[JBoss JIRA] (WFLY-9273) Referral mode 'throw' for searching groups in legacy LDAP realm causes NPE
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFLY-9273?page=com.atlassian.jira.plugin.... ]
Brian Stansberry closed WFLY-9273.
----------------------------------
Resolution: Migrated to another ITS
> Referral mode 'throw' for searching groups in legacy LDAP realm causes NPE
> --------------------------------------------------------------------------
>
> Key: WFLY-9273
> URL: https://issues.jboss.org/browse/WFLY-9273
> Project: WildFly
> Issue Type: Bug
> Components: Domain Management, Security
> Affects Versions: 11.0.0.CR1
> Reporter: Jiri Ondrusek
> Assignee: Jiri Ondrusek
> Labels: eap72
>
> When referral mode 'throw' is configured for LDAP outbound connection which is used by legacy LDAP security realm and its groups are assigned through principal-to-group LDAP authorization then it finishes with NPE. It causes that Management Console returns status 500 when referral mode 'throw' is used for group searching user includes referral role.
> It can be reproduced by using configuration from [1] with referral mode 'throw'.
> Thrown exception on trace level:
> {code}
> TRACE [org.wildfly.security] (management task-1) BASIC: org.wildfly.security.http.HttpAuthenticationException: org.wildfly.security.http.HttpAuthenticationException: org.wildfly.security.auth.server.RealmUnavailableException: java.io.IOException: java.lang.NullPointerException
> at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:176)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
> at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.wildfly.security.http.HttpAuthenticationException: org.wildfly.security.auth.server.RealmUnavailableException: java.io.IOException: java.lang.NullPointerException
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authorize(UsernamePasswordAuthenticationMechanism.java:98)
> at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:154)
> ... 12 more
> Caused by: org.wildfly.security.auth.server.RealmUnavailableException: java.io.IOException: java.lang.NullPointerException
> at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$SecurityRealmImpl$RealmIdentityImpl.getGroups(LdapSubjectSupplementalService.java:336)
> at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$SecurityRealmImpl$RealmIdentityImpl.getAuthorizationIdentity(LdapSubjectSupplementalService.java:319)
> at org.wildfly.security.auth.realm.AggregateSecurityRealm$Identity.getAuthorizationIdentity(AggregateSecurityRealm.java:157)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.doAuthorization(ServerAuthenticationContext.java:1797)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.authorize(ServerAuthenticationContext.java:1826)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:477)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:472)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:757)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:735)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authorize(UsernamePasswordAuthenticationMechanism.java:92)
> ... 13 more
> Caused by: java.io.IOException: java.lang.NullPointerException
> at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroups(LdapSubjectSupplementalService.java:203)
> at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$SecurityRealmImpl$RealmIdentityImpl.getGroups(LdapSubjectSupplementalService.java:334)
> ... 23 more
> Caused by: java.lang.NullPointerException
> at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:315)
> at org.jboss.as.domain.management.security.LdapGroupSearcherFactory$PrincipalToGroupSearcher.search(LdapGroupSearcherFactory.java:221)
> at org.jboss.as.domain.management.security.LdapCacheService$NoCacheCache.search(LdapCacheService.java:225)
> at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroupEntries(LdapSubjectSupplementalService.java:250)
> at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroups(LdapSubjectSupplementalService.java:227)
> at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroups(LdapSubjectSupplementalService.java:220)
> at org.jboss.as.domain.management.security.LdapSubjectSupplementalService$LdapGroupSearcher.loadGroups(LdapSubjectSupplementalService.java:194)
> ... 24 more
> {code}
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1417272#c1
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Martin Choma edited comment on WFCORE-3421 at 11/16/17 12:56 PM:
-----------------------------------------------------------------
These are attributes in elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
Examples where setting an attribute to it's default value does mean that it's required attribute must also be defined:
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{search-recursive=false}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].filter' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].search-recursive' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{role-recursion-name=cn}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].role-recursion' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].role-recursion-name' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=a:add(sasl-server-factory=elytron,filters=[{provider-name=a, version-comparison=less-than}]
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'filters[0].provider-version' needs to be set or passed before attribute 'filters[0].version-comparison' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
On the other hand if I omit these attributes in CLI (role-recursion-name, search-recursive, version-comparison, required), so actually let default value to be applied, then CLI command is not failing on that error
was (Author: mchoma):
These are attributes in elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
Examples where setting an attribute to it's default value does mean that it's required attribute must also be defined:
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{search-recursive=false}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].filter' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].search-recursive' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{role-recursion-name=cn}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].role-recursion' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].role-recursion-name' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=a:add(sasl-server-factory=elytron,filters=[{provider-name=a, version-comparison=less-than}]
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'filters[0].provider-version' needs to be set or passed before attribute 'filters[0].version-comparison' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (DROOLS-1962) [DMN Editor] Decision service
by Jozef Marko (JIRA)
[ https://issues.jboss.org/browse/DROOLS-1962?page=com.atlassian.jira.plugi... ]
Jozef Marko updated DROOLS-1962:
--------------------------------
Tester: Jozef Marko
> [DMN Editor] Decision service
> -----------------------------
>
> Key: DROOLS-1962
> URL: https://issues.jboss.org/browse/DROOLS-1962
> Project: Drools
> Issue Type: Task
> Components: DMN Editor
> Reporter: Jozef Marko
> Assignee: Michael Anstis
> Priority: Trivial
> Labels: reported-by-qe
> Fix For: 7.5.0.Final
>
>
> "In DRD it is rounded rectangle that surrounds all of the encapsulated decisions in the service. The inputs to the service are defined by all of the information requirements leading into the rounded rectangle. The outputs of the service are the decisions shown above the straight line bisecting the rounded rectangle. If there is no such line, all encapsulated decisions are exposed in the service output." cited form DMN Method and Style, Chapter 3, Decision Requirements
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months