July 2016 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-5739) Subject not populated with groups/roles when authenticated via JASPIC

by Guillermo González de Agüero (JIRA)

[ https://issues.jboss.org/browse/WFLY-5739?page=com.atlassian.jira.plugin.... ] Guillermo González de Agüero commented on WFLY-5739: ---------------------------------------------------- Hi [~stoty2]. I don't know too much about WildFly Security internals. I checked my example application again and it now works as expected. From what I can see, it seems like a valid approach, but maybe [~atijms] could provide some more insight. Anyway, I propose you to send the pull request since WF10.1 is around the corner, and this is our last opportunity to make it into the next release. > Subject not populated with groups/roles when authenticated via JASPIC > --------------------------------------------------------------------- > > Key: WFLY-5739 > URL: https://issues.jboss.org/browse/WFLY-5739 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 10.0.0.CR4 > Reporter: Arjan t > Assignee: Darran Lofthouse > Labels: jacc, jaspic > Attachments: CustomAuth.zip, picketbox.zip > > > After having authenticated via JASPIC, requesting the current {{Subject}} via JACC and then using that for permission checks fails. > For instance the following code will always set {{hasAccess}} to false given that "/protected/*" requires a role and the authenticated user is in that role: > {code:java} > Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container"); > > boolean hasAccess = Policy.getPolicy().implies( > new ProtectionDomain( > new CodeSource(null, (Certificate[]) null), > null, null, > subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()]) > ), > new WebResourcePermission("/protected/Servlet", "GET")) > ; > {code} > As it appears, the problem originates from the fact that {{subject.getPrincipals()}} does not contain the roles. > This can be traced back to {{org.jboss.security.auth.callback.JASPICallbackHandler.handleCallBack}}, where it becomes clear that the roles are only put into the "util", but not in the "authenticatedSubject": > {code:java} > String[] rolesArray = groupPrincipalCallback.getGroups(); > int sizeOfRoles = rolesArray != null ? rolesArray.length : 0; > > if( sizeOfRoles > 0 ) > { > List<Role> rolesList = new ArrayList<Role>(); > for( int i = 0; i < sizeOfRoles ; i++ ) > { > Role role = new SimpleRole( rolesArray[ i ] ); > rolesList.add( role ); > } > RoleGroup roles = new SimpleRoleGroup( SecurityConstants.ROLES_IDENTIFIER, rolesList ); > // if the current security context already has roles, we merge them with the incoming roles. > RoleGroup currentRoles = currentSC.getUtil().getRoles(); > // *** ROLES ARE ONLY SET HERE *** > if (currentRoles != null) { > currentRoles.addAll(roles.getRoles()); > } > else { > currentSC.getUtil().setRoles( roles ); > } > } > // *** BELOW THIS LINE ROLES ARE NOT REFERENCED ANYMORE > // *** SUBJECT IS NOT POPULATED WITH ANY ROLE INFO > Subject subject = groupPrincipalCallback.getSubject(); > if( subject != null ) > { > // if the current security context already has an associated subject, we merge it with the incoming subject. > Subject currentSubject = currentSC.getSubjectInfo().getAuthenticatedSubject(); > if (currentSubject != null) { > subject.getPrincipals().addAll(currentSubject.getPrincipals()); > subject.getPublicCredentials().addAll(currentSubject.getPublicCredentials()); > subject.getPrivateCredentials().addAll(currentSubject.getPrivateCredentials()); > } > currentSC.getSubjectInfo().setAuthenticatedSubject(subject); > } > {code} -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1636) --<description-property> are no more supported by ls command

by Jean-Francois Denise (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1636?page=com.atlassian.jira.plugi... ] Jean-Francois Denise updated WFCORE-1636: ----------------------------------------- Git Pull Request: https://github.com/wildfly/wildfly-core/pull/1671 > --<description-property> are no more supported by ls command > ------------------------------------------------------------ > > Key: WFCORE-1636 > URL: https://issues.jboss.org/browse/WFCORE-1636 > Project: WildFly Core > Issue Type: Bug > Components: CLI > Reporter: Jean-Francois Denise > Assignee: Jean-Francois Denise > > - ls -l --storage will make the CLI to throw an exception. storage being not known by the Command runtime. > - Furthermore completion is not offered for these options. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFLY-2441) Make Servlet container the default in Arquillian WildFly

by Tomaz Cerar (JIRA)

[ https://issues.jboss.org/browse/WFLY-2441?page=com.atlassian.jira.plugin.... ] Tomaz Cerar resolved WFLY-2441. ------------------------------- Fix Version/s: 8.0.0.Final Resolution: Done > Make Servlet container the default in Arquillian WildFly > -------------------------------------------------------- > > Key: WFLY-2441 > URL: https://issues.jboss.org/browse/WFLY-2441 > Project: WildFly > Issue Type: Feature Request > Components: Test Suite > Affects Versions: 8.0.0.Beta1 > Reporter: Karel Piwko > Assignee: Karel Piwko > Priority: Critical > Fix For: 8.0.0.Final > > > Current setting of jmx-as7 as default protocol complicated setup for consumers of Arquillian platform. > JMX-AS7 protocol should be used for testing container implementation, not for testing applications deployed on WildFly. > For that reason, WildFly testsuite should be the place where protocol is overridden to jmx-as7, not the other way around. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFLY-2441) Make Servlet container the default in Arquillian WildFly

by Tomaz Cerar (JIRA)

[ https://issues.jboss.org/browse/WFLY-2441?page=com.atlassian.jira.plugin.... ] Tomaz Cerar reopened WFLY-2441: ------------------------------- > Make Servlet container the default in Arquillian WildFly > -------------------------------------------------------- > > Key: WFLY-2441 > URL: https://issues.jboss.org/browse/WFLY-2441 > Project: WildFly > Issue Type: Feature Request > Components: Test Suite > Affects Versions: 8.0.0.Beta1 > Reporter: Karel Piwko > Assignee: Karel Piwko > Priority: Critical > > Current setting of jmx-as7 as default protocol complicated setup for consumers of Arquillian platform. > JMX-AS7 protocol should be used for testing container implementation, not for testing applications deployed on WildFly. > For that reason, WildFly testsuite should be the place where protocol is overridden to jmx-as7, not the other way around. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (JGRP-2088) ArrayIndexOutOfBoundsException on ClassConfigurator.get()

by Manuel Dominguez Sarmiento (JIRA)

[ https://issues.jboss.org/browse/JGRP-2088?page=com.atlassian.jira.plugin.... ] Manuel Dominguez Sarmiento commented on JGRP-2088: -------------------------------------------------- All peers are using 3.6.10 and this issue was not present when using 3.6.8 or any previous version. I did not suggest this check should be removed, but rather that there is regression somewhere else which is causing this. I thoroughly checked the changelogs for 3.6.9 and 3.6.8 and although I am not that faimiliar with JGroups internals, I can see that there have been some serialization and credit handling changes which might be related to this. > ArrayIndexOutOfBoundsException on ClassConfigurator.get() > --------------------------------------------------------- > > Key: JGRP-2088 > URL: https://issues.jboss.org/browse/JGRP-2088 > Project: JGroups > Issue Type: Bug > Affects Versions: 3.6.10 > Reporter: Manuel Dominguez Sarmiento > Assignee: Bela Ban > Fix For: 3.6.11, 4.0 > > Attachments: jgroups.xml > > > See the following stack trace: > [ERROR] 2016-07-09 14:26:05 [UDP-multicast receiver,shared=jgroups-shared-transport] - JGRP000030: null: failed handling incoming message: java.lang.ArrayIndexOutOfBoundsException: -1 > java.lang.ArrayIndexOutOfBoundsException: -1 > at org.jgroups.conf.ClassConfigurator.get(ClassConfigurator.java:161) > at org.jgroups.Message.readHeader(Message.java:936) > at org.jgroups.Message.readFrom(Message.java:811) > at org.jgroups.protocols.TP.handleSingleMessage(TP.java:1712) > at org.jgroups.protocols.TP.receive(TP.java:1654) > at org.jgroups.protocols.UDP$PacketReceiver.run(UDP.java:701) > at java.lang.Thread.run(Thread.java:745) > Stepping through the code with the debugger shows that the following line is failing at ClassConfigurator.get() with magic = -1 thus the java.lang.ArrayIndexOutOfBoundsException > return magic < 1024 ? magicMap[magic] : (Class)magicMapUser.get(Short.valueOf(magic)); > See attached jgroups.xml for configuration. This showed up when upgrading to 3.6.10 from 3.6.8 which worked fine. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFLY-2441) Make Servlet container the default in Arquillian WildFly

by Karel Piwko (JIRA)

[ https://issues.jboss.org/browse/WFLY-2441?page=com.atlassian.jira.plugin.... ] Karel Piwko closed WFLY-2441. ----------------------------- > Make Servlet container the default in Arquillian WildFly > -------------------------------------------------------- > > Key: WFLY-2441 > URL: https://issues.jboss.org/browse/WFLY-2441 > Project: WildFly > Issue Type: Feature Request > Components: Test Suite > Affects Versions: 8.0.0.Beta1 > Reporter: Karel Piwko > Assignee: Karel Piwko > Priority: Critical > > Current setting of jmx-as7 as default protocol complicated setup for consumers of Arquillian platform. > JMX-AS7 protocol should be used for testing container implementation, not for testing applications deployed on WildFly. > For that reason, WildFly testsuite should be the place where protocol is overridden to jmx-as7, not the other way around. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFLY-2768) Redundant code hosted in arquillian directory

by Karel Piwko (JIRA)

[ https://issues.jboss.org/browse/WFLY-2768?page=com.atlassian.jira.plugin.... ] Karel Piwko closed WFLY-2768. ----------------------------- > Redundant code hosted in arquillian directory > --------------------------------------------- > > Key: WFLY-2768 > URL: https://issues.jboss.org/browse/WFLY-2768 > Project: WildFly > Issue Type: Bug > Affects Versions: 8.0.0.CR1 > Reporter: Karel Piwko > Assignee: Karel Piwko > Fix For: 8.0.0.Final > > > There are two Maven modules that are not part of the codebase since mid 2011. It would be better to remove them. > These modules are: > * arquillian/protocol-servlet > * arquillian/processor-jsfunit -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (SECURITY-947) could not spécify version 3 for ldap connection

by cyril leclerc (JIRA)

[ https://issues.jboss.org/browse/SECURITY-947?page=com.atlassian.jira.plug... ] cyril leclerc commented on SECURITY-947: ---------------------------------------- HI, any version of JDK, wildfly version 9.0.2 but for the moment version 8 of JDK (same with JRE) > could not spécify version 3 for ldap connection > ----------------------------------------------- > > Key: SECURITY-947 > URL: https://issues.jboss.org/browse/SECURITY-947 > Project: PicketBox > Issue Type: Feature Request > Components: JBossSX > Reporter: cyril leclerc > > HI, > in case of using LDAPExtLoginModule and ldap realm if in active directory there is more than 1000 groups it returns an error : > Caused by: javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'CN=Users,DC=realad,DC=ad' > i can't change in AD the MAXPAGESIZE parameter and i can't specify the module to use version 3 of ldap how i can do ? > it is a big issue for me -) -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFLY-6638) EJB view service allows invocations through before component has started resulting in potential race

by RH Bugzilla Integration (JIRA)

[ https://issues.jboss.org/browse/WFLY-6638?page=com.atlassian.jira.plugin.... ] RH Bugzilla Integration commented on WFLY-6638: ----------------------------------------------- Jiří Bílek <jbilek(a)redhat.com> changed the Status of [bug 1330677|https://bugzilla.redhat.com/show_bug.cgi?id=1330677] from ON_QA to VERIFIED > EJB view service allows invocations through before component has started resulting in potential race > ---------------------------------------------------------------------------------------------------- > > Key: WFLY-6638 > URL: https://issues.jboss.org/browse/WFLY-6638 > Project: WildFly > Issue Type: Bug > Components: EJB > Reporter: Stuart Douglas > Assignee: Stuart Douglas > Fix For: 10.1.0.Final > > > The EJB view service does not suspend invocations when a component is not started, but instead forwards to the view interceptor chain. The view interceptors may not be ready yet, which can result in a race. -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFLY-904) The property AuthorizationManager is null exceptions and NPE on SimpleSecurityManager when connecting firstly from a remote client

by RH Bugzilla Integration (JIRA)

[ https://issues.jboss.org/browse/WFLY-904?page=com.atlassian.jira.plugin.s... ] RH Bugzilla Integration commented on WFLY-904: ---------------------------------------------- Jiří Bílek <jbilek(a)redhat.com> changed the Status of [bug 1330677|https://bugzilla.redhat.com/show_bug.cgi?id=1330677] from ON_QA to VERIFIED > The property AuthorizationManager is null exceptions and NPE on SimpleSecurityManager when connecting firstly from a remote client > ---------------------------------------------------------------------------------------------------------------------------------- > > Key: WFLY-904 > URL: https://issues.jboss.org/browse/WFLY-904 > Project: WildFly > Issue Type: Bug > Components: Security > Environment: Eclipse Juno SR2 with JBoss Tools, Mac OS X, Sun JDK 6 > Reporter: Fernando Nasser > Assignee: Darran Lofthouse > Labels: eap6, investigation_required > Fix For: 9.0.0.CR1 > > Attachments: NPEinSimpleSecurityManager, PBOX000075, QSecuredEJB.jar, QSecuredEJB.zip, SecurityRelatedSettings > > > Description of problem: > If one tries and use security enabled EJBs from a remote client (authenticated connection) before connecting first from a servlet both a Server NPE and an erroneous exception are thrown. However, if one uses some servlet-based authentication first, the missing field is "primed" and from that point on the remote application can use the secure EJBs normally, proper Role authorization is checked and enforced etc. With absolutely no changes in configuration, code (incl. annotation) whatsoever. Any number of remote client connections will succeed until you restart the server. Then the errors are back, until you "prime" the Server by connecting using a Servlet. > More complete data is attached, but here are some info: > NPE is thrown at: > org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:394) > Bean method invocation fails with exceptions containing the message: > JBAS011048: Failed to construct component instance > I am using the "other" security context for testing. > I am running the Server in standalone mode. > When I say remote I mean not in the Server, but I am running my client from localhost. > Version-Release number of selected component (if applicable): Seen on EAP 6.1.0 alpha (apparently present on AS 7.1.1 as well). > -- This message was sent by Atlassian JIRA (v6.4.11#64026)

9 years, 6 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira July 2016