February 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (ELY-915) Elytron filesystem caching realm should cache attributes and credentials

by Ondrej Kotek (JIRA)

[ https://issues.jboss.org/browse/ELY-915?page=com.atlassian.jira.plugin.sy... ] Ondrej Kotek moved JBEAP-8663 to ELY-915: ----------------------------------------- Project: WildFly Elytron (was: JBoss Enterprise Application Platform) Key: ELY-915 (was: JBEAP-8663) Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1) Component/s: Realms (was: Security) Affects Version/s: 1.1.0.Beta21 (was: 7.1.0.DR11) > Elytron filesystem caching realm should cache attributes and credentials > ------------------------------------------------------------------------ > > Key: ELY-915 > URL: https://issues.jboss.org/browse/ELY-915 > Project: WildFly Elytron > Issue Type: Bug > Components: Realms > Affects Versions: 1.1.0.Beta21 > Reporter: Ondrej Kotek > > Elytron caching realm backed by filesystem realm provides caching for identity objects but not for related credentials and attributes. > Credentials and attributes should not be loaded from file system for a cache hit. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-913) Incorrect username is passed to principal when principal-transformers are enabled

by Ondrej Lukas (JIRA)

[ https://issues.jboss.org/browse/ELY-913?page=com.atlassian.jira.plugin.sy... ] Ondrej Lukas closed ELY-913. ---------------------------- Resolution: Rejected Ok, I understand it now. Thanks for the clarification. I am closing this issue since this is not a bug. > Incorrect username is passed to principal when principal-transformers are enabled > --------------------------------------------------------------------------------- > > Key: ELY-913 > URL: https://issues.jboss.org/browse/ELY-913 > Project: WildFly Elytron > Issue Type: Bug > Affects Versions: 1.1.0.Beta21 > Reporter: Ondrej Lukas > Assignee: Darran Lofthouse > Priority: Critical > > In case when some principal-transformers are used for transforming principal in security domain then final username which is used for authentication and later for authorization is: input_username transformed by pre-realm-principal-transformer, post-realm-principal-transformer and realm principal-transformer. However Principal assigned to SecurityIdentity uses only name input_username transformed by pre-realm-principal-transformer. > It seems it is caused by passing {{preRealmPrincipal}} as fourth parameter in https://github.com/wildfly-security/wildfly-elytron/blob/7b5c89c437d27fec... > Value of SecurityIdentity.getPrincipal() can be seen when trace log is enabled due to https://github.com/wildfly-security/wildfly-elytron/blob/7b5c89c437d27fec... > Since it seems there is currently no documentation related to this topic I cannot say whether it is real bug. [~dlofthouse] could you please provide some clarification? > Log (see Steps to Reproduce for more details about configuration): > {code} > TRACE [org.wildfly.security] (default task-3) Principal assigning: [user], pre-realm rewritten: [user1], realm name: [ApplicationRealm], post realm rewritten: [user12], realm rewritten: [user123] > TRACE [org.wildfly.security] (default task-3) Attempting to authenticate account user123 using LegacyPropertiesSecurityRealm. > ... > TRACE [org.wildfly.security] (default task-3) Role mapping: principal [user1] -> decoded roles [JBossAdmin] -> realm mapped roles [JBossAdmin] -> domain mapped roles [JBossAdmin] > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-913) Incorrect username is passed to principal when principal-transformers are enabled

by David Lloyd (JIRA)

[ https://issues.jboss.org/browse/ELY-913?page=com.atlassian.jira.plugin.sy... ] David Lloyd commented on ELY-913: --------------------------------- This is intentional. The domain principal is meant to be unique per domain, whereas the realm principal need only be unique per realm. So if I have two realms, for example one for customers and one for employees, and they both contain an identity with the same name, I can use post-realm rewriters to disambiguate them. Example 1: "David/cust" -> map to customer realm -> "David" Example 2: "David/emp" -> map to employee realm -> "David" > Incorrect username is passed to principal when principal-transformers are enabled > --------------------------------------------------------------------------------- > > Key: ELY-913 > URL: https://issues.jboss.org/browse/ELY-913 > Project: WildFly Elytron > Issue Type: Bug > Affects Versions: 1.1.0.Beta21 > Reporter: Ondrej Lukas > Assignee: Darran Lofthouse > Priority: Critical > > In case when some principal-transformers are used for transforming principal in security domain then final username which is used for authentication and later for authorization is: input_username transformed by pre-realm-principal-transformer, post-realm-principal-transformer and realm principal-transformer. However Principal assigned to SecurityIdentity uses only name input_username transformed by pre-realm-principal-transformer. > It seems it is caused by passing {{preRealmPrincipal}} as fourth parameter in https://github.com/wildfly-security/wildfly-elytron/blob/7b5c89c437d27fec... > Value of SecurityIdentity.getPrincipal() can be seen when trace log is enabled due to https://github.com/wildfly-security/wildfly-elytron/blob/7b5c89c437d27fec... > Since it seems there is currently no documentation related to this topic I cannot say whether it is real bug. [~dlofthouse] could you please provide some clarification? > Log (see Steps to Reproduce for more details about configuration): > {code} > TRACE [org.wildfly.security] (default task-3) Principal assigning: [user], pre-realm rewritten: [user1], realm name: [ApplicationRealm], post realm rewritten: [user12], realm rewritten: [user123] > TRACE [org.wildfly.security] (default task-3) Attempting to authenticate account user123 using LegacyPropertiesSecurityRealm. > ... > TRACE [org.wildfly.security] (default task-3) Role mapping: principal [user1] -> decoded roles [JBossAdmin] -> realm mapped roles [JBossAdmin] -> domain mapped roles [JBossAdmin] > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (ELY-904) Logout notification support for HTTP-based authentication mechanisms

by Pedro Igor (JIRA)

[ https://issues.jboss.org/browse/ELY-904?page=com.atlassian.jira.plugin.sy... ] Pedro Igor commented on ELY-904: -------------------------------- I stepped back and pushed changes related with the addition of a logout method to {{HttpServerAuthenticationMechanism}}. Support this via notification is really possible for session based mechanism, given that usually we just need to invalidate session and not write to the response. If our HTTP API were allowing mechs to write to the response without necessary calling one of those "complete methods" (authenticationComplete, noAuthInProgress, etc) we can avoid adding this method and just support LOGOUT notification in our API. > Logout notification support for HTTP-based authentication mechanisms > -------------------------------------------------------------------- > > Key: ELY-904 > URL: https://issues.jboss.org/browse/ELY-904 > Project: WildFly Elytron > Issue Type: Enhancement > Components: HTTP > Affects Versions: 1.1.0.Beta21 > Reporter: Pedro Igor > Assignee: Pedro Igor > > I think it makes sense to also allow HTTP mechanisms to handle logouts. Logout is tightly related with authentication and mechanisms should be able to act properly during logout requests. > Although only a few set of mechanisms support logout, I think adding a default method {{org.wildfly.security.http.HttpServerAuthenticationMechanism#logout}} will make our API even more complete and capable of supporting more use cases. > The main use case for this enhancement is programmatic logout. In this case, logout can be triggered from inside an application which in turn delegates the logout logic to the mechanism that authenticated an user. > Considering Elytron Web, this enhancement would make integration with other containers even more simple and avoid dealing with specific logout mechanisms (e.g.: notifications) provided by these same containers. This is specially true for servlet containers. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8023) Autocomplete doesn't work properly in credential-reference.alias attribute.

by Hynek Švábek (JIRA)

Hynek Švábek created WFLY-8023: ---------------------------------- Summary: Autocomplete doesn't work properly in credential-reference.alias attribute. Key: WFLY-8023 URL: https://issues.jboss.org/browse/WFLY-8023 Project: WildFly Issue Type: Bug Components: Security Reporter: Hynek Švábek Assignee: Darran Lofthouse Autocomplete doesn't work properly in credential-reference.alias attribute. I want to use autocomplete for credential-reference.alias when I the credential-reference.store attribute is filled but it doesn't work. *How to reproduce* {code} /subsystem=elytron/credential-store=cs1:add(uri="cr-store://test/cs1.jceks", credential-reference={store=cs012, alias=<TAB> {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8023) Autocomplete doesn't work properly in credential-reference.alias attribute.

by Hynek Švábek (JIRA)

[ https://issues.jboss.org/browse/WFLY-8023?page=com.atlassian.jira.plugin.... ] Hynek Švábek reassigned WFLY-8023: ---------------------------------- Assignee: Peter Skopek (was: Darran Lofthouse) > Autocomplete doesn't work properly in credential-reference.alias attribute. > --------------------------------------------------------------------------- > > Key: WFLY-8023 > URL: https://issues.jboss.org/browse/WFLY-8023 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Hynek Švábek > Assignee: Peter Skopek > > Autocomplete doesn't work properly in credential-reference.alias attribute. > I want to use autocomplete for credential-reference.alias when I the credential-reference.store attribute is filled but it doesn't work. > *How to reproduce* > {code} > /subsystem=elytron/credential-store=cs1:add(uri="cr-store://test/cs1.jceks", credential-reference={store=cs012, alias=<TAB> > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8022) Autocomplete doesn't work properly in credential-reference.store attribute.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-8022?page=com.atlassian.jira.plugin.... ] Darran Lofthouse commented on WFLY-8022: ---------------------------------------- This is likely a duplicate of WFCORE-2245 > Autocomplete doesn't work properly in credential-reference.store attribute. > --------------------------------------------------------------------------- > > Key: WFLY-8022 > URL: https://issues.jboss.org/browse/WFLY-8022 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Hynek Švábek > Assignee: Peter Skopek > > Autocomplete doesn't work properly in credential-reference attribute. > I want to use autocomplete for credential-reference.store but it doesn't work. > *How to reproduce* > {code} > /subsystem=elytron/credential-store=cs1:add(uri="cr-store://test/cs1.jceks", credential-reference={store=<TAB> > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8022) Autocomplete doesn't work properly in credential-reference.store attribute.

by Hynek Švábek (JIRA)

[ https://issues.jboss.org/browse/WFLY-8022?page=com.atlassian.jira.plugin.... ] Hynek Švábek reassigned WFLY-8022: ---------------------------------- Assignee: Peter Skopek (was: Darran Lofthouse) > Autocomplete doesn't work properly in credential-reference.store attribute. > --------------------------------------------------------------------------- > > Key: WFLY-8022 > URL: https://issues.jboss.org/browse/WFLY-8022 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Hynek Švábek > Assignee: Peter Skopek > > Autocomplete doesn't work properly in credential-reference attribute. > I want to use autocomplete for credential-reference.store but it doesn't work. > *How to reproduce* > {code} > /subsystem=elytron/credential-store=cs1:add(uri="cr-store://test/cs1.jceks", credential-reference={store=<TAB> > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8022) Autocomplete doesn't work properly in credential-reference.store attribute.

by Hynek Švábek (JIRA)

Hynek Švábek created WFLY-8022: ---------------------------------- Summary: Autocomplete doesn't work properly in credential-reference.store attribute. Key: WFLY-8022 URL: https://issues.jboss.org/browse/WFLY-8022 Project: WildFly Issue Type: Bug Components: Security Reporter: Hynek Švábek Assignee: Darran Lofthouse Autocomplete doesn't work properly in credential-reference attribute. I want to use autocomplete for credential-reference.store but it doesn't work. *How to reproduce* {code} /subsystem=elytron/credential-store=cs1:add(uri="cr-store://test/cs1.jceks", credential-reference={store=<TAB> {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8014) Remote store cannot be added to a cache via CLI

by Paul Ferraro (JIRA)

[ https://issues.jboss.org/browse/WFLY-8014?page=com.atlassian.jira.plugin.... ] Paul Ferraro updated WFLY-8014: ------------------------------- Workaround Description: Both store=file:add and store=remove:add succeed when the {allow-resource-service-restart=true} invocation flag is used. > Remote store cannot be added to a cache via CLI > ----------------------------------------------- > > Key: WFLY-8014 > URL: https://issues.jboss.org/browse/WFLY-8014 > Project: WildFly > Issue Type: Bug > Components: Clustering > Affects Versions: 11.0.0.Alpha1 > Reporter: Michal Petrov > Assignee: Paul Ferraro > > It is not possible to add remote store to a new cache: > {quote} > /subsystem=infinispan/cache-container=web/local-cache=myCache/store=remote:add(remote-servers=\[mail-smtp\]) > { > "outcome" => "failed", > "failure-description" => "WFLYCTL0158: Operation handler failed: org.jboss.msc.service.DuplicateServiceException: Service org.wildfly.clustering.infinispan.cache-configuration.web.myCache.store is already registered", > "rolled-back" => true > } > {quote} > However it is possible to add a file store: > {{/subsystem=infinispan/cache-container=web/local-cache=myCache/store=file:add}} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

7 years, 11 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira February 2017