[JBoss JIRA] (ELY-1304) Elytron subsystem does not expose digest-sha-384 for digest password
by Yeray Borges (JIRA)
[ https://issues.jboss.org/browse/ELY-1304?page=com.atlassian.jira.plugin.s... ]
Yeray Borges updated ELY-1304:
------------------------------
Fix Version/s: 1.2.0.Beta10
(was: 1.2.0.Beta11)
> Elytron subsystem does not expose digest-sha-384 for digest password
> --------------------------------------------------------------------
>
> Key: ELY-1304
> URL: https://issues.jboss.org/browse/ELY-1304
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
> Assignee: Yeray Borges
> Fix For: 1.2.0.Beta10
>
>
> For the sake of completeness add digest-sha-384 to allowed values of algorithm attribute of set-password operation
> {code:title=/subsystem=elytron/ldap-realm=a:read-operation-description(name=set-password)}
> "digest" => {
> "type" => OBJECT,
> "description" => "A digest password.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "value-type" => {
> "algorithm" => {
> "type" => STRING,
> "description" => "The algorithm used to encrypt the password.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "default" => "digest-sha-512",
> "allowed" => [
> "digest-md5",
> "digest-sha",
> "digest-sha-256",
> "digest-sha-512"
> ]
> },
> "password" => {
> "type" => STRING,
> "description" => "The actual password to set.",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "realm" => {
> "type" => STRING,
> "description" => "The realm.",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> }
> },
> {code}
> Passwords of types otp, salted-simple-digest, simple-digest already expose sha-384 variant.
> Seems to me underlying Elytron implementation is already prepared for that.
> {code:java|title=DigestPasswordImpl.java}
> private static MessageDigest getMessageDigest(final String algorithm) throws NoSuchAlgorithmException {
> switch (algorithm) {
> case ALGORITHM_DIGEST_MD5:
> return MessageDigest.getInstance("MD5");
> case ALGORITHM_DIGEST_SHA:
> return MessageDigest.getInstance("SHA-1");
> case ALGORITHM_DIGEST_SHA_256:
> return MessageDigest.getInstance("SHA-256");
> case ALGORITHM_DIGEST_SHA_384:
> return MessageDigest.getInstance("SHA-384");
> case ALGORITHM_DIGEST_SHA_512:
> return MessageDigest.getInstance("SHA-512");
> default:
> throw log.noSuchAlgorithmInvalidAlgorithm(algorithm);
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Martin Choma edited comment on WFCORE-3421 at 11/16/17 8:02 AM:
----------------------------------------------------------------
These are attributes in elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
Examples where setting an attribute to it's default value does mean that it's required attribute must also be defined:
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{search-recursive=false}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].filter' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].search-recursive' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{role-recursion-name=cn}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].role-recursion' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].role-recursion-name' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=a:add(sasl-server-factory=elytron,filters=[{provider-name=a, version-comparison=less-than}]
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'filters[0].provider-version' needs to be set or passed before attribute 'filters[0].version-comparison' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
was (Author: mchoma):
These are attributes in elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
e.g.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Martin Choma updated WFCORE-3421:
---------------------------------
Comment: was deleted
(was: Do we have any examples where setting an attribute to it's default value does mean that it's required attribute must also be defined?)
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Darran Lofthouse commented on WFCORE-3421:
------------------------------------------
Do we have any examples where setting an attribute to it's default value does mean that it's required attribute must also be defined?
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Martin Choma edited comment on WFCORE-3421 at 11/16/17 7:10 AM:
----------------------------------------------------------------
These are attributes in elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
e.g.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
was (Author: mchoma):
These are attributes in elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
e.g.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Martin Choma commented on WFCORE-3421:
--------------------------------------
These are attributes in elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
e.g.
{noformat}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Martin Choma edited comment on WFCORE-3421 at 11/16/17 6:54 AM:
----------------------------------------------------------------
Adding relevant hipchat communication
{noformat}
Emmanuel Hugonnet·Nov-15 6:34 PM
I don't understand : *
[standalone@embedded /] /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'outflow-security-domains' needs to be set or passed before attribute 'outflow-anonymous' can be correctly set",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}
as outflow-security-domains is not required
Brian Stansberry·Nov-15 6:35 PM
outflow-anonymous declares "requires" => ["outflow-security-domains"]
^^^ is a prediction, not something I looked at
Emmanuel Hugonnet·Nov-15 6:42 PM
yes but passing an undefined outflow-security-domains just for this feels strange
how can you require something that is not required ?
and not even present in the default config ?
Brian Stansberry·Nov-15 6:43 PM
that's a bug; it's a misuse of 'requires'
the meaning of 'requires' is "requires if defined" not "requires if defined and set to true"
that kind of "x requires y if x==true|1|etc" check requires currently requires custom validation code; using simple AD.setRequires(...) for it is a bug
{noformat}
was (Author: mchoma):
{noformat}
Emmanuel Hugonnet·Nov-15 6:34 PM
I don't understand : *
[standalone@embedded /] /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'outflow-security-domains' needs to be set or passed before attribute 'outflow-anonymous' can be correctly set",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}
as outflow-security-domains is not required
Brian Stansberry·Nov-15 6:35 PM
outflow-anonymous declares "requires" => ["outflow-security-domains"]
^^^ is a prediction, not something I looked at
Emmanuel Hugonnet·Nov-15 6:42 PM
yes but passing an undefined outflow-security-domains just for this feels strange
how can you require something that is not required ?
and not even present in the default config ?
Brian Stansberry·Nov-15 6:43 PM
that's a bug; it's a misuse of 'requires'
the meaning of 'requires' is "requires if defined" not "requires if defined and set to true"
that kind of "x requires y if x==true|1|etc" check requires currently requires custom validation code; using simple AD.setRequires(...) for it is a bug
{noformat}
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Martin Choma commented on WFCORE-3421:
--------------------------------------
{noformat}
Emmanuel Hugonnet·Nov-15 6:34 PM
I don't understand : *
[standalone@embedded /] /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'outflow-security-domains' needs to be set or passed before attribute 'outflow-anonymous' can be correctly set",
"rolled-back" => true,
"response-headers" => {"process-state" => "reload-required"}
}
as outflow-security-domains is not required
Brian Stansberry·Nov-15 6:35 PM
outflow-anonymous declares "requires" => ["outflow-security-domains"]
^^^ is a prediction, not something I looked at
Emmanuel Hugonnet·Nov-15 6:42 PM
yes but passing an undefined outflow-security-domains just for this feels strange
how can you require something that is not required ?
and not even present in the default config ?
Brian Stansberry·Nov-15 6:43 PM
that's a bug; it's a misuse of 'requires'
the meaning of 'requires' is "requires if defined" not "requires if defined and set to true"
that kind of "x requires y if x==true|1|etc" check requires currently requires custom validation code; using simple AD.setRequires(...) for it is a bug
{noformat}
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi... ]
Martin Choma updated WFCORE-3421:
---------------------------------
Description:
If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
So
{noformat}
/subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
{noformat}
should work like
{noformat}
/subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
{noformat}
A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
was:
If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
So /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}]) should work like /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months