[JBoss JIRA] (WFLY-7437) Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
by Ondrej Lukas (JIRA)
Ondrej Lukas created WFLY-7437:
----------------------------------
Summary: Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
Key: WFLY-7437
URL: https://issues.jboss.org/browse/WFLY-7437
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Minor
Attribute {{identity-mapping.otp-credential-mapper}} from Elytron ldap-realm should include Object which should contain four required attributes - algorithm-from, hash-from, seed-from, sequence-from. All of these attributes are set as nillable=false.
However CLI allows to run command where otp-credential-mapper attribute is added without any attributes which is inconsistent with their nillable=false. See following command:
{code}
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
{code}
Moreover, this command results to configuration xml without any otp-credential-mapper:
{code}
<ldap-realm name="ldap-realm" dir-context="ldap">
<identity-mapping rdn-identifier="uid"/>
</ldap-realm>
{code}
In case when at least one of otp-credential-mapper required attribute is added, then CLI command correctly fails:
{code}
/subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0155: hash-from may not be null",
"rolled-back" => true
}
{code}
Suggestion:
Do not allow to add {{identity-mapping.otp-credential-mapper}} without required attributes.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
9 years, 8 months
[JBoss JIRA] (WFLY-7437) Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFLY-7437?page=com.atlassian.jira.plugin.... ]
Ondrej Lukas updated WFLY-7437:
-------------------------------
Affects Version/s: 11.0.0.Alpha1
> Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
> ------------------------------------------------------------------------
>
> Key: WFLY-7437
> URL: https://issues.jboss.org/browse/WFLY-7437
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Minor
> Labels: user_experience
>
> Attribute {{identity-mapping.otp-credential-mapper}} from Elytron ldap-realm should include Object which should contain four required attributes - algorithm-from, hash-from, seed-from, sequence-from. All of these attributes are set as nillable=false.
> However CLI allows to run command where otp-credential-mapper attribute is added without any attributes which is inconsistent with their nillable=false. See following command:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
> {code}
> Moreover, this command results to configuration xml without any otp-credential-mapper:
> {code}
> <ldap-realm name="ldap-realm" dir-context="ldap">
> <identity-mapping rdn-identifier="uid"/>
> </ldap-realm>
> {code}
> In case when at least one of otp-credential-mapper required attribute is added, then CLI command correctly fails:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0155: hash-from may not be null",
> "rolled-back" => true
> }
> {code}
> Suggestion:
> Do not allow to add {{identity-mapping.otp-credential-mapper}} without required attributes.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
9 years, 8 months
[JBoss JIRA] (WFLY-7437) Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFLY-7437?page=com.atlassian.jira.plugin.... ]
Ondrej Lukas updated WFLY-7437:
-------------------------------
Labels: user_experience (was: )
> Inconsistencies in otp-credential-mapper attribute of Elytron ldap-realm
> ------------------------------------------------------------------------
>
> Key: WFLY-7437
> URL: https://issues.jboss.org/browse/WFLY-7437
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Minor
> Labels: user_experience
>
> Attribute {{identity-mapping.otp-credential-mapper}} from Elytron ldap-realm should include Object which should contain four required attributes - algorithm-from, hash-from, seed-from, sequence-from. All of these attributes are set as nillable=false.
> However CLI allows to run command where otp-credential-mapper attribute is added without any attributes which is inconsistent with their nillable=false. See following command:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={}})
> {code}
> Moreover, this command results to configuration xml without any otp-credential-mapper:
> {code}
> <ldap-realm name="ldap-realm" dir-context="ldap">
> <identity-mapping rdn-identifier="uid"/>
> </ldap-realm>
> {code}
> In case when at least one of otp-credential-mapper required attribute is added, then CLI command correctly fails:
> {code}
> /subsystem=elytron/ldap-realm=ldap-realm:add(dir-context=ldap,identity-mapping={rdn-identifier=uid,otp-credential-mapper={algorithm-from=atr}})
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0155: hash-from may not be null",
> "rolled-back" => true
> }
> {code}
> Suggestion:
> Do not allow to add {{identity-mapping.otp-credential-mapper}} without required attributes.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
9 years, 8 months
[JBoss JIRA] (ELY-697) Add client authentication method to authenticate a TLS peer using a security domain
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-697?page=com.atlassian.jira.plugin.sy... ]
David Lloyd resolved ELY-697.
-----------------------------
Assignee: David Lloyd
Resolution: Out of Date
This is now done via the SSL context builder and does not directly involve the authentication client anymore.
> Add client authentication method to authenticate a TLS peer using a security domain
> -----------------------------------------------------------------------------------
>
> Key: ELY-697
> URL: https://issues.jboss.org/browse/ELY-697
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Authentication Client
> Reporter: David Lloyd
> Assignee: David Lloyd
> Priority: Minor
>
> When a client connects to a remote peer, the authentication protocol in use may support true mutual authentication, where the remote peer (server) has to authenticate itself to the client. Specifically, in the TLS case the client may want to perform client-cert-style authentication with the server certificate, acquiring a SecurityIdentity in return.
> The client authentication API should have a way to specify that TLS certificate authentication should happen against a specific security domain. It should provide a means to acquire the SecurityIdentity from the SSL session (the same way as a server does, if possible).
> A server authenticating to a client does not require LoginPermission.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
9 years, 8 months
[JBoss JIRA] (ELY-698) Rework the constructor exclusion logic for authentication rules and configurations
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-698?page=com.atlassian.jira.plugin.sy... ]
David Lloyd resolved ELY-698.
-----------------------------
Fix Version/s: 1.1.0.Beta12
Resolution: Done
> Rework the constructor exclusion logic for authentication rules and configurations
> ----------------------------------------------------------------------------------
>
> Key: ELY-698
> URL: https://issues.jboss.org/browse/ELY-698
> Project: WildFly Elytron
> Issue Type: Task
> Components: Authentication Client
> Reporter: David Lloyd
> Assignee: David Lloyd
> Priority: Minor
> Fix For: 1.1.0.Beta12
>
>
> The current authentication rule and configuration classes are designed to ensure that mutually incompatible rules and configurations cannot coexist. However the implementation is applied a bit erratically. There may be problems with commutatively applying checks. Some checks may be missing or extraneous.
> We need a new approach where the mutual exclusion set is somehow enforced centrally. One option is to have literal sets, and each class that is a member of one or more sets must remove all other handlers that are also within the set(s). A predicate could be used to make this efficient by only sweeping the list one time, in contrast to the current mechanism which sweeps the list once per exclusive type.
> Another option is to have a marker interface for each capability, and to remove all peers with the same capability. A predicate can also be used in this case.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
9 years, 8 months
[JBoss JIRA] (WFLY-7395) Allow to provide deployment dependency to JNDI resource
by Miroslav Novak (JIRA)
[ https://issues.jboss.org/browse/WFLY-7395?page=com.atlassian.jira.plugin.... ]
Miroslav Novak updated WFLY-7395:
---------------------------------
Labels: user_experience (was: )
> Allow to provide deployment dependency to JNDI resource
> -------------------------------------------------------
>
> Key: WFLY-7395
> URL: https://issues.jboss.org/browse/WFLY-7395
> Project: WildFly
> Issue Type: Feature Request
> Components: Server
> Affects Versions: 10.1.0.Final
> Reporter: Miroslav Novak
> Assignee: Jason Greene
> Labels: user_experience
>
> For JBoss AS 6 there was ejb annotation @org.jboss.annotation.ejb.Depends which allowed to set dependency to JNDI resource. Currently there seems to be no replacement in Wildfly 10.x
> For example if EJB contains dependency to queue registered in JNDI:
> {code}
> @Resource(mappedName = "java:/jms/queue/OutQueue")
> private Queue outQueue;
> {code}
> then it would not get deployed when OutQueue is not present. Purpose of this feature request is to add possibility to provide such dependency in the way as @org.jboss.annotation.ejb.Depends did.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)
9 years, 8 months