[JBoss JIRA] (WFCORE-2228) Propagation of Elytron SecurityIdentities between domain processes
by Darran Lofthouse (JIRA)
Darran Lofthouse created WFCORE-2228:
----------------------------------------
Summary: Propagation of Elytron SecurityIdentities between domain processes
Key: WFCORE-2228
URL: https://issues.jboss.org/browse/WFCORE-2228
Project: WildFly Core
Issue Type: Enhancement
Components: Security
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Priority: Critical
Fix For: 3.0.0.Alpha23
Prior to WildFly Elytron integration the current identity was represented using a Subject; on calls between a host controller and its app server instances, or from one host controller to another, the contents of the Subject would be described so it could be reconstructed at the far side.
This issue is to implement the equivalent behaviour using a WildFly Elytron SecurityIdentity.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (WFLY-7705) LdapRealm - referral mode: direct verification + THROW mode
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFLY-7705?page=com.atlassian.jira.plugin.... ]
Jan Kalina reopened WFLY-7705:
------------------------------
> LdapRealm - referral mode: direct verification + THROW mode
> ------------------------------------------------------------
>
> Key: WFLY-7705
> URL: https://issues.jboss.org/browse/WFLY-7705
> Project: WildFly
> Issue Type: Feature Request
> Components: Security
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Fix For: 11.0.0.Alpha1
>
>
> *1) Logging in as a referral user is still not possible.*
> Currently a referral user can be found by the ldap realm, but his password cannot be verified => logging in is still not possible.
> There are two possible ways to authenticate a user in the ldap realm:
> using direct verification - in this case, after obtaining the referral user, this referral user is used in an LDAP bindRequest against the original LDAP server (not the referenced LDAP server), which results in an invalid credentials bindResponse
> not using direct verification - in this case, after obtaining the referral user, this user is used as part of a baseObject-scope LDAP searchRequest for the password attribute against the original LDAP server (not the referenced LDAP server), which results in a noSuchObject searchResDone.
> Comment [1] says that you are able to log in as a user of the referred server. Can you please share your configuration? Since there is no related documentation, maybe I am doing something wrong in using/not using direct verification.
> *2) Elytron does not handle THROW referral mode*
> In the case where the dir-context uses the THROW referral-mode, com.sun.jndi.ldap.LdapReferralException is not caught in Elytron (which is the LDAP client) and is thrown to the integration tier, which also does not handle it; e.g. when ldap-realm is used for authentication to an application, this results in status code 500 being returned to the application.
> [1] https://issues.jboss.org/browse/WFLY-7322?focusedCommentId=13307815&page=...
> ( Requested in https://issues.jboss.org/browse/JBEAP-6450?focusedCommentId=13323387#comm... )
[JBoss JIRA] (WFCORE-2068) HTTPSConnectionWithCLITestCase and HTTPSManagementInterfaceTestCase Failing Due To Native Protocol Issue
by Jean-Francois Denise (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2068?page=com.atlassian.jira.plugi... ]
Jean-Francois Denise reassigned WFCORE-2068:
--------------------------------------------
Assignee: Darran Lofthouse (was: Jean-Francois Denise)
[~dlofthouse], as soon as the test is un-ignored, the http and https test cases are failing with a 403 error. Seems that something is wrong with security there.
> HTTPSConnectionWithCLITestCase and HTTPSManagementInterfaceTestCase Failing Due To Native Protocol Issue
> --------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2068
> URL: https://issues.jboss.org/browse/WFCORE-2068
> Project: WildFly Core
> Issue Type: Bug
> Components: Remoting, Test Suite
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Blocker
> Fix For: 3.0.0.Alpha23
>
>
> The listed test case is failing during clean up with the following error: -
> {noformat}
> java.io.IOException: java.io.IOException: WFLYPRT0054: Channel closed
> at org.jboss.as.protocol.mgmt.ManagementClientChannelStrategy$Establishing.getChannel(ManagementClientChannelStrategy.java:166)
> at org.jboss.as.controller.client.impl.RemotingModelControllerClient.getOrCreateChannel(RemotingModelControllerClient.java:135)
> at org.jboss.as.controller.client.impl.RemotingModelControllerClient$1.getChannel(RemotingModelControllerClient.java:59)
> at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:135)
> at org.jboss.as.protocol.mgmt.ManagementChannelHandler.executeRequest(ManagementChannelHandler.java:110)
> at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeRequest(AbstractModelControllerClient.java:263)
> at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:168)
> at org.jboss.as.controller.client.impl.AbstractModelControllerClient.executeForResult(AbstractModelControllerClient.java:147)
> at org.jboss.as.controller.client.impl.AbstractModelControllerClient.execute(AbstractModelControllerClient.java:80)
> {noformat}
> The stage of the test using HTTP Upgrade over an HTTPS connection appears to be working fine; the issue is with the native management interface used for test clean up.
[JBoss JIRA] (WFLY-7953) Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-7953?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-7953:
-------------------------------
Description:
Coverity static-analysis scan found String to byte conversions (4 occurrences of {{getBytes()}}) with the default platform encoding in the DefaultSingleSignOnSessionFactory methods.
The following code:
{code:java|title=DefaultSingleSignOnSessionFactory.java}
@Override
public String createLogoutParameter(String sessionId) {
    try {
        Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
        signature.initSign(this.privateKey);
        Base64.Encoder urlEncoder = Base64.getUrlEncoder();
        // getBytes() #1: the platform default charset decides which bytes are signed
        return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        throw new IllegalStateException(e);
    }
}

@Override
public String verifyLogoutParameter(String parameter) {
    String[] parts = parameter.split("\\.");
    if (parts.length != 2) {
        throw new IllegalArgumentException(parameter);
    }
    try {
        // getBytes() #2: encoded with the platform default, then read back as UTF-8
        String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
        Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
        signature.initVerify(this.certificate);
        // getBytes() #3: must produce the same bytes that were signed above
        signature.update(localSessionId.getBytes());
        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
        // getBytes() #4: the Base64url text is decoded from platform-default bytes
        if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
            throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
        }
        return localSessionId;
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        throw new IllegalStateException(e);
    } catch (SignatureException e) {
        throw new IllegalArgumentException(parameter, e);
    }
}
{code}
The encoding should be specified as an argument.
Setting high priority, because once the default platform encoding is set to UTF-16, the functionality need not work as intended, especially when combined with {{asUtf8String()}}, which implies that the intended encoding is UTF-8.
https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=86758...
https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=86758...
was:
Coverity static-analysis scan found String to byte conversions (4 occurrences of {{getBytes()}}) with the default platform encoding in the DefaultSingleSignOnSessionFactory methods.
The following code:
{code:java|title=DefaultSingleSignOnSessionFactory.java}
@Override
public String createLogoutParameter(String sessionId) {
    try {
        Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
        signature.initSign(this.privateKey);
        Base64.Encoder urlEncoder = Base64.getUrlEncoder();
        // getBytes() #1: the platform default charset decides which bytes are signed
        return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        throw new IllegalStateException(e);
    }
}

@Override
public String verifyLogoutParameter(String parameter) {
    String[] parts = parameter.split("\\.");
    if (parts.length != 2) {
        throw new IllegalArgumentException(parameter);
    }
    try {
        // getBytes() #2: encoded with the platform default, then read back as UTF-8
        String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
        Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
        signature.initVerify(this.certificate);
        // getBytes() #3: must produce the same bytes that were signed above
        signature.update(localSessionId.getBytes());
        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
        // getBytes() #4: the Base64url text is decoded from platform-default bytes
        if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
            throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
        }
        return localSessionId;
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        throw new IllegalStateException(e);
    } catch (SignatureException e) {
        throw new IllegalArgumentException(parameter, e);
    }
}
{code}
The encoding should be specified as an argument.
Setting high priority, because once the default platform encoding is set to UTF-16, the functionality need not work as intended, especially when combined with {{asUtf8String()}}, which implies that the intended encoding is UTF-8.
> Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
> -----------------------------------------------------------------------------
>
> Key: WFLY-7953
> URL: https://issues.jboss.org/browse/WFLY-7953
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Coverity static-analysis scan found String to byte conversions (4 occurrences of {{getBytes()}}) with the default platform encoding in the DefaultSingleSignOnSessionFactory methods.
> The following code:
> {code:java|title=DefaultSingleSignOnSessionFactory.java}
> @Override
> public String createLogoutParameter(String sessionId) {
>     try {
>         Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
>         signature.initSign(this.privateKey);
>         Base64.Encoder urlEncoder = Base64.getUrlEncoder();
>         // getBytes() #1: the platform default charset decides which bytes are signed
>         return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
>     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
>         throw new IllegalStateException(e);
>     }
> }
>
> @Override
> public String verifyLogoutParameter(String parameter) {
>     String[] parts = parameter.split("\\.");
>     if (parts.length != 2) {
>         throw new IllegalArgumentException(parameter);
>     }
>     try {
>         // getBytes() #2: encoded with the platform default, then read back as UTF-8
>         String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
>         Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
>         signature.initVerify(this.certificate);
>         // getBytes() #3: must produce the same bytes that were signed above
>         signature.update(localSessionId.getBytes());
>         Base64.Decoder urlDecoder = Base64.getUrlDecoder();
>         // getBytes() #4: the Base64url text is decoded from platform-default bytes
>         if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
>             throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
>         }
>         return localSessionId;
>     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
>         throw new IllegalStateException(e);
>     } catch (SignatureException e) {
>         throw new IllegalArgumentException(parameter, e);
>     }
> }
> {code}
> The encoding should be specified as an argument.
> Setting high priority, because once the default platform encoding is set to UTF-16, the functionality need not work as intended, especially when combined with {{asUtf8String()}}, which implies that the intended encoding is UTF-8.
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=86758...
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=86758...
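To make the Coverity finding concrete, here is an added stand-alone example; it is not WildFly or Elytron code and uses the plain java.security API instead of Elytron's ByteIterator. The generated RSA key pair, the algorithm name SHA256withRSA (the real DEFAULT_SIGNATURE_ALGORITHM is not shown on the page) and the sample session id are assumptions for the demonstration. The extra Charset parameter stands in for the JVM's platform default: when the JVM that issues the logout parameter encodes the session id with UTF-16 and the JVM that verifies it encodes with UTF-8, Signature.update() is fed different bytes from the ones that were signed, so verification fails even though the id and the key are identical. The two-argument overloads are the hardened form, pinning StandardCharsets.UTF_8 at every String-to-byte[] boundary, which is the change the issue asks for.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

/**
 * Added example, not WildFly/Elytron code. Signs a logout parameter of the form
 * "<sessionId>.<base64url signature>" and verifies it, with the String -> byte[]
 * conversion made explicit. The 'charset' argument simulates the platform default
 * that the bare getBytes() calls in DefaultSingleSignOnSessionFactory rely on.
 */
public class LogoutParameterCharsetDemo {

    // Assumption: the factory's real DEFAULT_SIGNATURE_ALGORITHM is not shown in the issue.
    static final String SIGNATURE_ALGORITHM = "SHA256withRSA";

    /** Hardened form: the signed bytes are always the UTF-8 encoding of the session id. */
    static String createLogoutParameter(String sessionId, PrivateKey key)
            throws GeneralSecurityException {
        return createLogoutParameter(sessionId, key, StandardCharsets.UTF_8);
    }

    /** Same logic with the charset exposed, so a mismatched platform default can be simulated. */
    static String createLogoutParameter(String sessionId, PrivateKey key, Charset charset)
            throws GeneralSecurityException {
        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initSign(key);
        signature.update(sessionId.getBytes(charset));
        // Base64url without padding keeps '.', '=' and '/' out of the token.
        String encodedSig = Base64.getUrlEncoder().withoutPadding().encodeToString(signature.sign());
        return sessionId + "." + encodedSig;
    }

    /** Hardened verifier: returns the session id, or throws if the signature does not match. */
    static String verifyLogoutParameter(String parameter, PublicKey key)
            throws GeneralSecurityException {
        return verifyLogoutParameter(parameter, key, StandardCharsets.UTF_8);
    }

    static String verifyLogoutParameter(String parameter, PublicKey key, Charset charset)
            throws GeneralSecurityException {
        // Split on the last '.', so a session id that itself contains '.' is not rejected.
        int dot = parameter.lastIndexOf('.');
        if (dot <= 0 || dot == parameter.length() - 1) {
            throw new IllegalArgumentException("expected <sessionId>.<signature>");
        }
        String sessionId = parameter.substring(0, dot);
        // The signature part is ASCII Base64url; decoding the String directly avoids the
        // second charset-dependent getBytes() that the original verifier performs.
        byte[] sig = Base64.getUrlDecoder().decode(parameter.substring(dot + 1));

        Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
        signature.initVerify(key);
        signature.update(sessionId.getBytes(charset));
        if (!signature.verify(sig)) {
            throw new IllegalArgumentException("logout parameter signature is invalid");
        }
        return sessionId;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        // Constructed sample input; any id works, since UTF-16 differs from UTF-8 even for ASCII.
        String sessionId = "a1b2c3-session";

        // Normal case: both sides pin UTF-8.
        String token = createLogoutParameter(sessionId, kp.getPrivate());
        System.out.println("UTF-8 / UTF-8 verified: " + verifyLogoutParameter(token, kp.getPublic()));

        // The failure the issue describes: issuing JVM defaults to UTF-16, verifying JVM to UTF-8.
        String utf16Token = createLogoutParameter(sessionId, kp.getPrivate(), StandardCharsets.UTF_16);
        try {
            verifyLogoutParameter(utf16Token, kp.getPublic(), StandardCharsets.UTF_8);
            System.out.println("UTF-16 / UTF-8 unexpectedly verified");
        } catch (IllegalArgumentException e) {
            System.out.println("UTF-16 / UTF-8 rejected: " + e.getMessage());
        }

        System.out.println("platform default on this JVM: " + Charset.defaultCharset());
    }
}
```

Two details are worth noting when reading the original against this. First, the mismatch does not need non-ASCII session ids: UTF-16 prefixes a byte-order mark and uses two bytes per character, so the signed byte sequence differs for every string. Second, the original also calls {{parts[1].getBytes()}} on the Base64url text before decoding it; under a UTF-16 default those bytes are not valid Base64 input at all, so the verifier fails before the signature is even compared. Passing the String straight to the decoder, as above, removes that conversion entirely.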
[JBoss JIRA] (WFLY-7953) Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
by Martin Choma (JIRA)
Martin Choma created WFLY-7953:
----------------------------------
Summary: Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
Key: WFLY-7953
URL: https://issues.jboss.org/browse/WFLY-7953
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
Coverity static-analysis scan found String to byte conversions (4 occurrences of {{getBytes()}}) with the default platform encoding in the DefaultSingleSignOnSessionFactory methods.
The following code:
{code:java|title=DefaultSingleSignOnSessionFactory.java}
@Override
public String createLogoutParameter(String sessionId) {
    try {
        Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
        signature.initSign(this.privateKey);
        Base64.Encoder urlEncoder = Base64.getUrlEncoder();
        // getBytes() #1: the platform default charset decides which bytes are signed
        return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        throw new IllegalStateException(e);
    }
}

@Override
public String verifyLogoutParameter(String parameter) {
    String[] parts = parameter.split("\\.");
    if (parts.length != 2) {
        throw new IllegalArgumentException(parameter);
    }
    try {
        // getBytes() #2: encoded with the platform default, then read back as UTF-8
        String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
        Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
        signature.initVerify(this.certificate);
        // getBytes() #3: must produce the same bytes that were signed above
        signature.update(localSessionId.getBytes());
        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
        // getBytes() #4: the Base64url text is decoded from platform-default bytes
        if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
            throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
        }
        return localSessionId;
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        throw new IllegalStateException(e);
    } catch (SignatureException e) {
        throw new IllegalArgumentException(parameter, e);
    }
}
{code}
The encoding should be specified as an argument.
Setting high priority, because once the default platform encoding is set to UTF-16, the functionality need not work as intended, especially when combined with {{asUtf8String()}}, which implies that the intended encoding is UTF-8.
[JBoss JIRA] (WFLY-7953) Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-7953?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-7953:
-------------------------------
Affects Version/s: 11.0.0.Alpha1
> Coverity: default platform encoding used in DefaultSingleSignOnSessionFactory
> -----------------------------------------------------------------------------
>
> Key: WFLY-7953
> URL: https://issues.jboss.org/browse/WFLY-7953
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Coverity static-analysis scan found String to byte conversions (4 occurrences of {{getBytes()}}) with the default platform encoding in the DefaultSingleSignOnSessionFactory methods.
> The following code:
> {code:java|title=DefaultSingleSignOnSessionFactory.java}
> @Override
> public String createLogoutParameter(String sessionId) {
>     try {
>         Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
>         signature.initSign(this.privateKey);
>         Base64.Encoder urlEncoder = Base64.getUrlEncoder();
>         // getBytes() #1: the platform default charset decides which bytes are signed
>         return sessionId + "." + ByteIterator.ofBytes(urlEncoder.encode(ByteIterator.ofBytes(sessionId.getBytes()).sign(signature).drain())).asUtf8String().drainToString();
>     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
>         throw new IllegalStateException(e);
>     }
> }
>
> @Override
> public String verifyLogoutParameter(String parameter) {
>     String[] parts = parameter.split("\\.");
>     if (parts.length != 2) {
>         throw new IllegalArgumentException(parameter);
>     }
>     try {
>         // getBytes() #2: encoded with the platform default, then read back as UTF-8
>         String localSessionId = ByteIterator.ofBytes(parts[0].getBytes()).asUtf8String().drainToString();
>         Signature signature = Signature.getInstance(DEFAULT_SIGNATURE_ALGORITHM);
>         signature.initVerify(this.certificate);
>         // getBytes() #3: must produce the same bytes that were signed above
>         signature.update(localSessionId.getBytes());
>         Base64.Decoder urlDecoder = Base64.getUrlDecoder();
>         // getBytes() #4: the Base64url text is decoded from platform-default bytes
>         if (!ByteIterator.ofBytes(urlDecoder.decode(parts[1].getBytes())).verify(signature)) {
>             throw log.httpMechSsoInvalidLogoutMessage(localSessionId);
>         }
>         return localSessionId;
>     } catch (NoSuchAlgorithmException | InvalidKeyException e) {
>         throw new IllegalStateException(e);
>     } catch (SignatureException e) {
>         throw new IllegalArgumentException(parameter, e);
>     }
> }
> {code}
> The encoding should be specified as an argument.
> Setting high priority, because once the default platform encoding is set to UTF-16, the functionality need not work as intended, especially when combined with {{asUtf8String()}}, which implies that the intended encoding is UTF-8.