January 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (JGRP-2152) ASYM_ENCRYPT failure on Wildfly 10.1.0

by Richard Achmatowicz (JIRA)

[ https://issues.jboss.org/browse/JGRP-2152?page=com.atlassian.jira.plugin.... ] Richard Achmatowicz commented on JGRP-2152: ------------------------------------------- I added an ASYM_ENCRYT layer to the server configuration for the clustering testsuite and turned on TRACE logging for the ASYM_ENCRYPT protocol. Here is the stack: {noformat} <stack name="tcp"> <transport type="TCP" socket-binding="jgroups-tcp"/> <protocol type="MPING" socket-binding="jgroups-mping"> <property name="ip_ttl">0</property> </protocol> <protocol type="MERGE3"/> <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/> <protocol type="FD"/> <protocol type="VERIFY_SUSPECT"/> <protocol type="ASYM_ENCRYPT"> <property name="encrypt_entire_message">true</property> <property name="asym_keylength">512</property> <property name="asym_algorithm">RSA</property> </protocol> <protocol type="pbcast.NAKACK2"/> <protocol type="UNICAST3"/> <protocol type="pbcast.STABLE"/> <protocol type="pbcast.GMS"/> <protocol type="MFC"/> <protocol type="FRAG2"/> </stack> {noformat} The clustering tests pass with the old config and fail with the new config. One such test, CdiFailoverTestCase, fails with the same error message as in this issue. In this test, two servers, node-0 and node-1, are started. Then node-1 is stopped and then restarted, followed by node-0 which is stolled and then retsrated. Looking at the logs, encryption seems to be progressing normally until the time at which node-1 is restarted. Then messages start getting enqueued and the cipher is reported as being null. I am attaching the files containing the server logs. So this might be a JGroups issue. > ASYM_ENCRYPT failure on Wildfly 10.1.0 > -------------------------------------- > > Key: JGRP-2152 > URL: https://issues.jboss.org/browse/JGRP-2152 > Project: JGroups > Issue Type: Bug > Affects Versions: 3.6.10 > Reporter: Matt Wringe > Assignee: Bela Ban > Fix For: 4.0, 3.6.13 > > Attachments: hawkular-metrics-1.log, hawkular-metrics-2.log, standalone.xml > > > Using ASYM_ENCRYPT on Wildfly 10.1.0 seems to be broken. > I am using the parameters for ASYM_ENCRYPT specified in http://www.jgroups.org/manual/index.html#Security > Note: running with SYM_ENCRYPT doesn't cause any issues and it works fine with my setup. Its only ASYM_ENCRYPT which is currently failing. > Note: running this on EAP fails in a similar manner. > Eg: > <protocol type="ASYM_ENCRYPT"> > <property name="encrypt_entire_message">true</property> > <property name="sym_keylength">128</property> > <property name="sym_algorithm">AES/ECB/PKCS5Padding</property> > <property name="asym_keylength">512</property> > <property name="asym_algorithm">RSA</property> > </protocol> > If I run a single instance, then I don't see any problems appear in the logs. Its when I start a second instance that I start to see errors about unrecognised ciphers and timeouts. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7884) SecurityDomainContextRealm needs to implement getRealmIdentityPrincipal()

by Darran Lofthouse (JIRA)

Darran Lofthouse created WFLY-7884: -------------------------------------- Summary: SecurityDomainContextRealm needs to implement getRealmIdentityPrincipal() Key: WFLY-7884 URL: https://issues.jboss.org/browse/WFLY-7884 Project: WildFly Issue Type: Enhancement Components: Security Reporter: Darran Lofthouse Assignee: Darran Lofthouse Fix For: 11.0.0.Alpha1 -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7883) Upgrade to Elytron Subsystem 1.0.0.Alpha19

by Darran Lofthouse (JIRA)

Darran Lofthouse created WFLY-7883: -------------------------------------- Summary: Upgrade to Elytron Subsystem 1.0.0.Alpha19 Key: WFLY-7883 URL: https://issues.jboss.org/browse/WFLY-7883 Project: WildFly Issue Type: Component Upgrade Components: Security Reporter: Darran Lofthouse Assignee: Darran Lofthouse Fix For: 11.0.0.Alpha1 -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7828) Coverity static analysis: Resource leaks in ProviderLoaderService (Elytron subsystem)

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7828?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7828: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Coverity static analysis: Resource leaks in ProviderLoaderService (Elytron subsystem) > ------------------------------------------------------------------------------------- > > Key: WFLY-7828 > URL: https://issues.jboss.org/browse/WFLY-7828 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Josef Cacek > Assignee: Ilia Vassilev > Priority: Critical > Labels: static_analysis > Fix For: 11.0.0.Alpha1 > > > Coverity static-analysis scan found 2 resource leaks in {{ProviderLoaderService}} class. > 1) > https://scan7.coverity.com/reports.htm#v16159/p12663/fileInstanceId=68921... > Following code is used in `load` method: > {code:java} > if (provider == null) { > provider = providerClazz.newInstance(); > if (configurationStreamSupplier != null) { > try (InputStream is = configurationStreamSupplier.get()) { > provider.load(configurationStreamSupplier.get()); > } > } > } > {code} > The load method should use `is` instance instead of calling the supplier again. > 2) > https://scan7.coverity.com/reports.htm#v16159/p12663/fileInstanceId=68921... > Following code is used in `toInputStream` method: > {code:java} > SecurityActions.doPrivileged((PrivilegedExceptionAction<InputStream>) () -> new FileInputStream(file) ); > return new FileInputStream(file); > {code} > There should be probably just: > {code:java} > return SecurityActions.doPrivileged((PrivilegedExceptionAction<InputStream>) () -> new FileInputStream(file) ); > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7866) Elytron ldap-realm allows access with empty password

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7866?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7866: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Elytron ldap-realm allows access with empty password > ---------------------------------------------------- > > Key: WFLY-7866 > URL: https://issues.jboss.org/browse/WFLY-7866 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Jan Kalina > Assignee: Jan Kalina > Priority: Blocker > Fix For: 11.0.0.Alpha1 > > > An empty password is treated as an anonymous login by some LDAP servers (e.g. by Microsoft Active Directory). In case when Elytron ldap-realm is configured for that type of LDAP server then access with empty password to secured web resource guarded by that ldap-realm is always granted. > There should be some attribute for configuring whether empty password should be accepted by ldap-realm. > Similar issue occurs in previous versions of application server, see: > * https://bugzilla.redhat.com/show_bug.cgi?id=901251 > * https://bugzilla.redhat.com/show_bug.cgi?id=885569 -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7720) Expose generic options for elytron dir-context

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7720?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7720: ----------------------------------- Affects Version/s: (was: 11.0.0.Alpha1) > Expose generic options for elytron dir-context > ---------------------------------------------- > > Key: WFLY-7720 > URL: https://issues.jboss.org/browse/WFLY-7720 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Martin Choma > Assignee: Jan Kalina > Priority: Critical > Fix For: 11.0.0.Alpha1 > > > Expose generic options like in case of legacy ldap outbound connection. Users relying on them can't migrate to elytron. > As [~tfonteyn] has already [pointed out|https://issues.jboss.org/browse/JBEAP-6480?focusedCommentId=13312043&...] customers use generic options exposed by legacy ldap outbound connection. > Here are references to possible properties to be configured > * [General properties|http://docs.oracle.com/javase/jndi/tutorial/beyond/env/overvie...] > * Service-specific > ** e.g. java.naming.ldap.* , for example for [connection pool configuration|http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/co...] > * Feature-specific > ** e.g. [java.naming.security.sasl.*|http://docs.oracle.com/javase/jndi/tutorial/l...] > * Provider-specific > ** e.g. com.sun.jndi.ldap.trace.ber > > AFAICT it is already prepared in elytron, just elytron-subsystem part is missing. > {code:title=SimpleDirContextFactoryBuilder.java} > // set any additional connection property > if (connectionProperties != null) { > for (Object key : connectionProperties.keySet()) { > Object value = connectionProperties.get(key.toString()); > if (value != null) { > env.put(key.toString(), value.toString()); > } > } > } > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7720) Expose generic options for elytron dir-context

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7720?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7720: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Expose generic options for elytron dir-context > ---------------------------------------------- > > Key: WFLY-7720 > URL: https://issues.jboss.org/browse/WFLY-7720 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Martin Choma > Assignee: Jan Kalina > Priority: Critical > Fix For: 11.0.0.Alpha1 > > > Expose generic options like in case of legacy ldap outbound connection. Users relying on them can't migrate to elytron. > As [~tfonteyn] has already [pointed out|https://issues.jboss.org/browse/JBEAP-6480?focusedCommentId=13312043&...] customers use generic options exposed by legacy ldap outbound connection. > Here are references to possible properties to be configured > * [General properties|http://docs.oracle.com/javase/jndi/tutorial/beyond/env/overvie...] > * Service-specific > ** e.g. java.naming.ldap.* , for example for [connection pool configuration|http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/co...] > * Feature-specific > ** e.g. [java.naming.security.sasl.*|http://docs.oracle.com/javase/jndi/tutorial/l...] > * Provider-specific > ** e.g. com.sun.jndi.ldap.trace.ber > > AFAICT it is already prepared in elytron, just elytron-subsystem part is missing. > {code:title=SimpleDirContextFactoryBuilder.java} > // set any additional connection property > if (connectionProperties != null) { > for (Object key : connectionProperties.keySet()) { > Object value = connectionProperties.get(key.toString()); > if (value != null) { > env.put(key.toString(), value.toString()); > } > } > } > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7829) Coverity: wrong condition in ProviderLoaderService.unregisterProviders (Elytron subsystem)

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7829?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7829: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Coverity: wrong condition in ProviderLoaderService.unregisterProviders (Elytron subsystem) > ------------------------------------------------------------------------------------------ > > Key: WFLY-7829 > URL: https://issues.jboss.org/browse/WFLY-7829 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Josef Cacek > Assignee: Ilia Vassilev > Priority: Critical > Fix For: 11.0.0.Alpha1 > > > Coverity static-analysis scan found an issue in a loop within the {{ProviderLoaderService.unregisterProviders}} method. > https://scan7.coverity.com/reports.htm#v16159/p12663/fileInstanceId=68921... > The condition is wrong in the code > {code:java} > for (int i = providers.length - 1; i < 0; i--) { > Security.removeProvider(providers[i].getName()); > } > {code} > There should be {{i >= 0}} instead of {{i < 0}}. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7844) Elytron dir-context supports only plaintext password

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7844?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7844: ----------------------------------- Affects Version/s: (was: 11.0.0.Alpha1) > Elytron dir-context supports only plaintext password > ---------------------------------------------------- > > Key: WFLY-7844 > URL: https://issues.jboss.org/browse/WFLY-7844 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Ondrej Lukas > Assignee: Jan Kalina > Priority: Blocker > Fix For: 11.0.0.Alpha1 > > > Only plaintext password is currently able to be configured in Elytron dir-context resource. Any integration with Credential store is missing. > We request blocker since it seems that there is currently no option how to provide non-plaintext password for dir-context to server configuration. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7844) Elytron dir-context supports only plaintext password

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7844?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7844: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Elytron dir-context supports only plaintext password > ---------------------------------------------------- > > Key: WFLY-7844 > URL: https://issues.jboss.org/browse/WFLY-7844 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Ondrej Lukas > Assignee: Jan Kalina > Priority: Blocker > Fix For: 11.0.0.Alpha1 > > > Only plaintext password is currently able to be configured in Elytron dir-context resource. Any integration with Credential store is missing. > We request blocker since it seems that there is currently no option how to provide non-plaintext password for dir-context to server configuration. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 4 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira January 2017