.Final, 9.0.0.CR2, 10.0.0.Alpha2
> Reporter: Peter Major
> Assignee: Stuart Douglas
> Fix For: 9.0.0.Final, 10.0.0.Beta1
>
> Attachments: hello.war
>
>
> Imagine the following setup:
> * There are static files stored under the servlet context in the helloworld folder
> * there is a servlet mapped to /hello/*
> * there is a filter configured to match /helloworld/index.html
> For some reason with this set up the end result is that when I request /helloworld or /helloworld/index.html then the servlet is displayed instead of my static files (note that welcome-file-list was configured for index.html). As /hello/* *really* shouldn't match /helloworld I can only think that this is a bug in wildfly, possibly somewhere in undertow.
> Oddly enough, once the filter mapping is removed, suddenly the static file is served correctly, so the filter must have some role in this issue.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months
[JBoss JIRA] (ELY-220) Add a RegExSplittingNameRewriter
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-220?page=com.atlassian.jira.plugin.sy... ]
David Lloyd commented on ELY-220:
---------------------------------
However this case is better solved by a better PrincipalDecoder that handles structure less naively than simply flattening the X.500 principal to a string. Maybe something that allows you to select components out of the principal, and perhaps require certain components in order to successfully decode.
> Add a RegExSplittingNameRewriter
> ---------------------------------
>
> Key: ELY-220
> URL: https://issues.jboss.org/browse/ELY-220
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: Utils
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.0.0.Alpha2
>
>
> The existing implementations allow for replacing a portion of a name based on a regular expression or validating a name based on a regular expression - however we do not have a form that allows you to easily extract a portion of a name.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months
[JBoss JIRA] (ELY-220) Add a RegExSplittingNameRewriter
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-220?page=com.atlassian.jira.plugin.sy... ]
David Lloyd commented on ELY-220:
---------------------------------
Ah yes, my mistake:
{code}
NameRewriter transformingRewriter = new RegexNameRewriter(Pattern.compile("^.*?\\bdc=([^,]++).*$"), "$1", false);
{code}
> Add a RegExSplittingNameRewriter
> ---------------------------------
>
> Key: ELY-220
> URL: https://issues.jboss.org/browse/ELY-220
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: Utils
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.0.0.Alpha2
>
>
> The existing implementations allow for replacing a portion of a name based on a regular expression or validating a name based on a regular expression - however we do not have a form that allows you to easily extract a portion of a name.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
8 years, 10 months