January 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-7830) Coverity: Logically dead code in PermissionMapperDefinitions (Elytron subsystem)

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7830?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7830: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Coverity: Logically dead code in PermissionMapperDefinitions (Elytron subsystem) > -------------------------------------------------------------------------------- > > Key: WFLY-7830 > URL: https://issues.jboss.org/browse/WFLY-7830 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Josef Cacek > Assignee: Ilia Vassilev > Labels: static_analysis > Fix For: 11.0.0.Alpha1 > > > Coverity static-analysis scan found a logically dead code in the {{PermissionMapperDefinitions.getSimplePermissionMapper}} method. > https://scan7.coverity.com/reports.htm#v16159/p12663/fileInstanceId=68921... > https://scan7.coverity.com/reports.htm#v16159/p12663/fileInstanceId=68921... > Following code > {code:java} > permissionMappings.add(new Mapping(principals != null ? principals : Collections.emptySet(), > roles != null ? roles : Collections.emptySet(), permissions)); > {code} > should rather be > {code:java} > permissionMappings.add(new Mapping(principals, roles, permissions)); > {code} > because both {{principals}} and {{roles}} local variables are initialized ({{new HashSet...}}) before this piece of code. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-350) Domain reflects jboss.server.xy properties

by ehsavoie Hugonnet (JIRA)

[ https://issues.jboss.org/browse/WFCORE-350?page=com.atlassian.jira.plugin... ] ehsavoie Hugonnet reassigned WFCORE-350: ---------------------------------------- Assignee: ehsavoie Hugonnet > Domain reflects jboss.server.xy properties > ------------------------------------------ > > Key: WFCORE-350 > URL: https://issues.jboss.org/browse/WFCORE-350 > Project: WildFly Core > Issue Type: Bug > Components: Domain Management > Reporter: Rostislav Svoboda > Assignee: ehsavoie Hugonnet > Priority: Minor > > Domain reflects jboss.server.xy properties, tested with jboss.server.log.dir property. > The same server.log file is used for both server-one and server-two. Only file boot.log is created in domain/servers/server-one/log and domain/servers/server-two/log directory. In my case file server.log contains log only for server-one, there is no log for server-two. > I think jboss.server.xy properties shouldn't be reflected in domain instances. > Even structure of https://docs.jboss.org/author/display/AS71/Command+line+parameters implies that jboss.server.xy properties are used for Standalone. > Reproducer of my steps: > {code} > rm -rf domain/servers > bin/domain.sh -Djboss.server.log.dir=/tmp/ > ls -aR domain/servers/server-one/log > ls -aR domain/servers/server-two/log > ls -l /tmp/server* > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7677) Missing validation for write-attribute operation for introspection-url from Elytron token-realm

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7677?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7677: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Missing validation for write-attribute operation for introspection-url from Elytron token-realm > ----------------------------------------------------------------------------------------------- > > Key: WFLY-7677 > URL: https://issues.jboss.org/browse/WFLY-7677 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Ondrej Lukas > Assignee: Ilia Vassilev > Labels: user_experience > Fix For: 11.0.0.Alpha1 > > > {{add}} operation for Elytron {{token-realm}} checks whether {{oauth2-introspection.introspection-url}} includes valid URL. However, in case when invalid URL is added with write-attribute operation then there is no validation. It results to failures during reloading/restarting server. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7677) Missing validation for write-attribute operation for introspection-url from Elytron token-realm

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7677?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7677: ----------------------------------- Affects Version/s: (was: 11.0.0.Alpha1) > Missing validation for write-attribute operation for introspection-url from Elytron token-realm > ----------------------------------------------------------------------------------------------- > > Key: WFLY-7677 > URL: https://issues.jboss.org/browse/WFLY-7677 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Ondrej Lukas > Assignee: Ilia Vassilev > Labels: user_experience > Fix For: 11.0.0.Alpha1 > > > {{add}} operation for Elytron {{token-realm}} checks whether {{oauth2-introspection.introspection-url}} includes valid URL. However, in case when invalid URL is added with write-attribute operation then there is no validation. It results to failures during reloading/restarting server. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7849) Missing input username wildcard for role/attribute search in Elytron ldap-realm

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7849?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7849: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Missing input username wildcard for role/attribute search in Elytron ldap-realm > ------------------------------------------------------------------------------- > > Key: WFLY-7849 > URL: https://issues.jboss.org/browse/WFLY-7849 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Jan Kalina > Assignee: Jan Kalina > Priority: Critical > Fix For: 11.0.0.Alpha1 > > > Scenario: I am trying to assign role from LDAP to user. I would like to use input username (e.g. admin) in filter, not full user DN (e.g. uid=admin,ou=People,dc=jboss,dc=org). It seems Elytron ldap-realm does not provide any wildcard which can be used for input username. > In EAP 7.0 (with PicketBox), LdapExtLoginModule provides roleFilter option which filter can contain following wildcards: > * {{\{0\}}} - for input username > * {{\{1\}}} - for authenticated full user DN > It seems that Elytron supports only wildcard for authenticated full user DN (through {{\{0\}}} wildcard). Wildcard for input username should be added. > It would be useful, when order of wildcards will be the same as in EAP 7.0 - i.e. not just add the new {{\{1\}}} for input username, but use {{\{0\}}} for input username and {{\{1\}}} for authenticated full user DN. This order is also better due to wildcard {{\{0\}}} will mean the same in identity filter and in role/attribute filter. > Missing this feature in Elytron can lead to situation when migration from PicketBox to Elytron will not be possible since LDAP structure for role assignment used by legacy solution will not be able to work correctly with Elytron. > Example of usage: > I would like to use filter like {{(description=SOME_INPUT_USERNAME_WILDCARD)}} for assigning role JBossAdmin to user jduke in following ldif: > {code} > dn: ou=People,dc=jboss,dc=org > objectclass: top > objectclass: organizationalUnit > ou: People > dn: uid=jduke,ou=People,dc=jboss,dc=org > objectclass: top > objectclass: person > objectclass: inetOrgPerson > uid: jduke > cn: Java Duke > sn: Duke > userPassword: Password > dn: uid=notUsedUser,ou=People,dc=jboss,dc=org > objectclass: top > objectclass: person > objectclass: inetOrgPerson > uid: notUsedUser > cn: not used user > sn: notUsedUser > userPassword: Password > dn: ou=Roles,dc=jboss,dc=org > objectclass: top > objectclass: organizationalUnit > ou: Roles > dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org > objectclass: top > objectclass: groupOfNames > cn: JBossAdmin > member: uid=notUsedUser,ou=People,dc=jboss,dc=org > description: jduke > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-7848) Elytron ldap-realm does not support principal to group mapping (memberOf)

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-7848?page=com.atlassian.jira.plugin.... ] Darran Lofthouse updated WFLY-7848: ----------------------------------- Fix Version/s: 11.0.0.Alpha1 > Elytron ldap-realm does not support principal to group mapping (memberOf) > ------------------------------------------------------------------------- > > Key: WFLY-7848 > URL: https://issues.jboss.org/browse/WFLY-7848 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Jan Kalina > Assignee: Jan Kalina > Priority: Blocker > Fix For: 11.0.0.Alpha1 > > > Elytron ldap-realm is not able to work with LDAP which uses principal to group mapping. It seems that there is currently no way how to configure principal to group mapping in application server. > Simplified example: > {code} > dn: uid=TestUserOne,ou=users,dc=principal-to-group,dc=example,dc=org > objectClass: groupMember > memberOf: uid=GroupOne,ou=groups,dc=principal-to-group,dc=example,dc=org > memberOf: uid=Slashy/Group,ou=groups,dc=principal-to-group,dc=example,dc=org > dn: uid=GroupOne,ou=groups,dc=principal-to-group,dc=example,dc=org > objectClass: groupMember > objectClass: group > memberOf: uid=GroupFive,ou=subgroups,ou=groups,dc=principal-to-group,dc=example,dc=org > {code} > Example for reproducing: (by olukas) > Role {{SomeRole}} is currently not able to be assigned to user {{someUser}} when following ldif is used. In this case principal to group mapping is provided by attribute {{description}}, but in can be provided by any attribute (e.g. memberOf). User {{thisUserIsNotUsed}} is used only for simpler reproduction of issue. > {code} > dn: ou=People,dc=jboss,dc=org > objectclass: top > objectclass: organizationalUnit > ou: People > dn: uid=someUser,ou=People,dc=jboss,dc=org > objectclass: top > objectclass: person > objectclass: inetOrgPerson > uid: someUser > cn: some User > sn: User > userPassword: Password > description: cn=SomeRole,ou=Roles,dc=jboss,dc=org > dn: uid=thisUserIsNotUsed,ou=People,dc=jboss,dc=org > objectclass: top > objectclass: person > objectclass: inetOrgPerson > uid: thisUserIsNotUsed > cn: this User Is Not Used > sn: this User Is Not Used > userPassword: Password > dn: ou=Roles,dc=jboss,dc=org > objectclass: top > objectclass: organizationalUnit > ou: Roles > dn: cn=SomeRole,ou=Roles,dc=jboss,dc=org > objectclass: top > objectclass: groupOfNames > cn: SomeRole > member: uid=thisUserIsNotUsed,ou=People,dc=jboss,dc=org > {code} > Mentioned ldif works with legacy security solution. > This missing feature can cause that migration from legacy security solution will not be possible -> we request blocker. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (ELY-181) Review JACC in Servlet and EJB subsystems

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-181?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-181: --------------------------------- Fix Version/s: 1.1.0.Beta20 (was: 1.1.0.Beta19) > Review JACC in Servlet and EJB subsystems > ----------------------------------------- > > Key: ELY-181 > URL: https://issues.jboss.org/browse/ELY-181 > Project: WildFly Elytron > Issue Type: Sub-task > Components: API / SPI > Reporter: Pedro Igor > Assignee: Pedro Igor > Fix For: 1.1.0.Beta20 > > -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (ELY-524) RealmIdentity data caching support in the LDAP realm

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-524?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-524: --------------------------------- Fix Version/s: 1.1.0.Beta20 (was: 1.1.0.Beta19) > RealmIdentity data caching support in the LDAP realm > ---------------------------------------------------- > > Key: ELY-524 > URL: https://issues.jboss.org/browse/ELY-524 > Project: WildFly Elytron > Issue Type: Feature Request > Components: Realms > Reporter: David Lloyd > Assignee: Pedro Igor > Priority: Critical > Fix For: 1.1.0.Beta20 > > > The LDAP realm should use a caching strategy to avoid excessive database load in the presence of per-request authentication traffic. > The realm implementation could maintain a synchronized LRU cache of one-time-initialize references to a cached DirContext or Attributes or binding or some combination of these. Because the cache is synchronized, the one-time-initialize object would be added under the lock and then the lock released before the object is populated and returned as a cached credential, allowing atomic action with a minimum of contention. > For each cached entity, a NamingListener could be established which would invalidate (or possibly update) the cached value as the database changes. > Alternatively, a NamingListener could be established for all identities, and each update would invalidate or update any cached values corresponding to the DN or resolved name. > This is a complex design topic so discussion is welcome. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (ELY-559) Token-based authentication should forward authentication

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-559?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-559: --------------------------------- Fix Version/s: 1.1.0.Beta20 (was: 1.1.0.Beta19) > Token-based authentication should forward authentication > -------------------------------------------------------- > > Key: ELY-559 > URL: https://issues.jboss.org/browse/ELY-559 > Project: WildFly Elytron > Issue Type: Enhancement > Components: Authentication Mechanisms > Reporter: David Lloyd > Fix For: 1.1.0.Beta20 > > > Mechanisms that handle BearerTokenCredetials (ELY-557) should forward them as public or private credentials (ELY-473 / https://github.com/wildfly-security/wildfly-elytron/pull/434 ). -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

[JBoss JIRA] (ELY-211) Client-side trust store configuration

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-211?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-211: --------------------------------- Fix Version/s: 1.1.0.Beta20 (was: 1.1.0.Beta19) > Client-side trust store configuration > ------------------------------------- > > Key: ELY-211 > URL: https://issues.jboss.org/browse/ELY-211 > Project: WildFly Elytron > Issue Type: Task > Components: Authentication Client > Reporter: David Lloyd > Assignee: David Lloyd > Fix For: 1.1.0.Beta20 > > > Lest I forget. The client needs the ability to supplement the default trust store, to restrict the set of acceptable peer certificates/signers, for mutual authentication purposes. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 5 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira January 2017