[JBoss JIRA] (WFLY-2129) @WebContext on EJB results in Web Service endpoints that honor neither method-level authorization nor general authorization configuration
by RH Bugzilla Integration (JIRA)
[ https://issues.jboss.org/browse/WFLY-2129?page=com.atlassian.jira.plugin.... ]
RH Bugzilla Integration commented on WFLY-2129:
-----------------------------------------------
Petr Penicka <ppenicka(a)redhat.com> changed the Status of [bug 1206657|https://bugzilla.redhat.com/show_bug.cgi?id=1206657] from VERIFIED to CLOSED
> @WebContext on EJB results in Web Service endpoints that honor neither method-level authorization nor general authorization configuration
> -----------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-2129
> URL: https://issues.jboss.org/browse/WFLY-2129
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Web Services
> Affects Versions: 8.0.0.Alpha4
> Environment: Mac OS X
> Reporter: Nicky Mølholm
> Assignee: Jim Ma
>
> Using @WebContext on EJB Web service endpoints results in the following two "bugs":
> - Normal EJB security annotations on methods are not honored
> - The EJB container does not get a chance to honor the 'missing-method-permissions-deny-access' element in jboss-ejb3.xml, standalone.xml (etc)
> A simple EJB with a Web service view can illustrate the first problem:
> {code:java}
> import javax.annotation.security.PermitAll;
> import javax.annotation.security.RolesAllowed;
> import javax.ejb.Stateless;
> import javax.jws.WebService;
> import org.jboss.ejb3.annotation.SecurityDomain;
>
> @Stateless
> @WebService
> @SecurityDomain("other")
> @org.jboss.ws.api.annotation.WebContext(contextRoot = "/greeterCtx", urlPattern = "/Greeter", authMethod = "BASIC", secureWSDLAccess = false)
> public class Greeter {
>     @PermitAll // <-- This doesn't work
>     //@RolesAllowed("SECRET_CLIENT_ROLE") // <-- Neither does this!
>     // <--- unless you put them on class level
>     public String sayHello(String name) {
>         System.out.println("******** Greeter.sayHello(" + name + ")");
>         return "Hello " + name;
>     }
> }
> {code}
> So the problem here is that you are not allowed to invoke the Web Service operation (sayHello). Add to that a completely silent behavior. No stack traces. No trace logging. Nothing.
>
> Now if you take this EJB, remove the @PermitAll (and @RolesAllowed, if any) annotation, and set 'false' in jboss-ejb3.xml#missing-method-permissions-deny-access, then you are not allowed to call the EJB either.
> These are my observations obtained from browsing through the source and playing around with the debugger:
> - When you add the @WebContext(authMethod = "BASIC") annotation on an EJB, you effectively enable authorization logic in addition to authentication logic. This authorization code lives in Web container code (in code from the "jboss web" project). Not in the EJB container - which otherwise is responsible for honoring the @PermitAll,@DenyAll,@RolesAllowed annotations in addition to the 'missing-method-permissions-deny-access' element.
> - This web layer code silently rejects access to methods exposed through the EJB web service view if there are no security annotations on the EJB bean class
> -- You can put @RolesAllowed or @PermitAll on your EJB's web service view methods - but they are never honored by JBoss AS
> -- ...But: if you put these annotations on your bean class, then access is granted as expected
> - You can set 'missing-method-permissions-deny-access' to false (in JBoss AS' profile configuration file or the JBoss AS specific module DD file) - but it is never used by JBoss AS
>
> Proposed solution:
> If the upper Web container layer can correctly propagate the method invocation to the EJB container, then the appropriate authorization checks will follow, ultimately fixing these issues.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 5 months
[JBoss JIRA] (JGRP-2152) ASYM_ENCRYPT failure on Wildfly 10.1.0
by Bela Ban (JIRA)
[ https://issues.jboss.org/browse/JGRP-2152?page=com.atlassian.jira.plugin.... ]
Bela Ban resolved JGRP-2152.
----------------------------
Resolution: Won't Fix
Works with JGroups 3.6.12 or 4.0
> ASYM_ENCRYPT failure on Wildfly 10.1.0
> --------------------------------------
>
> Key: JGRP-2152
> URL: https://issues.jboss.org/browse/JGRP-2152
> Project: JGroups
> Issue Type: Bug
> Affects Versions: 3.6.10
> Reporter: Matt Wringe
> Assignee: Bela Ban
> Fix For: 4.0, 3.6.13
>
> Attachments: hawkular-metrics-1.log, hawkular-metrics-2.log, org.jboss.as.test.clustering.cluster.cdi.CdiFailoverTestCase-SYNC-tcp-output-clean.txt, org.jboss.as.test.clustering.cluster.cdi.CdiFailoverTestCase-SYNC-tcp-output-clean2.txt, org.jboss.as.test.clustering.cluster.cdi.CdiFailoverTestCase-SYNC-tcp-output.txt, standalone.xml
>
>
> Using ASYM_ENCRYPT on Wildfly 10.1.0 seems to be broken.
> I am using the parameters for ASYM_ENCRYPT specified in http://www.jgroups.org/manual/index.html#Security
> Note: running with SYM_ENCRYPT doesn't cause any issues and it works fine with my setup. It's only ASYM_ENCRYPT which is currently failing.
> Note: running this on EAP fails in a similar manner.
> Eg:
> <protocol type="ASYM_ENCRYPT">
> <property name="encrypt_entire_message">true</property>
> <property name="sym_keylength">128</property>
> <property name="sym_algorithm">AES/ECB/PKCS5Padding</property>
> <property name="asym_keylength">512</property>
> <property name="asym_algorithm">RSA</property>
> </protocol>
> If I run a single instance, then I don't see any problems appear in the logs. It's when I start a second instance that I start to see errors about unrecognised ciphers and timeouts.
[JBoss JIRA] (JGRP-2152) ASYM_ENCRYPT failure on Wildfly 10.1.0
by Richard Achmatowicz (JIRA)
[ https://issues.jboss.org/browse/JGRP-2152?page=com.atlassian.jira.plugin.... ]
Richard Achmatowicz commented on JGRP-2152:
-------------------------------------------
I guess you can, Bela. I'm looking into whether I have to create an issue for Wildfly 10.1.x, and Michal has already created a few issues for the EAP 7.1 DR builds resulting from the test he added.
> ASYM_ENCRYPT failure on Wildfly 10.1.0
> --------------------------------------
>
> Key: JGRP-2152
> URL: https://issues.jboss.org/browse/JGRP-2152
> Project: JGroups
> Issue Type: Bug
> Affects Versions: 3.6.10
> Reporter: Matt Wringe
> Assignee: Bela Ban
> Fix For: 4.0, 3.6.13
>
> Attachments: hawkular-metrics-1.log, hawkular-metrics-2.log, org.jboss.as.test.clustering.cluster.cdi.CdiFailoverTestCase-SYNC-tcp-output-clean.txt, org.jboss.as.test.clustering.cluster.cdi.CdiFailoverTestCase-SYNC-tcp-output-clean2.txt, org.jboss.as.test.clustering.cluster.cdi.CdiFailoverTestCase-SYNC-tcp-output.txt, standalone.xml
>
>
> Using ASYM_ENCRYPT on Wildfly 10.1.0 seems to be broken.
> I am using the parameters for ASYM_ENCRYPT specified in http://www.jgroups.org/manual/index.html#Security
> Note: running with SYM_ENCRYPT doesn't cause any issues and it works fine with my setup. It's only ASYM_ENCRYPT which is currently failing.
> Note: running this on EAP fails in a similar manner.
> Eg:
> <protocol type="ASYM_ENCRYPT">
> <property name="encrypt_entire_message">true</property>
> <property name="sym_keylength">128</property>
> <property name="sym_algorithm">AES/ECB/PKCS5Padding</property>
> <property name="asym_keylength">512</property>
> <property name="asym_algorithm">RSA</property>
> </protocol>
> If I run a single instance, then I don't see any problems appear in the logs. It's when I start a second instance that I start to see errors about unrecognised ciphers and timeouts.
[JBoss JIRA] (WFLY-7895) NPE thrown in jboss-cli while defining already defined StringListType attribute
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFLY-7895?page=com.atlassian.jira.plugin.... ]
Brian Stansberry commented on WFLY-7895:
----------------------------------------
Please move this to WFCORE. Tab completion is a client side issue so CLI component only. Please assign to Jean-Francois Denise.
> NPE thrown in jboss-cli while defining already defined StringListType attribute
> -------------------------------------------------------------------------------
>
> Key: WFLY-7895
> URL: https://issues.jboss.org/browse/WFLY-7895
> Project: WildFly
> Issue Type: Bug
> Components: CLI, Security
> Reporter: Jan Tymel
> Assignee: Jason Greene
>
> A NullPointerException is thrown when a user tries to define an already defined (i.e. previously in the current command) StringListType attribute. This attempt results in the following stack trace and termination of jboss-cli.
> {code}
> /subsystem=elytron/provider-loader=providerLoader:add(providers=[{class-names=[com.example.Class]},class-names=[{com.example.AnotherClass}
> Exception in thread "Aesh Process Loop 749282235" java.lang.NullPointerException
> at org.jboss.as.cli.impl.DeploymentItemCompleter.getCandidates(DeploymentItemCompleter.java:80)
> at org.jboss.as.cli.impl.DeploymentItemCompleter.complete(DeploymentItemCompleter.java:53)
> at org.jboss.as.cli.impl.ValueTypeCompleter$ValueTypeCallbackHandler.getCandidatesFromMetadata(ValueTypeCompleter.java:433)
> at org.jboss.as.cli.impl.ValueTypeCompleter$ValueTypeCallbackHandler.getSimpleValues(ValueTypeCompleter.java:690)
> at org.jboss.as.cli.impl.ValueTypeCompleter$ValueTypeCallbackHandler.getCandidates(ValueTypeCompleter.java:573)
> at org.jboss.as.cli.impl.ValueTypeCompleter.complete(ValueTypeCompleter.java:346)
> at org.jboss.as.cli.operation.OperationRequestCompleter.complete(OperationRequestCompleter.java:276)
> at org.jboss.as.cli.operation.OperationRequestCompleter.complete(OperationRequestCompleter.java:89)
> at org.jboss.as.cli.CommandCompleter.doComplete(CommandCompleter.java:137)
> at org.jboss.as.cli.CommandCompleter.complete(CommandCompleter.java:64)
> at org.jboss.as.cli.impl.Console$Factory$1$1.complete(Console.java:143)
> at org.jboss.aesh.console.AeshCompletionHandler.complete(AeshCompletionHandler.java:155)
> at org.jboss.aesh.console.AeshInputProcessor.complete(AeshInputProcessor.java:429)
> at org.jboss.aesh.console.AeshInputProcessor.parseOperation(AeshInputProcessor.java:166)
> at org.jboss.aesh.console.Console.processInternalOperation(Console.java:775)
> at org.jboss.aesh.console.Console.execute(Console.java:735)
> at org.jboss.aesh.console.Console.access$900(Console.java:73)
> at org.jboss.aesh.console.Console$6.run(Console.java:644)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> Expected result:
> No NPE thrown, jboss-cli is not terminated.
[JBoss JIRA] (WFLY-7896) CME and NPE in Artemis integration seen in test run
by Jeff Mesnil (JIRA)
[ https://issues.jboss.org/browse/WFLY-7896?page=com.atlassian.jira.plugin.... ]
Jeff Mesnil commented on WFLY-7896:
-----------------------------------
This issue is caused by ARTEMIS-926 (https://issues.apache.org/jira/browse/ARTEMIS-926)
link to Apache JIRA does not work at the moment...
> CME and NPE in Artemis integration seen in test run
> ---------------------------------------------------
>
> Key: WFLY-7896
> URL: https://issues.jboss.org/browse/WFLY-7896
> Project: WildFly
> Issue Type: Bug
> Components: JMS
> Reporter: David Lloyd
> Assignee: Jeff Mesnil
>
> The exception of note was:
> {noformat}
> ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 64) MSC000001: Failed to start service jboss.messaging-activemq.default.jms.manager: org.jboss.msc.service.StartException in service jboss.messaging-activemq.default.jms.manager: WFLYMSGAMQ0033: Failed to start service
> at org.wildfly.extension.messaging.activemq.jms.JMSService.doStart(JMSService.java:203)
> at org.wildfly.extension.messaging.activemq.jms.JMSService.access$000(JMSService.java:63)
> at org.wildfly.extension.messaging.activemq.jms.JMSService$1.run(JMSService.java:97)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: java.util.ConcurrentModificationException
> at java.util.Hashtable$Enumerator.next(Hashtable.java:1367)
> at org.apache.activemq.artemis.core.config.impl.ConfigurationImpl.parseSystemProperties(ConfigurationImpl.java:308)
> at org.apache.activemq.artemis.core.config.impl.ConfigurationImpl.parseSystemProperties(ConfigurationImpl.java:299)
> at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.internalStart(ActiveMQServerImpl.java:488)
> at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.start(ActiveMQServerImpl.java:466)
> at org.apache.activemq.artemis.jms.server.impl.JMSServerManagerImpl.start(JMSServerManagerImpl.java:412)
> at org.wildfly.extension.messaging.activemq.jms.JMSService.doStart(JMSService.java:199)
> ... 8 more
> {noformat}
> The build was https://ci.wildfly.org/viewLog.html?buildTypeId=WildFlyProject_Elytron_Wi... which is a topic branch for Elytron integration.
[JBoss JIRA] (ELY-862) Elytron dir-context supports only plaintext password
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-862?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina edited comment on ELY-862 at 1/17/17 10:32 AM:
----------------------------------------------------------
As discussed, *AuthenticationContext* should be used instead - *reopened*.
(it contains AuthenticationConfiguration instances that can be backed by a CredentialSource backed by a CredentialStore)
was (Author: honza889):
As discussed, *AuthenticationContext* should be used instead.
(it contains AuthenticationConfiguration instances that can be backed by a CredentialSource backed by a CredentialStore)
> Elytron dir-context supports only plaintext password
> ----------------------------------------------------
>
> Key: ELY-862
> URL: https://issues.jboss.org/browse/ELY-862
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Realms
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Priority: Blocker
>
> Only a plaintext password can currently be configured in the Elytron dir-context resource. Any integration with the credential store is missing.
> We request Blocker priority since it seems that there is currently no way to provide a non-plaintext password for dir-context in the server configuration.
[JBoss JIRA] (JBAS-7853) Migrate sessions that use jvmRoute to nodes where they are local cached
by RH Bugzilla Integration (JIRA)
[ https://issues.jboss.org/browse/JBAS-7853?page=com.atlassian.jira.plugin.... ]
RH Bugzilla Integration commented on JBAS-7853:
-----------------------------------------------
Petr Penicka <ppenicka(a)redhat.com> changed the Status of [bug 1233400|https://bugzilla.redhat.com/show_bug.cgi?id=1233400] from VERIFIED to CLOSED
> Migrate sessions that use jvmRoute to nodes where they are local cached
> -----------------------------------------------------------------------
>
> Key: JBAS-7853
> URL: https://issues.jboss.org/browse/JBAS-7853
> Project: Application Server 3 4 5 and 6
> Issue Type: Task
> Components: Clustering, Web (Tomcat) service
> Reporter: Brian Stansberry
> Assignee: Paul Ferraro
> Fix For: 6.0.0.CR1
>
>
> Detect situation where a session is not stored locally in infinispan on the node that is servicing it. (This could happen with DIST following a rehash). If detected, determine the jvmRoute of a node where the session is local. Change the jvmRoute of session cookie to that node, which will trigger the next request going there.
> Note that this requires that the request that is changing the jvmRoute also replicates the session synchronously.
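The routing decision JBAS-7853 asks for, modelled in Python as an added example (this is not the Application Server's implementation). It assumes the Tomcat-style cookie value `<sessionId>.<jvmRoute>`, a constructed map of which session ids each node holds locally in its Infinispan cache, and a constructed node-to-jvmRoute map; the "nobody holds it locally" branch is an assumption about the edge case the ticket does not spell out.

```python
"""Model of the jvmRoute-based session migration JBAS-7853 describes.

Added illustration; this is not the Application Server's own implementation.
Constructed assumptions:
  - the session cookie value is '<sessionId>.<jvmRoute>' (Tomcat convention);
  - local_sessions records which session ids each node's Infinispan cache holds
    locally (a DIST rehash may have moved a session away from the serving node);
  - jvm_routes maps node name -> jvmRoute of that node.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ROUTED_ID = re.compile(r"^(?P<sid>[^.]+)(?:\.(?P<route>[^.]+))?$")

# Constructed cluster state.
JVM_ROUTES: Dict[str, str] = {"node1": "n1", "node2": "n2", "node3": "n3"}
LOCAL_SESSIONS: Dict[str, Set[str]] = {
    "node1": {"s100"},
    "node2": {"s100", "s200"},
    "node3": {"s200"},
}


@dataclass(frozen=True)
class Decision:
    cookie_value: str     # session cookie value to send back to the client
    target_node: str      # node the next request will reach via the load balancer
    migrated: bool        # True when the jvmRoute suffix was rewritten
    replicate_sync: bool  # True when this request must replicate the session synchronously


def split_routed_id(value: str) -> Tuple[str, Optional[str]]:
    """Split 'abc.n1' into ('abc', 'n1'); a bare id has no route."""
    m = ROUTED_ID.match(value)
    if not m:
        raise ValueError("unexpected session cookie value: %r" % value)
    return m.group("sid"), m.group("route")


def decide(cookie_value: str, serving_node: str,
           jvm_routes: Dict[str, str] = JVM_ROUTES,
           local_sessions: Dict[str, Set[str]] = LOCAL_SESSIONS) -> Decision:
    """Detect a non-local session and, if another node holds it, re-route the client."""
    sid, _ = split_routed_id(cookie_value)
    if sid in local_sessions.get(serving_node, set()):
        # Session is cached locally here: keep the current affinity.
        return Decision(cookie_value, serving_node, False, False)
    owners = sorted(n for n, ids in local_sessions.items() if sid in ids)
    if not owners:
        # Assumption: nobody holds it locally (new session or mid-rehash), so do not
        # redirect the client to a node that is no better placed than this one.
        return Decision(cookie_value, serving_node, False, False)
    target = owners[0]  # deterministic choice among the nodes holding it locally
    # Rewrite the route so the balancer sends the next request to that owner. The
    # state this request changes must already be on the target when the next
    # request arrives there, hence the synchronous replication flag.
    return Decision("%s.%s" % (sid, jvm_routes[target]), target, True, True)


if __name__ == "__main__":
    print(decide("s200.n1", "node1"))  # migrates s200 to node2's route
    print(decide("s100.n1", "node1"))  # already local: unchanged
```

Note the ordering the ticket insists on: a `Decision` with `replicate_sync` set must replicate before the response carrying the new cookie is sent, or the re-routed request can read stale session state on the target node.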
[JBoss JIRA] (WFLY-7897) LdapRealm - wrong behavior of {0} wildcard on role-recursion
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFLY-7897?page=com.atlassian.jira.plugin.... ]
Jan Kalina moved ELY-882 to WFLY-7897:
--------------------------------------
Project: WildFly (was: WildFly Elytron)
Key: WFLY-7897 (was: ELY-882)
Component/s: Security
(was: Realms)
Affects Version/s: (was: 1.1.0.Beta19)
> LdapRealm - wrong behavior of {0} wildcard on role-recursion
> ------------------------------------------------------------
>
> Key: WFLY-7897
> URL: https://issues.jboss.org/browse/WFLY-7897
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Jan Kalina
> Assignee: Jan Kalina
>
> The wildcard {0} is replaced by the username in filter-name in the filtering attribute mapping.
> That is correct for the search of identity roles, but wrong for the search of a role's roles on role-recursion. In that case it should be replaced by the name of that role.
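The substitution rule WFLY-7897 describes, modelled in Python as an added example (not WildFly Elytron's code): a role filter template containing {0}, searched once for the identity and then again for each role found. The in-memory directory, the `member` values being plain names, and the tiny filter evaluator are constructed for the example; `substitute_username_only=True` reproduces the reported behaviour, and the RFC 4515 escaping shows why the substituted name must never reach the filter raw.

```python
"""Model of an LdapRealm-style role search driven by a {0} filter template.

Added illustration; this is not WildFly Elytron's code. Assumptions:
  - a role filter template containing {0}, as WFLY-7897 describes;
  - a constructed in-memory directory standing in for the LDAP server, with
    roles as groupOfNames entries whose 'member' values are plain names.
"""
import re
from typing import Dict, List, Set

Entry = Dict[str, Set[str]]

# Constructed sample directory: alice -> dev -> staff (staff is only reachable via dev).
DIRECTORY: List[Entry] = [
    {"objectClass": {"groupOfNames"}, "cn": {"dev"}, "member": {"alice"}},
    {"objectClass": {"groupOfNames"}, "cn": {"staff"}, "member": {"dev"}},
    {"objectClass": {"groupOfNames"}, "cn": {"ops"}, "member": {"bob"}},
    {"objectClass": {"inetOrgPerson"}, "uid": {"alice"}},
]
ROLE_FILTER = "(&(objectClass=groupOfNames)(member={0}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a name cannot inject filter syntax such as '*' or ')'."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def render_filter(template: str, value: str, escape: bool = True) -> str:
    """Substitute {0}; escape=False exists only to show why escaping is required."""
    return template.replace("{0}", escape_filter_value(value) if escape else value)


def split_subfilters(body: str) -> List[str]:
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'] by tracking parenthesis depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry: Entry, filt: str) -> bool:
    """Evaluate a filter restricted to (attr=value), '*' wildcards and (&(..)(..))."""
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("malformed filter: %r" % filt)
    body = filt[1:-1]
    if body.startswith("&"):
        return all(matches(entry, sub) for sub in split_subfilters(body[1:]))
    attr, _, raw = body.partition("=")
    pieces = [unescape_filter_value(p) for p in raw.split("*")]  # an unescaped '*' is a wildcard
    values = entry.get(attr, set())
    if len(pieces) == 1:
        return pieces[0] in values
    pattern = re.compile(".*".join(re.escape(p) for p in pieces) + "$")
    return any(pattern.match(v) for v in values)


def roles_of(username: str, *, recursive: bool = True, substitute_username_only: bool = False,
             escape: bool = True, directory: List[Entry] = DIRECTORY,
             template: str = ROLE_FILTER) -> List[str]:
    """Return the role names granted to username.

    Correct behaviour: when recursing, {0} is replaced by the name of the role
    whose parent roles are being searched.  substitute_username_only=True keeps
    {0} bound to the username at every step (what WFLY-7897 reports), so roles
    nested under a role are never found.
    """
    roles: List[str] = []
    queue = [username]
    while queue:
        subject = queue.pop(0)
        filt = render_filter(template, username if substitute_username_only else subject, escape)
        for entry in directory:
            if matches(entry, filt):
                role = next(iter(entry["cn"]))
                if role not in roles:
                    roles.append(role)
                    if recursive:
                        queue.append(role)
    return roles


if __name__ == "__main__":
    print("correct:", roles_of("alice"))                                      # ['dev', 'staff']
    print("username-only:", roles_of("alice", substitute_username_only=True))  # ['dev']
```

With the username bound at every step the second search simply repeats the first, so `staff` is never reached; binding the current role's name is what makes the recursion terminate with the transitive closure. The `roles` list doubles as the visited set, which also stops a cyclic group membership from looping.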