[JBoss JIRA] (WFLY-7651) Session invalidation not reflected when coming from another concurrent request
by Guillermo González de Agüero (JIRA)
[ https://issues.jboss.org/browse/WFLY-7651?page=com.atlassian.jira.plugin.... ]
Guillermo González de Agüero commented on WFLY-7651:
----------------------------------------------------
The workaround I found is to create an HttpServletRequestWrapper fixing the session validation checks:
{code:java}
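import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

public class WFLY7651RequestWrapper extends HttpServletRequestWrapper {

    private final HttpServletRequest request;

    public WFLY7651RequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }

    @Override
    public boolean isRequestedSessionIdValid() {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        try {
            // Touching the session forces a state check: an invalidated
            // session throws IllegalStateException on attribute access.
            session.getAttribute("xxx");
            return true;
        } catch (IllegalStateException e) {
            return false;
        }
    }

    @Override
    public HttpSession getSession(boolean create) {
        HttpSession session = super.getSession(create);
        // Hide a session that was invalidated while this request was in flight.
        return isRequestedSessionIdValid() ? session : null;
    }
}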
{code}
{code:java}
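import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;

@WebFilter("/*")
public class WFLY7651Filter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        // Wrap every HTTP request so downstream code sees the corrected session checks.
        ServletRequest wrappedRequest = request;
        if (request instanceof HttpServletRequest) {
            wrappedRequest = new WFLY7651RequestWrapper((HttpServletRequest) request);
        }
        chain.doFilter(wrappedRequest, response);
    }

    @Override
    public void destroy() {
    }
}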
{code}
> Session invalidation not reflected when coming from another concurrent request
> ------------------------------------------------------------------------------
>
> Key: WFLY-7651
> URL: https://issues.jboss.org/browse/WFLY-7651
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 10.1.0.Final
> Reporter: Guillermo González de Agüero
> Assignee: Stuart Douglas
> Attachments: session-invalidation-1.0-SNAPSHOT.war, session-invalidation-src.zip
>
>
> When a request is being processed, and another concurrent request invalidates the session, invalidation is not reflected in the first request, i.e.: calling HttpServletRequest#isRequestedSessionIdValid() returns true. But trying to get any request attribute shows that the request is effectively destroyed. The same happens when the session expires after initiating the request.
> Related to WFLY-7568 and probably also to WFLY-6744
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 5 months
[JBoss JIRA] (WFLY-7651) Session invalidation not reflected when coming from another concurrent request
by Guillermo González de Agüero (JIRA)
[ https://issues.jboss.org/browse/WFLY-7651?page=com.atlassian.jira.plugin.... ]
Guillermo González de Agüero updated WFLY-7651:
-----------------------------------------------
Description:
When a request is being processed, and another concurrent request invalidates the session, invalidation is not reflected in the first request, i.e.: calling HttpServletRequest#isRequestedSessionIdValid() returns true. But trying to get any request attribute shows that the request is effectively destroyed. The same happens when the session expires after initiating the request.
Related to WFLY-7568 and probably also to WFLY-6744
was:
When a request is being processed, and another concurrent request invalidates the session, invalidation is not reflected in the first request, i.e.: calling HttpServletRequest#isRequestedSessionIdValid() returns true. But trying to get any request attribute shows that the request is effectively destroyed.
Related to WFLY-7568 and probably also to WFLY-6744
--
[JBoss JIRA] (WFCORE-2035) Enabling RBAC breaks WildFly
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2035?page=com.atlassian.jira.plugi... ]
Brian Stansberry moved WFLY-7656 to WFCORE-2035:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2035 (was: WFLY-7656)
Component/s: JMX
Security
(was: Security)
Affects Version/s: (was: 11.0.0.Alpha1)
> Enabling RBAC breaks WildFly
> ----------------------------
>
> Key: WFCORE-2035
> URL: https://issues.jboss.org/browse/WFCORE-2035
> Project: WildFly Core
> Issue Type: Bug
> Components: JMX, Security
> Reporter: Ingo Weiss
> Assignee: Ingo Weiss
> Priority: Blocker
>
> Enabling RBAC and reload leads to a lot of exceptions in server log in both standalone and domain mode. See attached server log.
--
[JBoss JIRA] (WFLY-7656) Enabling RBAC breaks WildFly
by Ingo Weiss (JIRA)
[ https://issues.jboss.org/browse/WFLY-7656?page=com.atlassian.jira.plugin.... ]
Ingo Weiss updated WFLY-7656:
-----------------------------
Steps to Reproduce:
# Start WildFly
# Enable RBAC: {{/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)}}
# {{reload}}
was:
# Start WildFly
# Enable RBAC: {{/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)}}
# {{reload --host=master}}/{{reload}}
> Enabling RBAC breaks WildFly
> ----------------------------
>
> Key: WFLY-7656
> URL: https://issues.jboss.org/browse/WFLY-7656
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ingo Weiss
> Assignee: Ingo Weiss
> Priority: Blocker
>
> Enabling RBAC and reload leads to a lot of exceptions in server log in both standalone and domain mode. See attached server log.
--
[JBoss JIRA] (WFLY-7656) Enabling RBAC breaks WildFly
by Ingo Weiss (JIRA)
[ https://issues.jboss.org/browse/WFLY-7656?page=com.atlassian.jira.plugin.... ]
Ingo Weiss updated WFLY-7656:
-----------------------------
Steps to Reproduce:
# Start WildFly
# Enable RBAC: {{/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)}}
# {{reload --host=master}}/{{reload}}
was:
# Run EAP
# Enable RBAC: {{/core-service=management/access=authorization:write-attribute(name=provider, value=rbac)}}
# {{reload --host=master}}/{{reload}}
--
[JBoss JIRA] (WFLY-7656) Enabling RBAC brokes EAP
by Ingo Weiss (JIRA)
[ https://issues.jboss.org/browse/WFLY-7656?page=com.atlassian.jira.plugin.... ]
Ingo Weiss moved JBEAP-7463 to WFLY-7656:
-----------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-7656 (was: JBEAP-7463)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: 11.0.0.Alpha1
(was: 7.1.0.DR8)
> Enabling RBAC brokes EAP
> ------------------------
>
> Key: WFLY-7656
> URL: https://issues.jboss.org/browse/WFLY-7656
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ingo Weiss
> Assignee: Ingo Weiss
> Priority: Blocker
>
> Enabling RBAC and reload leads to a lot of exceptions in server log in both standalone and domain mode. See attached server log.
--
[JBoss JIRA] (ELY-783) alias-filter from Elytron key-store does not work for non-lower-case alias with JKS
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-783:
--------------------------------
Summary: alias-filter from Elytron key-store does not work for non-lower-case alias with JKS
Key: ELY-783
URL: https://issues.jboss.org/browse/ELY-783
Project: WildFly Elytron
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
When the {{alias-filter}} attribute of an Elytron {{key-store}} references a non-lower-case alias (e.g. elytronAppServer), SSL does not work. When this alias is set to lower-case in alias-filter (e.g. elytronappserver), SSL works correctly.
It seems JKS always transforms aliases to lower-case (even if they are created with some upper-case characters). However, the legacy security solution was able to use an alias filter with non-lower-case characters to assign a key from a JKS keystore (probably through some internal {{.toLowerCase()}}).
If it is intended that alias-filter not be used with some upper-case characters for JKS, then this issue can be changed to a documentation issue. This is different behavior than was provided by the legacy solution.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 5 months
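A minimal reproduction of the alias folding described in ELY-783, as an added example that is not code from Elytron or from the reporter: it stores an entry under a mixed-case alias in an in-memory JKS keystore, then compares a plain string match against asking the keystore itself. The class name, the placeholder certificate and the `resolveAlias` helper are hypothetical.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.List;

public class JksAliasCaseDemo {

    // Constructed placeholder: JKS only keeps the object in memory here and
    // would call getEncoded() only on store(), which this demo never does.
    static final Certificate PLACEHOLDER = new Certificate("X.509") {
        @Override public byte[] getEncoded() { return new byte[0]; }
        @Override public void verify(PublicKey key) { }
        @Override public void verify(PublicKey key, String sigProvider) { }
        @Override public PublicKey getPublicKey() { return null; }
        @Override public String toString() { return "placeholder certificate"; }
    };

    // Hypothetical helper: map a configured alias to the spelling the store
    // actually uses, or null if the store has no such entry.
    static String resolveAlias(KeyStore ks, String configured) throws KeyStoreException {
        if (!ks.containsAlias(configured)) {   // the store applies its own case rules
            return null;
        }
        List<String> stored = Collections.list(ks.aliases());
        if (stored.contains(configured)) {     // exact spelling wins if present
            return configured;
        }
        for (String alias : stored) {
            if (alias.equalsIgnoreCase(configured)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                   // empty in-memory store
        ks.setCertificateEntry("elytronAppServer", PLACEHOLDER);

        List<String> stored = Collections.list(ks.aliases());
        System.out.println("stored aliases:     " + stored);
        System.out.println("exact string match: " + stored.contains("elytronAppServer"));
        System.out.println("ks.containsAlias:   " + ks.containsAlias("elytronAppServer"));
        System.out.println("resolved alias:     " + resolveAlias(ks, "elytronAppServer"));
    }
}
```

A filter that compares configured names against `aliases()` as plain strings misses the entry, while one that resolves names through the keystore does not.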