[JBoss JIRA] (WFCORE-2466) Elytron, IBM java, SPNEGO continuation required situation
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2466?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7875 to WFCORE-2466:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2466 (was: WFLY-7875)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
> Elytron, IBM java, SPNEGO continuation required situation
> ---------------------------------------------------------
>
> Key: WFCORE-2466
> URL: https://issues.jboss.org/browse/WFCORE-2466
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Attachments: ContinuationRequiredIBM.pcap, server.log
>
>
> I have problem to achieve this scenario with elytron on IBM java:
> # Using IBM Java
> # Client sends non kerberos OID mechanism as most preferred with non kerberos ticket
> # Server response with "continuation required"
> # Client sends kerberos ticket
> # Server response with 401 instead of 200
> # In server there is error
> {code}
> 10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
> major string: Defective token
> minor string: Bad token tag: -95
> at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
> at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
> at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
> at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
> at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
> at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
> at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
> {code}
> Basically, it is same scenario as tested in [1] (for legacy security).
> This scenario works correctly
> * on Oracle and OpenJDK java with elytron in EAP 7.1
> * with legacy security on IBM java in EAP 7.1
> Setting high priority as:
> * It works in legacy security, so customers won't be able to migrate
> * Similar error was resolved in EAP 7.0 (JBEAP-3709) as blocker because customer case existed for that.
> [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...
> [2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFCORE-2467) Specify detailed HttpServerAuthenticationMechanismFactory interface contract
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2467?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7693 to WFCORE-2467:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2467 (was: WFLY-7693)
Component/s: Security
(was: Security)
> Specify detailed HttpServerAuthenticationMechanismFactory interface contract
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2467
> URL: https://issues.jboss.org/browse/WFCORE-2467
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Priority: Critical
>
> Please specify detailed contract of HttpServerAuthenticationMechanismFactory.
> Describe which params are allowed to be null and what happens in that case. Also describe if null return values are allowed from interface methods and when does that could happen.
> You can consider {{javax.security.sasl.SaslServerFactory}} as example of detailed contract.
> For example:
> * Is {{properties}} parameter of {{getMechanismNames()}} allowed to be null?
> * is {{getMechanismNames()}} allowed to return null ?
> * Are any of {{createAuthenticationMechanism()}} parameters allowed to be null?
> ** For {{ServerMechanismFactoryImpl}} implementation {{properties}} could not be null - is it general rule?
> {code}
> java.lang.IllegalArgumentException: Parameter 'properties' may not be null
> at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
> at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
> at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:79)
> {code}
> ** For {{ServerMechanismFactoryImpl}} implementation {{callbackHandler}} could not be null - is it general rule?
> {code}
> java.lang.IllegalArgumentException: Parameter 'callbackHandler' may not be null
> at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
> at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
> at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:80)
> {code}
> ** For {{ServerMechanismFactoryImpl}} implementation {{mechanismName}} could not be null - is it general rule?
> {code}
> java.lang.IllegalArgumentException: Parameter 'mechanismName' may not be null
> at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
> at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
> at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:78)
> {code}
> I would suggest to wrap {{java.lang.IllegalArgumentException}} to HttpAuthenticationException. Otherwise possibility of {{IllegalArgumentException}} should be documented in contract.
> * Is {{createAuthenticationMechanism()}} allowed to return null?
> Filing as Critical, as this interface is expected to be implemented by custom factories.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFCORE-2459) Missing log that authetication failed in Elytron LdapRealm
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2459?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8165 to WFCORE-2459:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2459 (was: WFLY-8165)
Component/s: Security
(was: Security)
> Missing log that authetication failed in Elytron LdapRealm
> ----------------------------------------------------------
>
> Key: WFCORE-2459
> URL: https://issues.jboss.org/browse/WFCORE-2459
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
>
> In case when wrong password is passed during authentication through LdapRealm then server log does not include information that 'authentication failed'.
> Following log occurs in server.log:
> {code}
> 2017-02-20 13:16:41,482 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [jduke].
> 2017-02-20 13:16:41,483 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [ou=People,dc=jboss,dc=org] with arguments [[Ljava.lang.String;@3e8a4972]. Returning attributes are [[userPassword]]. Binary attributes are [[]].
> 2017-02-20 13:16:41,491 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=jduke,ou=People,dc=jboss,dc=org].
> 2017-02-20 13:16:41,493 DEBUG [org.wildfly.security] (default task-2) Identity for principal [jduke] found at [uid=jduke,ou=People,dc=jboss,dc=org].
> 2017-02-20 13:16:41,504 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@3db0aa06] was closed. Connection closed or just returned to the pool.
> 2017-02-20 13:16:41,506 DEBUG [org.wildfly.security] (default task-2) User jduke authorization failed.
> 2017-02-20 13:16:41,506 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: fail
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFCORE-2461) Credential-store attribute relative-to doesn't reference path as required
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2461?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8068 to WFCORE-2461:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2461 (was: WFLY-8068)
Component/s: Security
(was: Security)
> Credential-store attribute relative-to doesn't reference path as required
> -------------------------------------------------------------------------
>
> Key: WFCORE-2461
> URL: https://issues.jboss.org/browse/WFCORE-2461
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Josef Cacek
> Assignee: Ilia Vassilev
>
> Combination of {{path}} and {{relative-to}} attributes is common across all the elytron subsystem. All but one {{relative-to}} attributes list the "path" as required:
> {code}
> "relative-to" => {
> "type" => STRING,
> ...
> "requires" => ["path"],
> ...
> }
> {code}
> The credential-store configuration doesn't define this dependency.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFCORE-2462) CS tool, format Missing required option
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2462?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8202 to WFCORE-2462:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2462 (was: WFLY-8202)
Component/s: Security
(was: Security)
> CS tool, format Missing required option
> ---------------------------------------
>
> Key: WFCORE-2462
> URL: https://issues.jboss.org/browse/WFCORE-2462
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Labels: credential-store, user_experience, wildfly-elytron-tool
>
> There is validation on required option.
> {code}
> [mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store
> Missing required option: [-a Add new alias to the credential store, -r Remove alias from the credential store, -e Check if alias exists within the credential store, -v Display all aliases, -h Get help with usage of this command][mchoma@localhost bin]$
> {code}
> However it is one line message. I would prefer mulitline message for readability as
> {code}
> [mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store
> Missing one of required options:
> -a Add new alias to the credential store,
> -r Remove alias from the credential store,
> -e Check if alias exists within the credential store,
> -v Display all aliases,
> -h Get help with usage of this command
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFCORE-2457) Insufficient failure-description for filters of Elytron configurable-sasl-server-factory
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2457?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7452 to WFCORE-2457:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2457 (was: WFLY-7452)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
> Insufficient failure-description for filters of Elytron configurable-sasl-server-factory
> ----------------------------------------------------------------------------------------
>
> Key: WFCORE-2457
> URL: https://issues.jboss.org/browse/WFCORE-2457
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> In case when both {{pattern-filter}} and {{predefined-filter}} are set in one Object in CLI command for {{filters}} of Elytron {{configurable-sasl-server-factory}} then it finishes with insufficient failure-description:
> {code}
> /subsystem=elytron/configurable-sasl-server-factory=someFactory:add(sasl-server-factory=global,filters=[{pattern-filter=(.*),predefined-filter=BINDING}])
> {
> "outcome" => "failed",
> "failure-description" => "WFLYELY01014: Invalid [filters] definition.",
> "rolled-back" => true
> }
> {code}
> This failure-description is not wrong but it is also not helpful. Improve failure-description to say that only one of {{pattern-filter}} and {{predefined-filter}} can be set in one Object in list of filters.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFCORE-2458) Inconsistent attribute desription of security domain
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2458?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7686 to WFCORE-2458:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2458 (was: WFLY-7686)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 10.1.0.Final)
> Inconsistent attribute desription of security domain
> ----------------------------------------------------
>
> Key: WFCORE-2458
> URL: https://issues.jboss.org/browse/WFCORE-2458
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Juraj Duráni
> Assignee: Darran Lofthouse
> Priority: Minor
>
> Some attributes have inconsistent description (obtained using 'read-resource-description' operation):
> - Missing module attribute:
> {code:plain|title=Missing module attribute}
> [standalone@localhost:9990 /] /subsystem=security/security-domain=other/mapping=classic:read-resource-description
> {
> "outcome" => "success",
> "result" => {
> "description" => "Mapping configuration. Configures a list of mapping modules to be used for principal, role, attribute and credential mapping.",
> "deprecated" => {
> "since" => "1.3.0",
> "reason" => "The Security subsystem is deprecated and may be removed, significantly revised, or limited to managed domain legacy server use in future versions."
> },
> "access-constraints" => {
> "sensitive" => {"security-domain" => {"type" => "core"}},
> "application" => {"security-domain" => {"type" => "security"}}
> },
> "attributes" => {"mapping-modules" => {
> "type" => LIST,
> "description" => "List of modules that map principal, role, and credential information",
> "expressions-allowed" => false,
> "nillable" => true,
> "deprecated" => {
> "since" => "1.2.0",
> "reason" => "Use of this attribute is deprecated, use resource"
> },
> "value-type" => {
> "code" => {
> "description" => "Class name of the module to be instantiated.",
> "type" => STRING,
> "nillable" => false,
> "min-length" => 1
> },
> "type" => {
> "description" => "Type of mapping this module performs. Allowed values are principal, role, attribute or credential..",
> "type" => STRING,
> "nillable" => false
> },
> "module-options" => {
> "description" => "List of module options containing a name/value pair.",
> "type" => OBJECT,
> "value-type" => STRING,
> "nillable" => true
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "all-services"
> }},
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {"mapping-module" => {
> "description" => "List of modules that map principal, role, and credential information",
> "model-description" => undefined
> }}
> }
> }
> {code}
> - Module description in policy-module refers to "login module"
> {code:plain|title=Inaccurate description}
> [standalone@localhost:9990 /] /subsystem=security/security-domain=other/authorization=classic/policy-module=a:read-resource-description
> {
> "outcome" => "success",
> "result" => {
> "description" => "List of authentication modules",
> "access-constraints" => {
> "sensitive" => {"security-domain" => {"type" => "core"}},
> "application" => {"security-domain" => {"type" => "security"}}
> },
> "attributes" => {
> "code" => {
> "type" => STRING,
> "description" => "Class name of the module to be instantiated.",
> "expressions-allowed" => false,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "flag" => {
> "type" => STRING,
> "description" => "The flag controls how the module participates in the overall procedure. Allowed values are requisite, required, sufficient or optional.",
> "expressions-allowed" => true,
> "nillable" => false,
> "allowed" => [
> "required",
> "requisite",
> "sufficient",
> "optional"
> ],
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "module" => {
> "type" => STRING,
> "description" => "Name of JBoss Module where the login module is located.",
> "expressions-allowed" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "module-options" => {
> "type" => OBJECT,
> "description" => "List of module options containing a name/value pair.",
> "expressions-allowed" => true,
> "nillable" => true,
> "value-type" => STRING,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> }
> },
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {}
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFCORE-2456) Obtain password from external source (CMD, EXT) doesn't work on Windows.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2456?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8268 to WFCORE-2456:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2456 (was: WFLY-8268)
Component/s: Security
(was: Security)
> Obtain password from external source (CMD, EXT) doesn't work on Windows.
> ------------------------------------------------------------------------
>
> Key: WFCORE-2456
> URL: https://issues.jboss.org/browse/WFCORE-2456
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
>
> Obtain password from external source (CMD, EXT) doesn't work on Windows.
> Try to create new CS which obtains password from external source:
> {code}
> /subsystem=elytron/credential-store=myCredStore:add(uri="cr-store://test/myCredStore.jceks?create=true", credential-reference={clear-text="{CMD}C:\path\to\scrit\pass.bat,VerySecretPassword", type=COMMAND}, relative-to=jboss.server.config.dir)
> {code}
> pass.bat file contains only this
> {code}
> echo %1
> {code}
> Because of https://issues.jboss.org/browse/JBEAP-9211 you must do this extra step:
> Add new alias to CS -> JCEKS file is created
> Please try it open directly with pass "VerySecretPassword" -> *it doesn't work* on Windows.
> In my opinion there is problem with back slashes in script path.
> https://github.com/wildfly/wildfly-core/blob/3.0.0.Alpha22/controller/src...
> Because when I add there back slashed to path then it works.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
[JBoss JIRA] (WFCORE-2455) Empty secret-value is not allowed in credential stores
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2455?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8143 to WFCORE-2455:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2455 (was: WFLY-8143)
Component/s: Security
(was: Security)
> Empty secret-value is not allowed in credential stores
> -------------------------------------------------------
>
> Key: WFCORE-2455
> URL: https://issues.jboss.org/browse/WFCORE-2455
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Josef Cacek
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: credential-store
>
> It's not possible to add an entry with empty secret-value into a credential store.
> Masking the fact the password is empty is a valid scenario.
> {code}
> [standalone@localhost:9990 /] /subsystem=elytron/credential-store=cred-store-default/alias=emptysecret:add()
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0155: 'secret-value' may not be null",
> "rolled-back" => true
> }
> [standalone@localhost:9990 /] /subsystem=elytron/credential-store=cred-store-default/alias=emptysecret:add(secret-value="")
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0113: '' is an invalid value for parameter secret-value. Values must have a minimum length of 1 characters",
> "rolled-back" => true
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months