[JBoss JIRA] (WFLY-7492) Value of parameter "restart-required" for some attributes in Elytron subsystem resources does not match reality
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-7492?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-7492:
-----------------------------------
Fix Version/s: 11.0.0.Alpha1
> Value of parameter "restart-required" for some attributes in Elytron subsystem resources does not match reality
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-7492
> URL: https://issues.jboss.org/browse/WFLY-7492
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Kotek
> Assignee: Darran Lofthouse
> Labels: user_experience
> Fix For: 11.0.0.Alpha1
>
>
> Some attributes of some resources in the {{elytron}} subsystem define in their description that it is not necessary to do a {{reload}} or {{restart}}. But reality is different: when trying to change such attributes, you are informed that a {{reload}} is necessary:
> {noformat}
> configurable-sasl-server-factory/filters
> configurable-sasl-server-factory/properties
> custom-role-mapper/*
> aggregate-http-server-mechanism-factory/http-server-factories
> constant-permission-mapper/permissions
> filesystem-realm/levels
> filesystem-realm/name-rewriter
> ldap-key-store/attributes/new-item-template
> service-loader-http-server-mechanism-factory/module
> aggregate-principal-decoder/principal-decoders
> simple-permission-mapper/permission-mappings
> chained-name-rewriter/name-rewriters
> custom-permission-mapper/*
> configurable-http-server-mechanism-factory/properties
> custom-name-rewriter/*
> aggregate-sasl-server-factory/sasl-server-factories
> aggregate-name-rewriter/name-rewriters
> ldap-realm/identity-mapping/*
> mechanism-provider-filtering-sasl-server-factory/filters
> custom-principal-decoder/*
> custom-realm-mapper/*
> jdbc-realm/principal-query
> key-managers/credential-reference
> service-loader-sasl-server-factory/module
> concatenating-principal-decoder/principal-decoders
> credential-store/alias/*
> custom-modifiable-realm/*
> custom-credential-security-factory/*
> key-store/credential-reference
> custom-role-decoder/*
> aggregate-role-mapper/role-mappers
> custom-realm/*
> {noformat}
> The attributes are defined as {{"restart-required" => "no-services"}}, see e.g. {{/subsystem=elytron/concatenating-principal-decoder=concatPrincDecoder:read-resource-description}}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
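The mismatch reported above can be checked mechanically rather than by hand: compare what `:read-resource-description` advertises as `restart-required` with what the server actually answers to a `:write-attribute` (the `response-headers` carry `operation-requires-reload` and `process-state` when a change only takes effect after reload). The following is an added example, not code from WildFly or from the report; the two sample responses are constructed by hand in the shape the HTTP management interface returns (DMR as JSON), and the attribute names `principal-decoders` and `joiner` are used only as illustration.

```python
"""Compare an Elytron attribute's declared ``restart-required`` with what the
server actually enforces on ``write-attribute``.

Added example, not part of WFLY-7492 or of WildFly itself. Two inputs a
management client can fetch are compared:

  * ``:read-resource-description`` -> ``result.attributes.<name>.restart-required``
  * ``:write-attribute`` response   -> ``response-headers`` carrying
    ``operation-requires-reload`` / ``process-state`` when the change only
    takes effect after a reload.

Both samples below are constructed by hand; they are not captures from a server.
"""
import json

# Constructed sample: what read-resource-description claims for two attributes
# of a concatenating-principal-decoder.
DESCRIPTION = {
    "outcome": "success",
    "result": {
        "attributes": {
            "principal-decoders": {"type": "LIST", "restart-required": "no-services"},
            "joiner": {"type": "STRING", "restart-required": "no-services"},
        }
    },
}

# Constructed sample: what write-attribute answered for each of them.
WRITE_RESPONSES = {
    "principal-decoders": {
        "outcome": "success",
        "response-headers": {
            "operation-requires-reload": True,
            "process-state": "reload-required",
        },
    },
    "joiner": {"outcome": "success"},
}

# The model's restart-required vocabulary, reduced to the one question that
# matters to an administrator: is a reload/restart needed before the change is live?
RELOAD_NEEDED = {
    "no-services": False,        # applied in place
    "resource-services": False,  # the resource's own services restart in place
    "all-services": True,        # reload required
    "jvm": True,                 # full process restart required
}


def write_attribute_op(address, name, value):
    """Build the DMR-as-JSON request body for write-attribute.

    ``address`` is a list of single-key dicts, e.g.
    [{"subsystem": "elytron"}, {"concatenating-principal-decoder": "x"}].
    """
    return {"operation": "write-attribute", "address": address, "name": name, "value": value}


def declared_restart(description, attribute):
    """restart-required as advertised by read-resource-description."""
    return description["result"]["attributes"][attribute].get("restart-required", "no-services")


def observed_restart(response):
    """Map a write-attribute response onto the same vocabulary.

    Only reload/restart is observable from the headers: an attribute that
    silently restarted its own services looks like "no-services" here.
    """
    if response.get("outcome") != "success":
        raise ValueError("operation failed: %r" % response.get("failure-description"))
    headers = response.get("response-headers", {})
    if headers.get("operation-requires-restart") or headers.get("process-state") == "restart-required":
        return "jvm"
    if headers.get("operation-requires-reload") or headers.get("process-state") == "reload-required":
        return "all-services"
    return "no-services"


def find_mismatches(description, responses):
    """{attribute: (declared, observed)} for attributes where the description
    and the server's actual behaviour disagree on whether a reload is needed."""
    mismatches = {}
    for attribute, response in responses.items():
        declared = declared_restart(description, attribute)
        observed = observed_restart(response)
        if RELOAD_NEEDED[declared] != RELOAD_NEEDED[observed]:
            mismatches[attribute] = (declared, observed)
    return mismatches


if __name__ == "__main__":
    address = [{"subsystem": "elytron"}, {"concatenating-principal-decoder": "concatPrincDecoder"}]
    print(json.dumps(write_attribute_op(address, "joiner", "@")))
    for attr, (declared, observed) in find_mismatches(DESCRIPTION, WRITE_RESPONSES).items():
        print("%s: description says %s, server enforced %s" % (attr, declared, observed))
```

When running this against a live server, start from a clean process state: once the server is already in `reload-required`, every subsequent response carries that header and the comparison says nothing about the attribute just written.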
[JBoss JIRA] (WFLY-7481) Definition Credential Store with existing storage file but with wrong store password causes ugly failure-description.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-7481?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-7481:
-----------------------------------
Fix Version/s: 11.0.0.Alpha1
> Definition Credential Store with existing storage file but with wrong store password causes ugly failure-description.
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-7481
> URL: https://issues.jboss.org/browse/WFLY-7481
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Fix For: 11.0.0.Alpha1
>
>
> Defining a Credential Store with an existing storage file but with the wrong store password causes an ugly failure-description.
> *How to reproduce*
> Prepare a credential store file (the easiest way is to create a credential store from scratch):
> /subsystem=elytron/credential-store=cs_pass123:add(uri="cr-store://test/cs/ks-pass123.jceks?store.password=pass123;create.storage=true")
> /subsystem=elytron/credential-store=cs_pass123/alias=dbPass:add(secret-value=passwordToDB)
> Then I try to create a Credential Store with the wrong store password for the existing store file:
> /subsystem=elytron/credential-store=cs_wrong_store_pass:add(uri="cr-store://test/cs/ks-pass123.jceks?store.password=pass123wrong;key.password=pass123=true")
> *I can see this result:*
> {code}
> {
>     "outcome" => "failed",
>     "failure-description" => {
>         "WFLYCTL0080: Failed services" => {"org.wildfly.security.credential-store-client.cs_wrong_key_pass" => "org.jboss.msc.service.StartException in service org.wildfly.security.credential-store-client.cs_wrong_key_pass: WFLYELY00004: Unable to start the service.
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09506: Cannot read credential storage file '/home/hsvabek/securityworkspace/VERIFICATION/2016_11_02_UX_testing/jboss-eap-7.1.0.DR7/standalone/data/cs/ks-pass123.jceks' for the store named 'cs_wrong_key_pass'
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect"},
>         "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.credential-store-client.cs_wrong_key_pass"],
>         "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
>     },
>     "rolled-back" => true
> }
> {code}
> *Suggestion for solution*
> The failure-description must not contain an Exception or a stack trace snippet.
> A description like "Password to access credential store is incorrect." should be used instead.
--
[JBoss JIRA] (WFLY-7502) Complicated failure-description in Elytron constant-permission-mapper
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-7502?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-7502:
-----------------------------------
Fix Version/s: 11.0.0.Alpha1
> Complicated failure-description in Elytron constant-permission-mapper
> ---------------------------------------------------------------------
>
> Key: WFLY-7502
> URL: https://issues.jboss.org/browse/WFLY-7502
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
> Fix For: 11.0.0.Alpha1
>
>
> There is a complicated failure-description in Elytron constant-permission-mapper. The failure description in CLI should not contain an Exception or a snippet of a stack trace. Instead of the "Caused by:" parts from the example below, please use some administrator-friendly, non-Java message.
> Complicated failure-description:
> {code}
> /subsystem=elytron/constant-permission-mapper=permission-mapper:add(permissions=[{class-name=WrongClass}])
> {
>     "outcome" => "failed",
>     "failure-description" => {
>         "WFLYCTL0080: Failed services" => {"org.wildfly.security.permission-mapper.permission-mapper" => "org.jboss.msc.service.StartException in service org.wildfly.security.permission-mapper.permission-mapper: WFLYELY00021: Exception while creating the permission object for the permission mapping. Please check [class-name], [target-name] (name of permission) and [action] of [WrongClass].
> Caused by: org.wildfly.security.permission.InvalidPermissionClassException: ELY03015: Could not load permission class \"WrongClass\"
> Caused by: java.lang.ClassNotFoundException: WrongClass from [Module \"org.wildfly.extension.elytron:main\" from local module loader @5479e3f (finder: local module finder @27082746 (roots: /home/olukas/workspace/temp/uxcli/jboss-eap-7.1/modules,/home/olukas/workspace/temp/uxcli/jboss-eap-7.1/modules/system/layers/base))]"},
>         "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.permission-mapper.permission-mapper"],
>         "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
>     },
>     "rolled-back" => true
> }
> {code}
--
[JBoss JIRA] (WFLY-7522) Definition Elytron key-manager with key-store (which needs password) without filled credential-reference causes ugly failure-description with senseless Exception.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-7522?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-7522:
-----------------------------------
Fix Version/s: 11.0.0.Alpha1
> Definition Elytron key-manager with key-store (which needs password) without filled credential-reference causes ugly failure-description with senseless Exception.
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-7522
> URL: https://issues.jboss.org/browse/WFLY-7522
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Fix For: 11.0.0.Alpha1
>
>
> Defining an Elytron key-manager with a key-store (which needs a password) without a filled-in credential-reference causes an ugly failure-description with a senseless Exception.
> *Steps to reproduce*
> * Copy the attached firefly.keystore to eap_home/standalone/data/cs.
> * /subsystem=elytron/key-store=ff001:add(path=cs/firefly.keystore,relative-to=jboss.server.data.dir,type=JKS,credential-reference={clear-text=Elytron})
> * /subsystem=elytron/key-managers=keymanager001:add(algorithm=SunX509, key-store=ff001)
> And you get this output:
> {code}
> {
>     "outcome" => "failed",
>     "failure-description" => {
>         "WFLYCTL0080: Failed services" => {"org.wildfly.security.key-managers.km002" => "org.jboss.msc.service.StartException in service org.wildfly.security.key-managers.km002: Failed to start service
> Caused by: java.lang.NullPointerException"},
>         "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.key-managers.km002"],
>         "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
>     },
>     "rolled-back" => true
> }
> {code}
> There must be some kind of information about the missing credential-reference, or at least about the missing (wrong) password for key-store access.
> When I add a credential-reference with the password to the key-store there, the operation passes:
> /subsystem=elytron/key-managers=keymanager001:add(algorithm=SunX509, key-store=ff001, credential-reference={clear-text=Elytron})
> *Suggestions for improvement*
> The failure-description must not contain an Exception or a stack trace snippet.
> Please replace the WFLYCTL0080 part with a better message,
> e.g. "credential-reference is required" or "Missing password for key-store access".
--
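WFLY-7481, WFLY-7502 and WFLY-7522 all ask for the same thing: a `failure-description` that tells the administrator what to fix instead of echoing a Java cause chain (which, as the quoted outputs show, also discloses absolute server paths and module roots). The block below is an added example of how such a mapping can be done on the client side; it is not WildFly code, the message table is this example's own, and the three sample responses are constructed from the outputs quoted in the reports with the reporters' home-directory paths replaced by a `<data-dir>` placeholder.

```python
"""Turn a WildFly ``failure-description`` that embeds a Java cause chain into
an administrator-facing message. Added example for WFLY-7481 / WFLY-7502 /
WFLY-7522; not WildFly code, and the message table is this example's own.
"""
import re

# Innermost-cause substring -> message an administrator can act on.
ROOT_CAUSE_MESSAGES = [
    ("Keystore was tampered with, or password was incorrect",
     "Password to access the credential store or key store is incorrect."),
    ("ClassNotFoundException",
     "A class named in the configuration could not be loaded; check class-name and module."),
    ("NullPointerException",
     "Required configuration is missing; check that every required attribute "
     "(for example credential-reference) is set."),
]

_CODE_RE = re.compile(r"\b(?:WFLY[A-Z]+|ELY)\d{4,5}\b")          # WFLYELY00004, ELY09506, ...
_EXCEPTION_PREFIX_RE = re.compile(r"^[\w.$]+(?:Exception|Error):\s*")


def failed_response(service, message):
    """Shape of a failed management response (constructed to match the quoted outputs)."""
    return {"outcome": "failed", "rolled-back": True,
            "failure-description": {"WFLYCTL0080: Failed services": {service: message}}}


# Constructed samples, derived from the three reports.
SAMPLE_WRONG_PASSWORD = failed_response(
    "org.wildfly.security.credential-store-client.cs_wrong_key_pass",
    "org.jboss.msc.service.StartException in service org.wildfly.security.credential-store-client."
    "cs_wrong_key_pass: WFLYELY00004: Unable to start the service.\n"
    "Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09506: Cannot read "
    "credential storage file '<data-dir>/cs/ks-pass123.jceks' for the store named 'cs_wrong_key_pass'\n"
    "Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect")

SAMPLE_WRONG_CLASS = failed_response(
    "org.wildfly.security.permission-mapper.permission-mapper",
    "org.jboss.msc.service.StartException in service org.wildfly.security.permission-mapper."
    "permission-mapper: WFLYELY00021: Exception while creating the permission object for the "
    "permission mapping. Please check [class-name], [target-name] (name of permission) and [action] "
    "of [WrongClass].\n"
    "Caused by: org.wildfly.security.permission.InvalidPermissionClassException: ELY03015: Could not "
    "load permission class \"WrongClass\"\n"
    "Caused by: java.lang.ClassNotFoundException: WrongClass from [Module "
    "\"org.wildfly.extension.elytron:main\" from local module loader (roots: <module-dirs>)]")

SAMPLE_MISSING_CREDENTIAL = failed_response(
    "org.wildfly.security.key-managers.km002",
    "org.jboss.msc.service.StartException in service org.wildfly.security.key-managers.km002: "
    "Failed to start service\nCaused by: java.lang.NullPointerException")


def cause_chain(service_message):
    """Split a StartException message on 'Caused by:', outermost first."""
    return [part.strip() for part in service_message.split("Caused by:") if part.strip()]


def root_cause(service_message):
    """The innermost cause, which is what the administrator actually has to fix."""
    return cause_chain(service_message)[-1]


def error_codes(service_message):
    """All WFLY*/ELY message codes in the chain, in order, without duplicates."""
    seen = []
    for code in _CODE_RE.findall(service_message):
        if code not in seen:
            seen.append(code)
    return seen


def friendly_message(service_message):
    """Map the root cause to an action; otherwise return its first line with
    the Java exception class name stripped."""
    root = root_cause(service_message)
    for needle, text in ROOT_CAUSE_MESSAGES:
        if needle in root:
            return text
    return _EXCEPTION_PREFIX_RE.sub("", root.splitlines()[0])


def summarize_failure(response):
    """{service name: friendly message} for a failed management response."""
    if response.get("outcome") != "failed":
        return {}
    failed = response.get("failure-description", {}).get("WFLYCTL0080: Failed services", {})
    return {service: friendly_message(message) for service, message in failed.items()}


if __name__ == "__main__":
    for sample in (SAMPLE_WRONG_PASSWORD, SAMPLE_WRONG_CLASS, SAMPLE_MISSING_CREDENTIAL):
        for service, text in summarize_failure(sample).items():
            codes = error_codes(sample["failure-description"]["WFLYCTL0080: Failed services"][service])
            print("%s: %s  [%s]" % (service, text, ", ".join(codes)))
```

The message codes are kept alongside the friendly text because they are the stable handle for searching documentation, while the raw chain (paths, module loader identities) stays in the server log where it belongs.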
[JBoss JIRA] (WFLY-7578) Inconsistencies in using fileType/path+relative-to in Elytron XSD/DMR
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-7578?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-7578:
-----------------------------------
Fix Version/s: 11.0.0.Alpha1
> Inconsistencies in using fileType/path+relative-to in Elytron XSD/DMR
> ---------------------------------------------------------------------
>
> Key: WFLY-7578
> URL: https://issues.jboss.org/browse/WFLY-7578
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Kotek
> Assignee: Darran Lofthouse
> Labels: user_experience
> Fix For: 11.0.0.Alpha1
>
>
> *Issue description:*
> In _wildfly-elytron_1_0.xsd_, a file type is represented inconsistently. The {{basicFileType}} and {{fileType}} complex types are used, but {{path}} and {{relative-to}} attributes are also used directly ({{providerLoadersType}}, {{kerberosSecurityFactory}}).
> In DMR, a file is represented either as an object (e.g. {{properties-realm}}) or as attributes (e.g. {{filesystem-realm}}, {{key-store}}).
> *Suggestions for improvement:*
> The file representation should be consistent in XSD/DMR.
--
[JBoss JIRA] (WFLY-7582) Wrong resource and operation descriptions for Elytron filesystem-realm in management model and XSD
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-7582?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-7582:
-----------------------------------
Summary: Wrong resource and operation descriptions for Elytron filesystem-realm in management model and XSD (was: Wrong resource and operation descriptions for Elytron filesystem-realm in CLI and XSD)
> Wrong resource and operation descriptions for Elytron filesystem-realm in management model and XSD
> --------------------------------------------------------------------------------------------------
>
> Key: WFLY-7582
> URL: https://issues.jboss.org/browse/WFLY-7582
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> There are some wrong or insufficient resource and operation descriptions for Elytron filesystem-realm in CLI:
> * attribute {{levels}} for filesystem-realm - the description says "The number of levels of directory hashing to apply.", but the created directory structure does not use any hashing. Example of how it works: when levels is set to 3, then for user admin the directory structure and file a/d/m/admin.xml is used. The description of levels should be fixed. This should also be fixed in the XSD.
> * the description of the {{digest}} password encryption/hash mechanism in the {{set-password}} operation for an identity of filesystem-realm says "A password using a salted digest.", which is wrong. It seems to be copy-pasted from {{salted-simple-digest}}.
--
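The `levels` layout described in WFLY-7582 (levels=3, user `admin`, file `a/d/m/admin.xml`) is simple enough to model directly, and the inverse is useful when auditing a realm directory for identity files that sit in the wrong place. The following is an added example and not the WildFly implementation. Two things it assumes because the report does not say: a name shorter than `levels` just stops producing directories early, and identity names containing path separators are rejected; the page says nothing about how the realm itself validates names, so that rejection is a hardening choice of the example only.

```python
"""Where an Elytron filesystem-realm puts an identity's file for a given
``levels`` value, as described in WFLY-7582: levels=3 and user ``admin`` give
``a/d/m/admin.xml``. Added example, not the WildFly implementation.

Assumptions of this example (not stated on the page): names shorter than
``levels`` stop producing directories early, and names that could leave the
realm directory are rejected.
"""
from pathlib import PurePosixPath


def identity_path(root, name, levels):
    """Path of ``name``'s identity file below ``root``.

    The fan-out is one directory per leading character of the name, not a
    hash of it, which is the point WFLY-7582 makes about the description.
    """
    if not name or name in (".", ".."):
        raise ValueError("empty or reserved identity name: %r" % name)
    if any(sep in name for sep in ("/", "\\", "\0")):
        raise ValueError("identity name must not contain path separators: %r" % name)
    if levels < 0:
        raise ValueError("levels must be >= 0, got %d" % levels)
    path = PurePosixPath(root) if root else PurePosixPath()
    for char in name[:levels]:  # assumption: short names simply stop early
        path = path / char
    return path / (name + ".xml")


def relative_identity_path(name, levels):
    """The same location as a string relative to the realm directory."""
    return str(identity_path("", name, levels))


def name_from_path(rel_path, levels):
    """Inverse: recover the identity name from a file found under the realm
    directory and verify it sits where ``identity_path`` would put it.

    Raises ValueError for files the realm would not associate with that name
    (wrong directory prefix), which is what to look for when checking a realm
    directory for stray or misplaced identity files.
    """
    path = PurePosixPath(rel_path)
    if path.is_absolute() or not path.name.endswith(".xml"):
        raise ValueError("not a relative identity file path: %s" % rel_path)
    name = path.name[:-len(".xml")]
    expected = identity_path("", name, levels)
    if path != expected:
        raise ValueError("misplaced identity file %s (expected %s)" % (path, expected))
    return name


if __name__ == "__main__":
    for user, lv in (("admin", 3), ("bob", 5), ("admin", 0)):
        print("levels=%d %-6s -> %s" % (lv, user, relative_identity_path(user, lv)))
```

Because the fan-out follows the leading characters of the name, identities sharing a prefix all land in the same subtree; that is exactly why the reporter objects to calling it "hashing".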
[JBoss JIRA] (WFLY-7590) Inconsistency in attribute name of Elytron name-rewriter/final-name-rewriter
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFLY-7590?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse updated WFLY-7590:
-----------------------------------
Fix Version/s: 11.0.0.Alpha1
> Inconsistency in attribute name of Elytron name-rewriter/final-name-rewriter
> ----------------------------------------------------------------------------
>
> Key: WFLY-7590
> URL: https://issues.jboss.org/browse/WFLY-7590
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
> Fix For: 11.0.0.Alpha1
>
>
> In the Elytron subsystem there are attributes {{name-rewriter}} and {{final-name-rewriter}} which serve the same purpose. Both of them are used for final name rewriting. It can be confusing when two different names are used for the same type of attribute.
> Attribute {{name-rewriter}} is used in:
> * the {{realms}} attribute in {{security-domain}}
> Attribute {{final-name-rewriter}} is used in:
> * {{mechanism-configurations}} in both {{http-authentication-factory}} and {{sasl-authentication-factory}}
> * {{mechanism-realm-configurations}} in {{mechanism-configurations}} in both {{http-authentication-factory}} and {{sasl-authentication-factory}}
> The names {{name-rewriter}} and {{final-name-rewriter}} should be unified for these resources in DMR and also in XSD.
--