[JBoss JIRA] (WFLY-3858) Infinispan cache configuration is not always applied to security-domain
by Paul Ferraro (JIRA)
[ https://issues.jboss.org/browse/WFLY-3858?page=com.atlassian.jira.plugin.... ]
Paul Ferraro reopened WFLY-3858:
--------------------------------
Need to reopen, as there was a problem identified with the original fix.
> Infinispan cache configuration is not always applied to security-domain
> -----------------------------------------------------------------------
>
> Key: WFLY-3858
> URL: https://issues.jboss.org/browse/WFLY-3858
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 8.1.0.Final
> Reporter: Robert Tuck
> Assignee: Paul Ferraro
> Fix For: 11.0.0.Alpha1
>
> Attachments: debugger output.txt
>
>
> On WildFly 8.1.0.Final, I have the following standalone-ha.xml:
> {code:title=standalone-ha.xml}
> <subsystem xmlns="urn:jboss:domain:infinispan:2.0">
>     ...
>     <cache-container name="security" default-cache="auth-cache" start="EAGER">
>         <transport cluster="${cluster.name}_SEC" lock-timeout="60000"/>
>         <replicated-cache name="auth-cache" batching="true" mode="ASYNC">
>             <eviction strategy="LRU" max-entries="10000"/>
>             <expiration lifespan="60000"/>
>         </replicated-cache>
>     </cache-container>
> </subsystem>
> ...
> <subsystem xmlns="urn:jboss:domain:security:1.2">
>     <security-domains>
>         ...
>         <security-domain name="OAuth-Consumer" cache-type="infinispan">
>             <authentication>
>                 <login-module code="com.idbs.ewb.server.auth.module.OAuthConsumerLoginModule" flag="sufficient"
>                               module="deployment.ewb-server-ear.ear">
>                     <module-option name="allowedConsumerAuthFailures" value="-1"/>
>                     <module-option name="consumerLoginFailureTimeoutMs" value="3000"/>
>                 </login-module>
>             </authentication>
>         </security-domain>
>     </security-domains>
> </subsystem>
> {code}
> After startup the OAuth-Consumer security domain cache "auth-cache" is not always configured with the specified settings (~50% of the time). This can be verified by monitoring the jboss.infinispan nodes with JConsole and retrieving the cache settings, and tracking the cache hits during logins. This shows that successful logins are cached but do not expire after the expected 60s, and that the expiration lifespan is set to -1 rather than 60000, as are eviction max entries.
> After some debugging I have narrowed down the problem to some code that gets called from inside org.jboss.as.security.plugins.JNDIBasedSecurityManagement:
> {code}
> public SecurityDomainContext createSecurityDomainContext(String securityDomain, Object cacheFactory) throws Exception {
>     log.debugf("Creating SDC for domain=" + securityDomain);
>     AuthenticationManager am = createAuthenticationManager(securityDomain);
>     // create authentication cache
>     if (cacheFactory instanceof EmbeddedCacheManager) {
>         EmbeddedCacheManager cacheManager = EmbeddedCacheManager.class.cast(cacheFactory);
>         @SuppressWarnings("rawtypes")
>         Cache cache = null;
>         if (cacheManager != null) {
>             // TODO override global settings with security domain specific
>             ConfigurationBuilder builder = new ConfigurationBuilder();
>             Configuration baseCfg = cacheManager.getCacheConfiguration("auth-cache");
>             // ^^^^ This call here doesn't always return the correct configuration; baseCfg is then null.
>             if (baseCfg != null) {
>                 builder.read(baseCfg);
>             }
>             cacheManager.defineConfiguration(securityDomain, builder.build());
>             cache = cacheManager.getCache(securityDomain);
>         }
>         if (cache != null && am instanceof CacheableManager) {
>             @SuppressWarnings({ "unchecked", "rawtypes" })
>             CacheableManager<Map, Principal> cm = (CacheableManager<Map, Principal>) am;
>             cm.setCache(cache);
>         }
>     } else if (cacheFactory instanceof DefaultAuthenticationCacheFactory) {
>         <…>
>     }
> }
> {code}
> getCacheConfiguration(String) is implemented inside org.infinispan.manager.DefaultCacheManager:
> {code}
> @Override
> public Configuration getCacheConfiguration(String name) {
>     Configuration configuration = configurationOverrides.get(name);
>     if (configuration == null && cacheExists(name)) {
>         return defaultConfiguration;
>     }
>     return configuration;
> }
> {code}
> Seems like the condition configuration == null occurs when the cache doesn’t exist, therefore it returns null. This appears to be a race condition between this code and where it gets registered in wireAndStartCache(String).
>
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
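Added example, not code from the issue or from the WildFly code base: a defensive version of the cache-definition step quoted above. Instead of copying the `auth-cache` template when it happens to be visible and otherwise building an empty configuration (which yields lifespan -1, never expire, and maxEntries -1, unbounded), it refuses to hand the security domain a cache whose expiration or eviction is unbounded, so the ordering problem surfaces at startup rather than as principals that never leave the cache. It assumes the Infinispan 6 configuration API shipped with WildFly 8.1 (`EmbeddedCacheManager`, `ConfigurationBuilder`, `Configuration.expiration().lifespan()`, `Configuration.eviction().maxEntries()`); `AuthCacheGuard` and its methods are hypothetical names, and this is a guard, not the fix for the race itself.

```java
import org.infinispan.Cache;
import org.infinispan.configuration.cache.Configuration;
import org.infinispan.configuration.cache.ConfigurationBuilder;
import org.infinispan.configuration.global.GlobalConfigurationBuilder;
import org.infinispan.eviction.EvictionStrategy;
import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.manager.EmbeddedCacheManager;

/**
 * Hypothetical guard around the cache-definition step quoted in WFLY-3858 (added example).
 * An authentication cache with lifespan=-1 keeps a principal authenticated for the life of
 * the process, so silently inheriting Infinispan defaults is the worst possible fallback.
 */
public final class AuthCacheGuard {

    static final String TEMPLATE = "auth-cache";

    private AuthCacheGuard() {}

    /** Defines and starts the per-domain cache, or throws if the result would be unbounded. */
    static Cache<Object, Object> defineAuthCache(EmbeddedCacheManager cacheManager,
                                                String securityDomain,
                                                long maxLifespanMs) {
        Configuration template = cacheManager.getCacheConfiguration(TEMPLATE);
        if (template == null) {
            // The race from the report: the template is not (yet) known to the manager.
            // Make the ordering bug visible instead of falling through to defaults.
            throw new IllegalStateException("cache template '" + TEMPLATE
                    + "' is not defined yet; refusing to configure auth cache for domain '"
                    + securityDomain + "'");
        }
        Configuration cfg = new ConfigurationBuilder().read(template).build();
        requireBounded(cfg, maxLifespanMs, securityDomain);

        cacheManager.defineConfiguration(securityDomain, cfg);
        Cache<Object, Object> cache = cacheManager.getCache(securityDomain);
        // Re-check what the running cache actually carries; this is what JConsole shows.
        requireBounded(cache.getCacheConfiguration(), maxLifespanMs, securityDomain);
        return cache;
    }

    /** lifespan -1 means "never expire"; maxEntries -1 means "no eviction". */
    static void requireBounded(Configuration cfg, long maxLifespanMs, String securityDomain) {
        long lifespan = cfg.expiration().lifespan();
        int maxEntries = cfg.eviction().maxEntries();
        if (lifespan < 0 || lifespan > maxLifespanMs || maxEntries < 0) {
            throw new IllegalStateException("auth cache for domain '" + securityDomain
                    + "' is unbounded: lifespan=" + lifespan + "ms, maxEntries=" + maxEntries);
        }
    }

    public static void main(String[] args) {
        EmbeddedCacheManager cm = new DefaultCacheManager(new GlobalConfigurationBuilder().build());
        try {
            // 1) Template missing (the ~50% case from the report): rejected instead of caching forever.
            try {
                defineAuthCache(cm, "OAuth-Consumer", 60_000L);
            } catch (IllegalStateException expected) {
                System.out.println("rejected: " + expected.getMessage());
            }
            // 2) Template present with the settings from standalone-ha.xml: accepted.
            cm.defineConfiguration(TEMPLATE, new ConfigurationBuilder()
                    .expiration().lifespan(60_000L)
                    .eviction().strategy(EvictionStrategy.LRU).maxEntries(10_000)
                    .build());
            Cache<Object, Object> cache = defineAuthCache(cm, "OAuth-Consumer", 60_000L);
            System.out.println("accepted: lifespan="
                    + cache.getCacheConfiguration().expiration().lifespan() + "ms");
        } finally {
            cm.stop();
        }
    }
}
```

The upper bound on lifespan is there because a template that exists but was itself misconfigured (or replaced by a too-generous default) is just as bad as a missing one; the check is against what the domain's security policy tolerates, not merely against -1.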
[JBoss JIRA] (ELY-1008) Elytron Audit Logging does not support logging into more destinations
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1008?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse resolved ELY-1008.
-----------------------------------
Fix Version/s: 1.1.0.Beta32
Resolution: Rejected
SecurityEventListener.aggregate is available to combine multiple event listeners into one.
> Elytron Audit Logging does not support logging into more destinations
> ---------------------------------------------------------------------
>
> Key: ELY-1008
> URL: https://issues.jboss.org/browse/ELY-1008
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Jan Tymel
> Assignee: Darran Lofthouse
> Priority: Blocker
> Fix For: 1.1.0.Beta32
>
> Attachments: deployment.war
>
>
> According to my understanding it is not possible to send Elytron Audit logs to more destinations (files or syslogs). It is caused by the {{security-event-listener}} property within {{security-domain}} taking only a _string_ attribute and not a _list_ of them.
> Example of a use-case that may be affected:
> I want to send logs to a syslog server AND also as a backup to a file on NFS. This means that if the syslog server is unreachable, it will still be possible to send logs into a backup file on NFS and therefore no logs will be completely lost.
--
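Added example, not code from the Elytron project: wiring the two destinations from the use-case through `SecurityEventListener.aggregate`, as the resolution suggests, while isolating each destination so that an exception from one (for instance an unreachable syslog server) cannot prevent the event from reaching the backup. Whether `aggregate` itself isolates failures is not stated in the issue, so the wrapper makes it explicit. It assumes `org.wildfly.security.auth.server.event.SecurityEventListener` is a functional interface that consumes a `SecurityEvent` and exposes `static aggregate(SecurityEventListener...)`; the `syslog` and `file` listeners are placeholders the caller supplies (for example `AuditLogger` instances), and `FailSafeAudit` is a hypothetical class name.

```java
import java.util.function.Consumer;
import org.wildfly.security.auth.server.event.SecurityEvent;
import org.wildfly.security.auth.server.event.SecurityEventListener;

/**
 * Hypothetical helper (added example): combine several audit destinations with
 * SecurityEventListener.aggregate, but wrap each one so a throwing destination is
 * reported and skipped rather than aborting the whole dispatch. If the first listener
 * throws and nothing catches it, the exception propagates to
 * SecurityDomain.handleSecurityEvent (logged as ELY01094) and later listeners never see
 * the event, which defeats the purpose of a backup destination.
 */
public final class FailSafeAudit {

    private FailSafeAudit() {}

    /** Wraps one listener; failures go to errorSink (e.g. the server logger) instead of propagating. */
    static SecurityEventListener failSafe(String name,
                                          SecurityEventListener delegate,
                                          Consumer<String> errorSink) {
        return event -> {
            try {
                delegate.accept(event);
            } catch (RuntimeException e) {
                errorSink.accept("audit destination '" + name + "' failed: " + e);
            }
        };
    }

    /**
     * Primary destination (syslog) plus backup (file on NFS), each independently fail-safe.
     * The returned listener is what the security domain is configured with.
     */
    static SecurityEventListener syslogWithFileBackup(SecurityEventListener syslog,
                                                      SecurityEventListener file,
                                                      Consumer<String> errorSink) {
        return SecurityEventListener.aggregate(
                failSafe("syslog", syslog, errorSink),
                failSafe("file", file, errorSink));
    }
}
```

Order matters only for latency, not for delivery: because each wrapped listener swallows its own failure, the file backup is written whether or not the syslog send succeeded, and the error sink records which destination was lost.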
[JBoss JIRA] (ELY-1008) Elytron Audit Logging does not support logging into more destinations
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1008?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse reassigned ELY-1008:
-------------------------------------
Assignee: Darran Lofthouse
--
[JBoss JIRA] (ELY-1011) Failed validation in regex-validating-principal-transformer causes NPE for Elytron audit logging
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-1011:
---------------------------------
Summary: Failed validation in regex-validating-principal-transformer causes NPE for Elytron audit logging
Key: ELY-1011
URL: https://issues.jboss.org/browse/ELY-1011
Project: WildFly Elytron
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
When validation in the Elytron regex-validating-principal-transformer fails, the following NPE occurs in the server log:
{code}
ERROR [org.wildfly.security] (default task-2) ELY01094: An event handler threw an exception: java.lang.NullPointerException: Value in JsonObjects name/value pair cannot be null
at org.glassfish.json.JsonObjectBuilderImpl.validateValue(JsonObjectBuilderImpl.java:164)
at org.glassfish.json.JsonObjectBuilderImpl.add(JsonObjectBuilderImpl.java:74)
at org.wildfly.security.audit.JsonSecurityEventFormatter.handleAuthenticationFailedEvent(JsonSecurityEventFormatter.java:99)
at org.wildfly.security.audit.JsonSecurityEventFormatter.handleAuthenticationFailedEvent(JsonSecurityEventFormatter.java:93)
at org.wildfly.security.audit.JsonSecurityEventFormatter.handleAuthenticationFailedEvent(JsonSecurityEventFormatter.java:43)
at org.wildfly.security.auth.server.event.SecurityAuthenticationFailedEvent.accept(SecurityAuthenticationFailedEvent.java:49)
at org.wildfly.extension.elytron.AuditResourceDefinitions$1.lambda$null$1(AuditResourceDefinitions.java:156)
at org.wildfly.security.audit.AuditLogger.accept(AuditLogger.java:56)
at org.wildfly.security.audit.AuditLogger.accept(AuditLogger.java:35)
at org.wildfly.security.auth.server.SecurityDomain.handleSecurityEvent(SecurityDomain.java:680)
at org.wildfly.security.auth.server.SecurityDomain.safeHandleSecurityEvent(SecurityDomain.java:687)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.fail(ServerAuthenticationContext.java:1793)
at org.wildfly.security.auth.server.ServerAuthenticationContext.fail(ServerAuthenticationContext.java:433)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:865)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:728)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.fail(UsernamePasswordAuthenticationMechanism.java:107)
at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:170)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:110)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:97)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:46)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
It happens only when the Elytron audit log is enabled. It happens when the match attribute is set to true and the principal name does not match the given pattern, as well as when the match attribute is set to false and the principal name matches the given pattern.
--
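Added example, not Elytron's own code: the failing `JsonObjectBuilder.add` pattern from the trace beside a null-tolerant version. `javax.json` (JSON-P, the API the Glassfish implementation in the trace provides) throws `NullPointerException` when a value is `null`, so a formatter that does not expect a missing principal loses exactly the record it exists to write: the failed authentication. Class, method and field names here are hypothetical, and the JSON shape is illustrative rather than Elytron's actual format.

```java
import javax.json.Json;
import javax.json.JsonObjectBuilder;

/**
 * Hypothetical audit formatter illustrating ELY-1011 (added example). A
 * regex-validating principal transformer that rejects the name leaves the
 * failed-authentication event without a principal, and
 * JsonObjectBuilder.add(name, (String) null) throws NullPointerException
 * ("Value in JsonObjects name/value pair cannot be null").
 */
public final class NullSafeAuditFormatter {

    private NullSafeAuditFormatter() {}

    /** The fragile pattern: throws NPE when principalName is null, so nothing is logged. */
    static String formatNaive(String eventTime, String principalName, String mechanism) {
        return Json.createObjectBuilder()
                .add("event", "SecurityAuthenticationFailedEvent")
                .add("event-time", eventTime)
                .add("principal", principalName)   // NPE here when principalName == null
                .add("mechanism", mechanism)
                .build()
                .toString();
    }

    /** Null-tolerant: the record is always produced; missing fields become JSON null. */
    static String formatSafe(String eventTime, String principalName, String mechanism) {
        JsonObjectBuilder b = Json.createObjectBuilder()
                .add("event", "SecurityAuthenticationFailedEvent")
                .add("event-time", eventTime)
                .add("success", false);
        addNullable(b, "principal", principalName);
        addNullable(b, "mechanism", mechanism);
        return b.build().toString();
    }

    /** addNull keeps the key present so downstream parsers see a stable schema. */
    static JsonObjectBuilder addNullable(JsonObjectBuilder b, String name, String value) {
        return value == null ? b.addNull(name) : b.add(name, value);
    }

    public static void main(String[] args) {
        // Constructed sample: a BASIC login whose principal failed regex validation.
        String when = "2017-03-02T15:00:53.476Z";
        System.out.println(formatSafe(when, null, "BASIC"));
        try {
            formatNaive(when, null, "BASIC");
        } catch (NullPointerException e) {
            System.out.println("naive formatter dropped the audit record: " + e.getMessage());
        }
    }
}
```

The design point is that an audit sink must treat every field of a failure event as optional: the path that produces a failure is by definition the one where earlier stages (name transformation, realm lookup) may not have produced their outputs.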
[JBoss JIRA] (WFCORE-2549) Elytron, kerberos-security-factory unintentionally required attribute "options"
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2549?page=com.atlassian.jira.plugi... ]
Martin Choma updated WFCORE-2549:
---------------------------------
Labels: (was: eap71_beta kerberos)
> Elytron, kerberos-security-factory unintentionally required attribute "options"
> -------------------------------------------------------------------------------
>
> Key: WFCORE-2549
> URL: https://issues.jboss.org/browse/WFCORE-2549
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> *User impact:* User can't configure Kerberos authentication without the optional {{options}} attribute
> *Workaround:* Add any option, even if you don't need any.
> {code}
> /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost@JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"],options={a=b})
> {code}
> *Description:*
> If I try a command which worked previously, I get an error
> {code}
> [standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost@JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"])
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException",
> "rolled-back" => true
> }
> {code}
> In server.log there is this stacktrace
> {code}
> 15:00:53,476 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("kerberos-security-factory" => "a")
> ]): java.lang.IllegalArgumentException
> at org.jboss.dmr.ModelValue.asPropertyList(ModelValue.java:103)
> at org.jboss.dmr.ModelNode.asPropertyList(ModelNode.java:503)
> at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.getValueSupplier(KerberosSecurityFactoryDefinition.java:168)
> at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:77)
> at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151)
> at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:979)
> at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:722)
> at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
> at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1388)
> at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
> at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:263)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:229)
> at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:287)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:244)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> {code}
> Adding the optional {{options}} attribute makes the command work again
> {code}
> [standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost@JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"],options={a=b})
> {"outcome" => "success"}
> {code}
> Attribute {{options}} is correctly marked optional in the model.
> {code}
> "options" => {
> "type" => OBJECT,
> "description" => "The Krb5LoginModule additional options.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "value-type" => STRING,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> {code}
> Not setting as alpha blocker, as a workaround exists.
--
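Added example, not WildFly Core's own code: the `asPropertyList()` call that fails in the trace beside the guarded read an attribute declared `required=false` / `nillable=true` needs. It uses the jboss-dmr `ModelNode` API (`get`, `hasDefined`, `asPropertyList`, `Property`), constructs two operation models mirroring the two CLI commands in the report, and uses hypothetical class and method names.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.Property;

/**
 * Hypothetical reproduction of WFCORE-2549 (added example). ModelNode.asPropertyList()
 * throws IllegalArgumentException on an UNDEFINED node, so reading an attribute declared
 * required=false / nillable=true without checking that it is defined turns "attribute
 * omitted" into an operation failure.
 */
public final class OptionalOptionsAttribute {

    static final String OPTIONS = "options";

    private OptionalOptionsAttribute() {}

    /** Converts a defined OBJECT node of STRING values into a map. */
    static Map<String, String> toMap(ModelNode options) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Property p : options.asPropertyList()) {
            out.put(p.getName(), p.getValue().asString());
        }
        return out;
    }

    /** The fragile pattern from the trace: fails when "options" was not supplied. */
    static Map<String, String> readOptionsNaive(ModelNode model) {
        return toMap(model.get(OPTIONS));
    }

    /** Honours the model: an undefined or nil "options" means "no extra Krb5LoginModule options". */
    static Map<String, String> readOptions(ModelNode model) {
        return model.hasDefined(OPTIONS) ? toMap(model.get(OPTIONS)) : Collections.emptyMap();
    }

    public static void main(String[] args) {
        // Constructed operation models mirroring the two CLI commands in the report.
        ModelNode withOptions = new ModelNode();
        withOptions.get("principal").set("HTTP/localhost@JBOSS.ORG");
        withOptions.get(OPTIONS).get("a").set("b");

        ModelNode withoutOptions = new ModelNode();
        withoutOptions.get("principal").set("HTTP/localhost@JBOSS.ORG");

        System.out.println("guarded, with options:    " + readOptions(withOptions));
        System.out.println("guarded, without options: " + readOptions(withoutOptions));
        try {
            readOptionsNaive(withoutOptions);
        } catch (IllegalArgumentException e) {
            System.out.println("naive, without options:   " + e);
        }
    }
}
```

The check belongs in the runtime handler, next to the read, rather than relying on the attribute definition alone: the model metadata quoted in the report already says `required => false`, and the operation still failed because the value supplier never consulted it.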
[JBoss JIRA] (DROOLS-1480) Support timezones in date and type variables
by Edson Tirelli (JIRA)
[ https://issues.jboss.org/browse/DROOLS-1480?page=com.atlassian.jira.plugi... ]
Edson Tirelli commented on DROOLS-1480:
---------------------------------------
Thank you for creating this. I am hoping we get a clarification on timezones support in DMN 1.2. I am not expecting this to be solved in DMN 1.1.
> Support timezones in date and type variables
> --------------------------------------------
>
> Key: DROOLS-1480
> URL: https://issues.jboss.org/browse/DROOLS-1480
> Project: Drools
> Issue Type: Enhancement
> Components: dmn engine
> Affects Versions: 7.0.0.Beta7
> Reporter: Tibor Zimányi
> Assignee: Edson Tirelli
> Priority: Minor
> Labels: reported-by-qe
>
> Currently we don't support timezones in date and time variables. This should be implemented, when we are sure about the exact format of timezones.
--
[JBoss JIRA] (WFCORE-2549) Elytron, kerberos-security-factory unintentionally required attribute "options"
by Martin Choma (JIRA)
Martin Choma created WFCORE-2549:
------------------------------------
Summary: Elytron, kerberos-security-factory unintentionally required attribute "options"
Key: WFCORE-2549
URL: https://issues.jboss.org/browse/WFCORE-2549
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Blocker
--
[JBoss JIRA] (WFCORE-2432) Elytron auth method misconfiguration not logged
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2432?page=com.atlassian.jira.plugi... ]
Jan Kalina updated WFCORE-2432:
-------------------------------
Priority: Blocker (was: Critical)
> Elytron auth method misconfiguration not logged
> -----------------------------------------------
>
> Key: WFCORE-2432
> URL: https://issues.jboss.org/browse/WFCORE-2432
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Jan Kalina
> Priority: Blocker
> Labels: user_experience
>
> When a deployment is configured to be secured with DIGEST, but the {{http-authentication-factory}} does not list the DIGEST mechanism, the user is not informed about the misconfiguration, even when TRACE logging is turned on. When the user tries to access the app, HTTP 403 is returned and Forbidden is shown in the browser. I would expect a browser dialog to appear to allow the user to provide credentials (HTTP 401).
> {code:title=web.xml}
> <login-config>
> <auth-method>DIGEST</auth-method>
> <realm-name>ApplicaitonRealm</realm-name>
> </login-config>
> {code}
> {code:title=standalone-elytron.xml}
> <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
> <mechanism-configuration>
> <mechanism mechanism-name="BASIC">
> <mechanism-realm realm-name="Application Realm"/>
> </mechanism>
> <mechanism mechanism-name="FORM"/>
> </mechanism-configuration>
> </http-authentication-factory>
> {code}
> This applies globally to all authentication mechanisms, not only DIGEST.
> Could Elytron handle the misconfiguration:
> * either fail during deployment, as the deployment requirement can't be satisfied,
> * or provide reasonable Elytron defaults for the missing mechanism configuration.
--
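Added example, not from the issue or the WildFly code base: the factory from the report alongside a corrected one whose mechanism list covers the `auth-method` the deployment declares. Until the server fails the deployment or falls back to defaults as requested above, the only symptom of this mismatch is the 403, so the practical check is to compare each deployment's `<auth-method>` against the `mechanism-name` values of the factory it is bound to. The DIGEST `mechanism-realm` name below is an assumption that reuses the realm name already used for BASIC.

```xml
<!-- As reported: web.xml asks for DIGEST, but only BASIC and FORM are offered,
     so the request is answered with 403 and nothing is logged. -->
<http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="BASIC">
            <mechanism-realm realm-name="Application Realm"/>
        </mechanism>
        <mechanism mechanism-name="FORM"/>
    </mechanism-configuration>
</http-authentication-factory>

<!-- Corrected (added example): DIGEST is listed, so the browser receives a 401 challenge
     instead of a bare 403. Every auth-method used by deployments bound to this factory
     must appear here. -->
<http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="BASIC">
            <mechanism-realm realm-name="Application Realm"/>
        </mechanism>
        <mechanism mechanism-name="DIGEST">
            <mechanism-realm realm-name="Application Realm"/>
        </mechanism>
        <mechanism mechanism-name="FORM"/>
    </mechanism-configuration>
</http-authentication-factory>
```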
[JBoss JIRA] (WFCORE-2432) Elytron auth method misconfiguration not logged
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2432?page=com.atlassian.jira.plugi... ]
Jan Kalina reassigned WFCORE-2432:
----------------------------------
Assignee: Jan Kalina
--