January 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFCORE-1963) Clean up the 'TODO Elytron' issues.

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1963?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1963: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > Clean up the 'TODO Elytron' issues. > ----------------------------------- > > Key: WFCORE-1963 > URL: https://issues.jboss.org/browse/WFCORE-1963 > Project: WildFly Core > Issue Type: Task > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha19 > > > A few classes have 'TODO Elytron' comments that need addressing. > Current List: - > {noformat} > ./core-model-test/tests/src/test/java/org/jboss/as/core/model/test/access/RoleMappingTestCase.java > ./jmx/src/test/java/org/jboss/as/jmx/rbac/JmxRbacTestCase.java > ./remoting/subsystem/src/main/java/org/jboss/as/remoting/RemotingHttpUpgradeService.java > ./remoting/subsystem/src/main/java/org/jboss/as/remoting/AbstractStreamServerService.java > ./testsuite/standalone/src/test/java/org/wildfly/core/test/standalone/mgmt/api/core/ConfigurationChangesHistoryTestCase.java > ./host-controller/src/main/java/org/jboss/as/domain/controller/plan/AbstractServerGroupRolloutTask.java > ./controller/src/main/java/org/jboss/as/controller/remote/TransactionalProtocolOperationHandler.java > ./controller/src/main/java/org/jboss/as/controller/ParallelBootOperationStepHandler.java > ./controller/src/main/java/org/jboss/as/controller/access/management/ManagementSecurityIdentitySupplier.java > ./server/src/main/java/org/jboss/as/server/mgmt/domain/HostControllerConnectionService.java > ./domain-management/src/main/java/org/jboss/as/domain/management/security/UserDomainCallbackHandler.java > ./domain-management/src/main/java/org/jboss/as/domain/management/security/WhoAmIOperation.java > ./domain-management/src/main/java/org/jboss/as/domain/management/security/PlugInAuthenticationCallbackHandler.java > ./domain-management/src/main/java/org/jboss/as/domain/management/security/JaasCallbackHandler.java > ./domain-management/src/main/java/org/jboss/as/domain/management/security/KerberosCallbackHandler.java > ./domain-management/src/main/java/org/jboss/as/domain/management/security/ClientCertCallbackHandler.java > {noformat} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1956) Audit logging post migration to WildFly Elytron

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1956?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1956: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > Audit logging post migration to WildFly Elytron > ----------------------------------------------- > > Key: WFCORE-1956 > URL: https://issues.jboss.org/browse/WFCORE-1956 > Project: WildFly Core > Issue Type: Task > Components: Domain Management, Security > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha19 > > > Also re-enable the following test: - > * org.jboss.as.test.integration.domain.suites.AuditLogTestCase -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-1955) Wrap Kerberos behaviour of legacy realms with Elytron components

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-1955?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-1955: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > Wrap Kerberos behaviour of legacy realms with Elytron components > ---------------------------------------------------------------- > > Key: WFCORE-1955 > URL: https://issues.jboss.org/browse/WFCORE-1955 > Project: WildFly Core > Issue Type: Task > Components: Domain Management, Security > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha19 > > > An re-enable the following test: - > * org.jboss.as.test.integration.domain.KerberosServerIdentityTestCase -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2068) HTTPSConnectionWithCLITestCase and HTTPSManagementInterfaceTestCase Failing Due To Native Protocol Issue

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2068?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2068: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > HTTPSConnectionWithCLITestCase and HTTPSManagementInterfaceTestCase Failing Due To Native Protocol Issue > -------------------------------------------------------------------------------------------------------- > > Key: WFCORE-2068 > URL: https://issues.jboss.org/browse/WFCORE-2068 > Project: WildFly Core > Issue Type: Bug > Components: Remoting, Test Suite > Reporter: Darran Lofthouse > Assignee: Jean-Francois Denise > Priority: Blocker > Fix For: 3.0.0.Alpha19 > > > The listed test case is failing during clean up with the following error: - > {noformat} > java.io.IOException: java.io.IOException: WFLYPRT0054: Channel closed > at org.jboss.as.protocol.mgmt.ManagementClientChannelStrategy$Establishing.getChannel(ManagementClientChannelStrategy.java:166) > at org.jboss.as.controller.client.impl.RemotingModelControllerClient.getOrCreateChannel(RemotingModelControllerClient.java:135) > at org.jboss.as.controller.client.impl.RemotingModelControllerClient$1.getChannel(RemotingModelControllerClient.java:59) > at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:135) > at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:110) > at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:263) > at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:168) > at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:147) > at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:80) > {noformat} > The stage of the test using HTTP Upgrade over a HTTPS connection appears to be working fine, the issue is with the native management interface used for test clean up. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2046) KeyManager synchronization issue when using IBM JDK

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2046?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2046: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > KeyManager synchronization issue when using IBM JDK > --------------------------------------------------- > > Key: WFCORE-2046 > URL: https://issues.jboss.org/browse/WFCORE-2046 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: Josef Cacek > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha19 > > Attachments: test-app-ibm-jdk-keymanager-sync.zip > > > We hit a {{KeyManagerFactory}} related synchronization issue in {{org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(boolean)}} method on IBM JDK. The issue occurs if there are more security realms with SSL identities in EAP and they have keystores with different passwords. > As the ApplicationRealm (in EAP 7.1) has preconfigured ssl identity configuration, the risk customers will hit this when they add their own security realm with a ssl identity is big. The frequency we hit this issue is more than 10% cases on our machines. > Our debugging suggests the problem is located in IBM JDK implementation of {{javax.net.ssl.KeyManagerFactorySpi}} (class {{com.ibm.jsse2.ae$a}}). > The workflow: > # user calls {{keyManagerFactory.init(keyStore, keystorePassword)}} which invokes {{com.ibm.jsse2.ae$a.engineInit(Keystore keyStore, char[] password)}} > # the password (from the second method parameter) is stored into static field {{com.ibm.jsse2.ae.d}} and in the next step the field is used as parameter for creating new object {{new com.ibm.jsse2.aw(keyStore, d)}} > # the previous step is not synchronized and when more threads call {{keyManagerFactory.init()}} with different passwords, wrong password may be used for retrieving a key from keystore. > *Possible workaround* > We could workaround this issue on EAP side (until it's fixed in the JDK) by synchronizing {{keyManagerFactory.init()}} call in {{AbstractKeyManagerService.createKeyManagers(boolean)}} when IBM JDK is used. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2025) CLI SSLContext Priority

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2025?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2025: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > CLI SSLContext Priority > ----------------------- > > Key: WFCORE-2025 > URL: https://issues.jboss.org/browse/WFCORE-2025 > Project: WildFly Core > Issue Type: Task > Components: CLI, Security > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Priority: Critical > Fix For: 3.0.0.Alpha19 > > > We have three different places an SSLContext could come from for the CLI: - > # CLI Configuration > # AuthenticationClient Configuration > # Default interactive SSLContext > We need to ensure they are prioritised as above. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2059) Deprecate management role mappings

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2059?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2059: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > Deprecate management role mappings > ---------------------------------- > > Key: WFCORE-2059 > URL: https://issues.jboss.org/browse/WFCORE-2059 > Project: WildFly Core > Issue Type: Task > Components: Domain Management > Reporter: Darran Lofthouse > Assignee: Darran Lofthouse > Fix For: 3.0.0.Alpha19 > > > The Elytron SecurityDomain becomes the common point where policy information such as role mapping should be handled. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2071) Properly handle unknown roles instead of throwing exception

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2071?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2071: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > Properly handle unknown roles instead of throwing exception > ----------------------------------------------------------- > > Key: WFCORE-2071 > URL: https://issues.jboss.org/browse/WFCORE-2071 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: Pedro Igor > Assignee: Darran Lofthouse > Fix For: 3.0.0.Alpha19 > > > When mapping roles directly from the identity: > {code} > <access-control provider="rbac" use-identity-roles="true"/> > {code} > If the identity has a role that is not known, a {{UnknowRoleException}} is thrown. > Ideally, we should just ignore unknown roles. Or is there any reason for this check ? -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2162) Authentication against HTTP management interface with empty username causes Internal Server Error (status 500)

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2162?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2162: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > Authentication against HTTP management interface with empty username causes Internal Server Error (status 500) > -------------------------------------------------------------------------------------------------------------- > > Key: WFCORE-2162 > URL: https://issues.jboss.org/browse/WFCORE-2162 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: Ondrej Lukas > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha19 > > > In case when empty username is passed during authentication to Management Console then exception is thrown to server log and Internal Server Error (status 500) is returned to user (which leads to displaying "Connect to Management Interface" page. User is not able to try to login again. > In WildFly 10.1.0 this scenario works fine - after passing empty username during authentication, authentication failed and login window is displayed again. I request blocker due to regression. > Exception thrown to server log: > {code} > ERROR [io.undertow.request] (management task-3) UT005071: Undertow request failed HttpServerExchange{ GET /management request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8], Accept-Language=[en-US,en;q=0.5], Accept-Encoding=[gzip, deflate], User-Agent=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0], Connection=[keep-alive], Authorization=[Digest username="", realm="ManagementRealm", nonce="AAAAAwAAAlzTPVPLC0qPi6CaEhTCHZa+QjsuAjn3OsQXcuDYAxrOtc+rRMs=", uri="/management", algorithm=MD5, response="cbd764e6c09577625476340f7bcfc84d", opaque="00000000000000000000000000000000"], Content-Type=[text/plain; charset=utf-8], Cookie=[__utma=111872281.1874867570.1477040206.1479886566.1479982414.11; __utmz=111872281.1477040206.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.5.10.1479982414; __utmt=1; __utmc=111872281], Referer=[http://localhost:9990/console/App.html], Host=[localhost:9990]} response {X-Frame-Options=[SAMEORIGIN]}}: java.lang.IllegalArgumentException > at javax.security.auth.callback.NameCallback.<init>(NameCallback.java:90) > at org.wildfly.security.http.impl.DigestAuthenticationMechanism.getH_A1(DigestAuthenticationMechanism.java:233) > at org.wildfly.security.http.impl.DigestAuthenticationMechanism.validateResponse(DigestAuthenticationMechanism.java:189) > at org.wildfly.security.http.impl.DigestAuthenticationMechanism.evaluateRequest(DigestAuthenticationMechanism.java:121) > at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115) > at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77) > at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106) > at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90) > at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74) > at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82) > at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:207) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2161) username-load attribute of legacy LDAP Realm stop to work

by Kabir Khan (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2161?page=com.atlassian.jira.plugi... ] Kabir Khan updated WFCORE-2161: ------------------------------- Fix Version/s: 3.0.0.Alpha19 (was: 3.0.0.Alpha18) > username-load attribute of legacy LDAP Realm stop to work > --------------------------------------------------------- > > Key: WFCORE-2161 > URL: https://issues.jboss.org/browse/WFCORE-2161 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: Ondrej Lukas > Assignee: Darran Lofthouse > Priority: Blocker > Fix For: 3.0.0.Alpha19 > > > {{username-load}} attribute of legacy LDAP Realm stop to work. This attribute is used for assigning username from some LDAP entry attribute. In current behavior username passed in credential is used as username even if username-load attribute is configured. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira January 2017