[JBoss JIRA] (WFLY-7554) Singleton: @AccessTimeout and @Lock on superclass method not
by Stefan Lindner (JIRA)
[ https://issues.jboss.org/browse/WFLY-7554?page=com.atlassian.jira.plugin.... ]
Stefan Lindner commented on WFLY-7554:
--------------------------------------
The problem arises if MySuperClass is not part of the deplomyment unit of MyClass.
This means:
# MySuperClass is part of say "common-lib.jar". This is a module in .../modules/my/common-lib/...
# MyClass is part of a deployment unit, say "my-deployment.jar", in standalone/deployments
# my-deplymnet.jar references common-lib.jar
The question is: is this intended by the standard that only says something about
{quote}@AccessTimeout can be specified on a business method or on a bean class (or super-class){quote}
and
{quote}Access timeouts for a singleton session bean only apply to methods eligible for concurrency locks.{quote}
So the methods of MySuperClass might not be "eligible" but the annotations at class level sould be. Or did I missunderstood this totally?
> Singleton: @AccessTimeout and @Lock on superclass method not
> -------------------------------------------------------------
>
> Key: WFLY-7554
> URL: https://issues.jboss.org/browse/WFLY-7554
> Project: WildFly
> Issue Type: Bug
> Components: EJB
> Affects Versions: 9.0.2.Final, 10.1.0.Final
> Environment: Win7_64, Oracle Java 8/102
> Reporter: Stefan Lindner
> Assignee: Stuart Douglas
>
> {code:java}
> @AccessTimeout(value=54321)
> class MySuperclass {
> @AccessTimeout(value=1200000000000L)
> public void whileBlocked() {....}
> }
> @Singleton
> @Startup
> @ConcurrencyManagement(ConcurrencyManagementType.CONTAINER)
> @DependsOn("BenutzerControllerImpl")
> @AccessTimeout(value=54321)
> @Lock(LockType.READ)
> class MyClass extends MySuperclass {
> @Lock(LockType.WRITE)
> public void myBlocker() {....}
> }
> {code}
> Calling method {code:java}whileBlocked{code} when another thread has called {code:java}myBlocker{code} leads to Exception
> javax.ejb.ConcurrentAccessTimeoutException: WFLYEJB0241: EJB 3.1 PFD2 4.8.5.5.1 concurrent access timeout on MyClass - could not obtain lock within 5000MILLISECONDS
> The standard says:
> {quote}The AccessTimeout annotation can be specified on a business method or on a bean class (or superclass).
> {quote}
> In short:
> # @AccessTimeout annotations on bean's class or method work as expected
> # Annotations on superclass do not
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months
[JBoss JIRA] (ELY-756) Elytron ldap-realm does not support recursive role search
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/ELY-756?page=com.atlassian.jira.plugin.sy... ]
Ondrej Lukas updated ELY-756:
-----------------------------
Component/s: Realms
> Elytron ldap-realm does not support recursive role search
> ---------------------------------------------------------
>
> Key: ELY-756
> URL: https://issues.jboss.org/browse/ELY-756
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.1.0.Beta13
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Scenario:
> LDAP can include some roles which are members of other roles. I try to assigned also these "nested roles" to user during authentication/authorization process.
> In EAP 7.0 (with PicketBox) I am able to set configuration, which allows to assign these roles to user. LdapExtLoginModule with module option {{roleRecursion}} serves for this. It uses int value which determines how many levels should be searched and assigned to user. I am not able to achieve this scenario with Elytron and its ldap-realm.
> Missing this feature in Elytron can lead to situation when migration from PicketBox to Elytron will not be possible since LDAP structure for role assignment used by legacy solution will not be able to work correctly with Elytron.
> See example of LDIF for LDAP server:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
> dn: uid=jduke,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: jduke
> cn: Java Duke
> sn: Duke
> userPassword: Password1
> dn: ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: Roles
> dn: cn=R1,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R1
> member: uid=jduke,ou=People,dc=jboss,dc=org
> description: the R1 group
> dn: cn=R2,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R2
> member: cn=R1,ou=Roles,dc=jboss,dc=org
> description: the R2 group
> dn: cn=R3,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R3
> member: cn=R2,ou=Roles,dc=jboss,dc=org
> description: the R3 group
> {code}
> In Elytron I am able to assigned only {{R1}} role to user jduke. Legacy solution is able to use for example {{roleRecursion=1}} which results to assign roles {{R1}} and {{R2}} to user jduke.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months
[JBoss JIRA] (ELY-756) Elytron ldap-realm does not support recursive role search
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-756:
--------------------------------
Summary: Elytron ldap-realm does not support recursive role search
Key: ELY-756
URL: https://issues.jboss.org/browse/ELY-756
Project: WildFly Elytron
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
Scenario:
LDAP can include some roles which are members of other roles. I try to assigned also these "nested roles" to user during authentication/authorization process.
In EAP 7.0 (with PicketBox) I am able to set configuration, which allows to assign these roles to user. LdapExtLoginModule with module option {{roleRecursion}} serves for this. It uses int value which determines how many levels should be searched and assigned to user. I am not able to achieve this scenario with Elytron and its ldap-realm.
Missing this feature in Elytron can lead to situation when migration from PicketBox to Elytron will not be possible since LDAP structure for role assignment used by legacy solution will not be able to work correctly with Elytron.
See example of LDIF for LDAP server:
{code}
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People
dn: uid=jduke,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: jduke
cn: Java Duke
sn: Duke
userPassword: Password1
dn: ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: Roles
dn: cn=R1,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R1
member: uid=jduke,ou=People,dc=jboss,dc=org
description: the R1 group
dn: cn=R2,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R2
member: cn=R1,ou=Roles,dc=jboss,dc=org
description: the R2 group
dn: cn=R3,ou=Roles,dc=jboss,dc=org
objectclass: top
objectclass: groupOfNames
cn: R3
member: cn=R2,ou=Roles,dc=jboss,dc=org
description: the R3 group
{code}
In Elytron I am able to assigned only {{R1}} role to user jduke. Legacy solution is able to use for example {{roleRecursion=1}} which results to assign roles {{R1}} and {{R2}} to user jduke.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months
[JBoss JIRA] (ELY-756) Elytron ldap-realm does not support recursive role search
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/ELY-756?page=com.atlassian.jira.plugin.sy... ]
Ondrej Lukas updated ELY-756:
-----------------------------
Affects Version/s: 1.1.0.Beta13
> Elytron ldap-realm does not support recursive role search
> ---------------------------------------------------------
>
> Key: ELY-756
> URL: https://issues.jboss.org/browse/ELY-756
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta13
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Scenario:
> LDAP can include some roles which are members of other roles. I try to assigned also these "nested roles" to user during authentication/authorization process.
> In EAP 7.0 (with PicketBox) I am able to set configuration, which allows to assign these roles to user. LdapExtLoginModule with module option {{roleRecursion}} serves for this. It uses int value which determines how many levels should be searched and assigned to user. I am not able to achieve this scenario with Elytron and its ldap-realm.
> Missing this feature in Elytron can lead to situation when migration from PicketBox to Elytron will not be possible since LDAP structure for role assignment used by legacy solution will not be able to work correctly with Elytron.
> See example of LDIF for LDAP server:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
> dn: uid=jduke,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: jduke
> cn: Java Duke
> sn: Duke
> userPassword: Password1
> dn: ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: Roles
> dn: cn=R1,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R1
> member: uid=jduke,ou=People,dc=jboss,dc=org
> description: the R1 group
> dn: cn=R2,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R2
> member: cn=R1,ou=Roles,dc=jboss,dc=org
> description: the R2 group
> dn: cn=R3,ou=Roles,dc=jboss,dc=org
> objectclass: top
> objectclass: groupOfNames
> cn: R3
> member: cn=R2,ou=Roles,dc=jboss,dc=org
> description: the R3 group
> {code}
> In Elytron I am able to assigned only {{R1}} role to user jduke. Legacy solution is able to use for example {{roleRecursion=1}} which results to assign roles {{R1}} and {{R2}} to user jduke.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months
[JBoss JIRA] (WFLY-7588) embed-server does not start with standalone-elytron.xml
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-7588?page=com.atlassian.jira.plugin.... ]
Martin Choma moved JBEAP-7277 to WFLY-7588:
-------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-7588 (was: JBEAP-7277)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: CLI
Security
(was: CLI)
(was: Security)
Affects Version/s: 11.0.0.Alpha1
(was: 7.1.0.DR8)
> embed-server does not start with standalone-elytron.xml
> -------------------------------------------------------
>
> Key: WFLY-7588
> URL: https://issues.jboss.org/browse/WFLY-7588
> Project: WildFly
> Issue Type: Bug
> Components: CLI, Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
>
> I am unable to start embed-server with standalone-elytron.xml
> 1){{./jboss-cli.sh}}
> 2) {{embed-server --std-out=echo -c=standalone-elytron.xml}}
> 3) server is missing org.wildfly.security.security-domain.ManagementDomain, which is however registered in elytron subsystem.
> Starting {{./standalone.sh -c=standalone-elytron.xml}} works fine.
> Full log:
> {code}
> [mchoma@localhost bin]$ ./jboss-cli.sh
> You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
> [disconnected /] embed-server --std-out=echo -c=standalone-elytron.xml
> 08:15:40,801 INFO [org.jboss.modules] (AeshProcess: 1) JBoss Modules version 1.6.0.Beta3
> 08:15:40,845 INFO [org.jboss.msc] (AeshProcess: 1) JBoss MSC version 1.2.7.Final-redhat-1
> 08:15:40,916 INFO [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049: JBoss EAP 7.1.0.Alpha1 (WildFly Core 3.0.0.Alpha12-redhat-1) starting
> 08:15:41,088 INFO [org.jboss.as.domain.management] (MSC service thread 1-5) WFLYDM0136: Registered OpenSSL provider
> 08:15:41,804 INFO [org.wildfly.security] (Controller Boot Thread) ELY00001: WildFly Elytron version 1.1.0.Beta13
> 08:15:41,805 INFO [org.wildfly.extension.elytron] (Controller Boot Thread) WFLYELY00001: Activating Elytron Subsystem Elytron Version=1.1.0.Beta13, Subsystem Version=1.0.0.Alpha13
> 08:15:41,811 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
> 08:15:41,859 INFO [org.jboss.as.patching] (MSC service thread 1-6) WFLYPAT0050: JBoss EAP cumulative patch ID is: base, one-off patches include: none
> 08:15:42,024 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("core-service" => "management"),
> ("access" => "identity")
> ]) - failure description: {
> "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.security-domain.ManagementDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => ["org.wildfly.management.identity is missing [org.wildfly.security.security-domain.ManagementDomain]"]
> }
> 08:16:19,546 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: JBoss EAP 7.1.0.Alpha1 (WildFly Core 3.0.0.Alpha12-redhat-1) stopped in 3ms
> Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: java.lang.InterruptedException
> [disconnected /]
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months
[JBoss JIRA] (WFLY-7587) Complicated failure-description for referral-mode in Elytron dir-context
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFLY-7587?page=com.atlassian.jira.plugin.... ]
Ondrej Lukas updated WFLY-7587:
-------------------------------
Labels: user_experience (was: )
> Complicated failure-description for referral-mode in Elytron dir-context
> ------------------------------------------------------------------------
>
> Key: WFLY-7587
> URL: https://issues.jboss.org/browse/WFLY-7587
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> In case when attribute {{referral-mode}} is added to {{dir-context}} with wrong value then failure-description includes IllegalArgumentException instead of some non-Java admin friendly description:
> {code}
> /subsystem=elytron/dir-context=dirContext:add(url=localhost,referral-mode=abc)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException: No enum constant org.wildfly.security.auth.realm.ldap.DirContextFactory.ReferralMode.abc",
> "rolled-back" => true
> }
> {code}
> Suggestion for improvement:
> Use the same type of failure-description as e.g. {{logical-role-mapper}}, see:
> {code}
> /subsystem=elytron/logical-role-mapper=logicalRoleMapper:add(logical-operation=abc)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0248: Invalid value abc for logical-operation; legal values are [OR, AND, XOR, MINUS]",
> "rolled-back" => true
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months
[JBoss JIRA] (WFLY-7587) Complicated failure-description for referral-mode in Elytron dir-context
by Ondrej Lukas (JIRA)
Ondrej Lukas created WFLY-7587:
----------------------------------
Summary: Complicated failure-description for referral-mode in Elytron dir-context
Key: WFLY-7587
URL: https://issues.jboss.org/browse/WFLY-7587
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
In case when attribute {{referral-mode}} is added to {{dir-context}} with wrong value then failure-description includes IllegalArgumentException instead of some non-Java admin friendly description:
{code}
/subsystem=elytron/dir-context=dirContext:add(url=localhost,referral-mode=abc)
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException: No enum constant org.wildfly.security.auth.realm.ldap.DirContextFactory.ReferralMode.abc",
"rolled-back" => true
}
{code}
Suggestion for improvement:
Use the same type of failure-description as e.g. {{logical-role-mapper}}, see:
{code}
/subsystem=elytron/logical-role-mapper=logicalRoleMapper:add(logical-operation=abc)
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0248: Invalid value abc for logical-operation; legal values are [OR, AND, XOR, MINUS]",
"rolled-back" => true
}
{code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months
[JBoss JIRA] (WFLY-7587) Complicated failure-description for referral-mode in Elytron dir-context
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFLY-7587?page=com.atlassian.jira.plugin.... ]
Ondrej Lukas updated WFLY-7587:
-------------------------------
Affects Version/s: 11.0.0.Alpha1
> Complicated failure-description for referral-mode in Elytron dir-context
> ------------------------------------------------------------------------
>
> Key: WFLY-7587
> URL: https://issues.jboss.org/browse/WFLY-7587
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> In case when attribute {{referral-mode}} is added to {{dir-context}} with wrong value then failure-description includes IllegalArgumentException instead of some non-Java admin friendly description:
> {code}
> /subsystem=elytron/dir-context=dirContext:add(url=localhost,referral-mode=abc)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException: No enum constant org.wildfly.security.auth.realm.ldap.DirContextFactory.ReferralMode.abc",
> "rolled-back" => true
> }
> {code}
> Suggestion for improvement:
> Use the same type of failure-description as e.g. {{logical-role-mapper}}, see:
> {code}
> /subsystem=elytron/logical-role-mapper=logicalRoleMapper:add(logical-operation=abc)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0248: Invalid value abc for logical-operation; legal values are [OR, AND, XOR, MINUS]",
> "rolled-back" => true
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months
[JBoss JIRA] (WFLY-7586) Wrong options for auto-completion in realms of Elytron security-domain in CLI
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFLY-7586?page=com.atlassian.jira.plugin.... ]
Ondrej Lukas updated WFLY-7586:
-------------------------------
Labels: user_experience (was: )
> Wrong options for auto-completion in realms of Elytron security-domain in CLI
> -----------------------------------------------------------------------------
>
> Key: WFLY-7586
> URL: https://issues.jboss.org/browse/WFLY-7586
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> Auto-completion for realm in realms of security-domain provides wrong options. In case when ldap-realm with name ldapName is defined in configuration then also option {{rity-realm.ldapName}} occurs in auto-completion options. I am not able to reproduce this issue with properties-realm. Take a look at Steps to Reproduce for more details.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 8 months