[JBoss JIRA] (WFCORE-2434) Elytron, log cause of LoginException during obtaining ticket
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2434?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8286 to WFCORE-2434:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2434 (was: WFLY-8286)
Component/s: Security
(was: Security)
> Elytron, log cause of LoginException during obtaining ticket
> -------------------------------------------------------------
>
> Key: WFCORE-2434
> URL: https://issues.jboss.org/browse/WFCORE-2434
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: David Lloyd
> Priority: Critical
>
> I got into a situation where, in the method {{GSSCredentialSecurityFactory.createGSSCredential()}}, the cause of the LoginException is hidden from the user.
> In the log there is
> {code:title=server.log}
> 14:26:07,751 TRACE [org.wildfly.security] (default task-1) java.security.GeneralSecurityException: ELY01121: Unable to perform initial JAAS login.
> {code}
> But with a debugger I get to the obvious cause {{javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible}}, which is not written to the log.
> Setting to high priority, because logging useful information is essential for troubleshooting a fragile Kerberos setup.
> The message
> {code:java|title=ElytronMessages}
> @Message(id = 1121, value = "Unable to perform initial JAAS login.")
> GeneralSecurityException unableToPerformInitialLogin(@Cause LoginException cause);
> {code}
> is created in
> {code:java|title=GSSCredentialSecurityFactory.java#L283}
> } catch (LoginException e) {
> throw log.unableToPerformInitialLogin(e);
> }
> {code}
> and logged by
> {code:java|title=ServerAuthenticationContext.java#L847}
> } catch (GeneralSecurityException e) {
> // skip this credential
> log.trace(e);
> }
> {code}
> And more importantly: the question here is whether some global issue should follow up, because the problem is in the usage of log.trace(e): although the cause exception is available, effectively log.trace(e.toString()) is called and the cause is hidden. So probably some global check should be performed in the elytron codebase to see whether other such occurrences aren't also problematic.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 2 months
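The mechanism described in WFCORE-2434, as an added example that is not Elytron's code: a plain Java reconstruction of the wrapped exception from the report, showing what a log.trace(e) call records (the exception becomes the message object, so only toString() survives) versus the trace(Object message, Throwable t) overload of org.jboss.logging.Logger, plus a compact cause-chain helper for TRACE output. The class, method names and the cause-chain format are my own; the logger overload name is org.jboss.logging's, but the code below stays on the JDK so it runs stand-alone.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.security.GeneralSecurityException;
import javax.security.auth.login.LoginException;

public class LoginFailureLogging {

    /** Rebuilds the wrapping from the report: the LoginException becomes the cause of ELY01121. */
    static GeneralSecurityException wrapLoginFailure() {
        LoginException cause = new LoginException(
                "Bad JAAS configuration: credsType and keytab values are not compatible");
        return new GeneralSecurityException("ELY01121: Unable to perform initial JAAS login.", cause);
    }

    /**
     * What ends up in the log after log.trace(e): the exception is passed as the message object,
     * so the logger records e.toString(), which never includes the cause.
     */
    static String recordedByTraceOfException(Throwable e) {
        return String.valueOf(e);
    }

    /**
     * What the Throwable overload log.trace(msg, e) records: the full stack trace,
     * including every "Caused by:" entry, so the LoginException text is visible.
     */
    static String recordedByTraceWithThrowable(Throwable e) {
        StringWriter sw = new StringWriter();
        e.printStackTrace(new PrintWriter(sw));
        return sw.toString();
    }

    /** One-line rendering of the cause chain for TRACE output when a full stack trace is too noisy. */
    static String causeChain(Throwable e) {
        StringBuilder sb = new StringBuilder();
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (sb.length() > 0) sb.append(" <- caused by: ");
            sb.append(t.getClass().getName()).append(": ").append(t.getMessage());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        GeneralSecurityException e = wrapLoginFailure();
        // First line matches the server.log entry from the report: no trace of the LoginException.
        System.out.println("log.trace(e) records       : " + recordedByTraceOfException(e));
        System.out.println("causeChain(e) would record : " + causeChain(e));
        System.out.println("log.trace(msg, e) records  :");
        System.out.print(recordedByTraceWithThrowable(e));
    }
}
```

With org.jboss.logging.Logger the equivalent of the second form is log.trace(e.getMessage(), e); which call site the project eventually changed is not stated in this report.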
[JBoss JIRA] (WFCORE-2429) CLI command for update CredentialReference should fail rather than pass.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2429?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7907 to WFCORE-2429:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2429 (was: WFLY-7907)
Component/s: Security
(was: Security)
> CLI command for update CredentialReference should fail rather than pass.
> ------------------------------------------------------------------------
>
> Key: WFCORE-2429
> URL: https://issues.jboss.org/browse/WFCORE-2429
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
>
> CLI command for update CredentialReference should fail rather than pass.
> Because the CLI command doesn't persist any data to the configuration file but passes.
> I expect that the command would fail and show some error message.
> *How to reproduce*
> {code}
> /subsystem=elytron/credential-store=credS004:add(uri="cr-store://test/credS004.jceks?create.storage=true", credential-reference={clear-text=pass987}, relative-to=jboss.server.data.dir)
> {code}
> {code}
> /subsystem=elytron/credential-store=credS004:write-attribute(name=credential-reference.store, value=credS002)
> {code}
> *AND*
> {code}
> /subsystem=elytron/credential-store=credS004:write-attribute(name=credential-reference.alias, value=credS002)
> {code}
> *Ends with success, but it has to be a failure*
> These commands could lead to inconsistency,
> because it is a valid state to have
> credential-reference={clear-text=pass987}
> or credential-reference={store=cs, alias=alias},
> but not their combination.
> *I can use this correct form of the command*
> {code}
> /subsystem=elytron/credential-store=credS004:write-attribute(name=credential-reference, value={store=credS002, alias=jimmy})
> {code}
> Now everything is OK.
--
[JBoss JIRA] (WFCORE-2430) Logging the elytron version once is sufficient
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2430?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7976 to WFCORE-2430:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2430 (was: WFLY-7976)
Component/s: Security
(was: Security)
> Logging the elytron version once is sufficient
> ----------------------------------------------
>
> Key: WFCORE-2430
> URL: https://issues.jboss.org/browse/WFCORE-2430
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Brian Stansberry
> Assignee: Darran Lofthouse
> Priority: Minor
>
> Pick one or the other please:
> {code}
> 19:05:58,886 INFO [org.wildfly.security] (ServerService Thread Pool -- 7) ELY00001: WildFly Elytron version 1.1.0.Beta21
> 19:05:58,890 INFO [org.wildfly.extension.elytron] (ServerService Thread Pool -- 7) WFLYELY00001: Activating Elytron Subsystem Elytron Version=1.1.0.Beta21, Subsystem Version=1.0.0.Beta2
> {code}
> I couldn't care less about the Subsystem Version. Besides, the extension code MUST get integrated into WildFly (Core) proper.
--
[JBoss JIRA] (WFCORE-2431) Complex type configurable-sasl-server-factory in Elytron subsystem
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2431?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7169 to WFCORE-2431:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2431 (was: WFLY-7169)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
Fix Version/s: 4.0.0.Alpha1
(was: 11.0.0.Alpha1)
> Complex type configurable-sasl-server-factory in Elytron subsystem
> ------------------------------------------------------------------
>
> Key: WFCORE-2431
> URL: https://issues.jboss.org/browse/WFCORE-2431
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Fix For: 4.0.0.Alpha1
>
>
> The Elytron subsystem uses a complex type in the configurable-sasl-server-factory resource which is difficult to use and can result in a bad user experience; see the description of JBEAP-6100 for more details.
--
[JBoss JIRA] (WFCORE-2432) Elytron auth method misconfiguration not logged
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2432?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7698 to WFCORE-2432:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2432 (was: WFLY-7698)
Component/s: Security
(was: Security)
> Elytron auth method misconfiguration not logged
> -----------------------------------------------
>
> Key: WFCORE-2432
> URL: https://issues.jboss.org/browse/WFCORE-2432
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Priority: Critical
> Labels: user_experience
>
> When a deployment is configured to be secured with DIGEST, but the {{http-authentication-factory}} does not list the DIGEST mechanism, the user is not informed about the misconfiguration, even when TRACE logging is turned on. When the user tries to access the app, HTTP status code 403 is returned and Forbidden is shown in the browser. I would expect a browser dialog to appear to allow the user to provide credentials (HTTP status code 401).
> {code:title=web.xml}
> <login-config>
> <auth-method>DIGEST</auth-method>
> <realm-name>ApplicaitonRealm</realm-name>
> </login-config>
> {code}
> {code:title=standalone-elytron.xml}
> <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
> <mechanism-configuration>
> <mechanism mechanism-name="BASIC">
> <mechanism-realm realm-name="Application Realm"/>
> </mechanism>
> <mechanism mechanism-name="FORM"/>
> </mechanism-configuration>
> </http-authentication-factory>
> {code}
> This applies globally to all authentication mechanisms, not only DIGEST.
> Could elytron handle the misconfiguration:
> * either fail during application deployment, as the deployment requirement can't be satisfied
> * or provide reasonable elytron defaults for the missing mechanism configuration.
--
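A deployment-time consistency check of the kind WFCORE-2432 asks for, as an added example that is not WildFly's code: it parses the two fragments from the report and reports every web.xml auth-method that the http-authentication-factory does not offer, which is the situation that silently ends in a 403. It assumes the auth-method value and the mechanism-name value are compared literally (true for DIGEST, BASIC and FORM as written in the report); the class and method names are my own.

```java
import java.io.StringReader;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class AuthMechanismCheck {

    // Constructed inputs, taken from the two configuration fragments in the report.
    static final String WEB_XML = "<web-app><login-config><auth-method>DIGEST</auth-method>"
            + "<realm-name>ApplicationRealm</realm-name></login-config></web-app>";
    static final String FACTORY_XML = "<http-authentication-factory name=\"application-http-authentication\""
            + " http-server-mechanism-factory=\"global\" security-domain=\"ApplicationDomain\">"
            + "<mechanism-configuration><mechanism mechanism-name=\"BASIC\">"
            + "<mechanism-realm realm-name=\"Application Realm\"/></mechanism>"
            + "<mechanism mechanism-name=\"FORM\"/></mechanism-configuration></http-authentication-factory>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Configuration files are not supposed to carry a DTD; refusing one also rules out entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Every auth-method the deployment descriptor declares (normally one). */
    static Set<String> requiredMechanisms(Document webXml) {
        Set<String> out = new LinkedHashSet<>();
        NodeList nodes = webXml.getElementsByTagName("auth-method");
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(nodes.item(i).getTextContent().trim().toUpperCase(Locale.ROOT));
        }
        return out;
    }

    /** Every mechanism-name the factory's mechanism-configuration lists. */
    static Set<String> configuredMechanisms(Document factoryXml) {
        Set<String> out = new LinkedHashSet<>();
        NodeList nodes = factoryXml.getElementsByTagName("mechanism");
        for (int i = 0; i < nodes.getLength(); i++) {
            out.add(((Element) nodes.item(i)).getAttribute("mechanism-name").trim().toUpperCase(Locale.ROOT));
        }
        return out;
    }

    /** Mechanisms the deployment requires but the factory cannot satisfy; empty means consistent. */
    static Set<String> missing(Document webXml, Document factoryXml) {
        Set<String> gap = new LinkedHashSet<>(requiredMechanisms(webXml));
        gap.removeAll(configuredMechanisms(factoryXml));
        return gap;
    }

    public static void main(String[] args) throws Exception {
        Document factory = parse(FACTORY_XML);
        Set<String> gap = missing(parse(WEB_XML), factory);
        if (gap.isEmpty()) {
            System.out.println("OK: factory offers every auth-method the deployment declares");
        } else {
            // For the report's inputs this prints: MISCONFIGURATION ... [DIGEST] ... [BASIC, FORM]
            System.out.println("MISCONFIGURATION: deployment requires " + gap
                    + " but the factory offers only " + configuredMechanisms(factory));
        }
    }
}
```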
[JBoss JIRA] (WFCORE-2433) Autocomplete doesn't work properly in credential-reference.store attribute.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2433?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8022 to WFCORE-2433:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2433 (was: WFLY-8022)
Component/s: Security
(was: Security)
> Autocomplete doesn't work properly in credential-reference.store attribute.
> ---------------------------------------------------------------------------
>
> Key: WFCORE-2433
> URL: https://issues.jboss.org/browse/WFCORE-2433
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
>
> Autocomplete doesn't work properly in credential-reference attribute.
> I want to use autocomplete for credential-reference.store but it doesn't work.
> *How to reproduce*
> {code}
> /subsystem=elytron/credential-store=cs1:add(uri="cr-store://test/cs1.jceks", credential-reference={store=<TAB>
> {code}
--
[JBoss JIRA] (WFCORE-2426) Value of parameter "restart-required" for some attributes in Elytron subsystem resources does not match reality
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2426?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7492 to WFCORE-2426:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2426 (was: WFLY-7492)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
Fix Version/s: 4.0.0.Alpha1
(was: 11.0.0.Alpha1)
> Value of parameter "restart-required" for some attributes in Elytron subsystem resources does not match reality
> ---------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2426
> URL: https://issues.jboss.org/browse/WFCORE-2426
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Kotek
> Assignee: Darran Lofthouse
> Labels: user_experience
> Fix For: 4.0.0.Alpha1
>
>
> Some attributes of some resources in the {{elytron}} subsystem define in their description that it is not necessary to do a {{reload}} or {{restart}}. But reality is different. When trying to change such attributes you are informed that a {{reload}} is necessary:
> {noformat}
> configurable-sasl-server-factory/filters
> configurable-sasl-server-factory/properties
> custom-role-mapper/*
> aggregate-http-server-mechanism-factory/http-server-factories
> constant-permission-mapper/permissions
> filesystem-realm/levels
> filesystem-realm/name-rewriter
> ldap-key-store/attributes/new-item-template
> service-loader-http-server-mechanism-factory/module
> aggregate-principal-decoder/principal-decoders
> simple-permission-mapper/permission-mappings
> chained-name-rewriter/name-rewriters
> custom-permission-mapper/*
> configurable-http-server-mechanism-factory/properties
> custom-name-rewriter/*
> aggregate-sasl-server-factory/sasl-server-factories
> aggregate-name-rewriter/name-rewriters
> ldap-realm/identity-mapping/*
> mechanism-provider-filtering-sasl-server-factory/filters
> custom-principal-decoder/*
> custom-realm-mapper/*
> jdbc-realm/principal-query
> key-managers/credential-reference
> service-loader-sasl-server-factory/module
> concatenating-principal-decoder/principal-decoders
> credential-store/alias/*
> custom-modifiable-realm/*
> custom-credential-security-factory/*
> key-store/credential-reference
> custom-role-decoder/*
> aggregate-role-mapper/role-mappers
> custom-realm/*
> {noformat}
> The attributes are defined as {{"restart-required" => "no-services"}}, see e.g. {{/subsystem=elytron/concatenating-principal-decoder=concatPrincDecoder:read-resource-description}}
--
[JBoss JIRA] (WFCORE-2427) Credential store has configuration in "uri" attribute.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2427?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7483 to WFCORE-2427:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2427 (was: WFLY-7483)
Component/s: Security
(was: Security)
> Credential store has configuration in "uri" attribute.
> ------------------------------------------------------
>
> Key: WFCORE-2427
> URL: https://issues.jboss.org/browse/WFCORE-2427
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
> Priority: Critical
>
> Credential store has configuration in the "uri" attribute. All parameters are in one string. It can be confusing and there is a risk of typos (e.g. a delimiter typo).
> In my opinion the main intention for it is to have a general solution for custom implementations.
> *Current state*
> {code}
> /subsystem=elytron/credential-store=cs001:add(uri="cr-store://test/cs/keystore.jceks?store.password=pass123;create.storage=true")
> {code}
> *Suggestion for improvement:*
> A better solution to achieve this could be to use a map,
> e.g. something like this:
> {code}
> /subsystem=elytron/credential-store=credStore:add(cs-map={store.password=pass123, create.storage=true, store.file=path/to/cred/file})
> {code}
> Now the credential store name is in the URI too; it can be taken from the resource name.
--
[JBoss JIRA] (WFCORE-2428) Properties of Elytron dir-context are parsed incorrectly
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2428?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8167 to WFCORE-2428:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2428 (was: WFLY-8167)
Component/s: Security
(was: Security)
> Properties of Elytron dir-context are parsed incorrectly
> --------------------------------------------------------
>
> Key: WFCORE-2428
> URL: https://issues.jboss.org/browse/WFCORE-2428
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Properties added for the Elytron {{dir-context}} through server configuration are parsed incorrectly. When some value is used in the server configuration, its representation in the server also obtains quotation marks, i.e. {{something}} is parsed as the string {{"something"}}.
--
[JBoss JIRA] (WFCORE-2422) Credential Store alias name in camel case leads to AssertionError.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2422?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7984 to WFCORE-2422:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2422 (was: WFLY-7984)
Component/s: Security
(was: Security)
> Credential Store alias name in camel case leads to AssertionError.
> ------------------------------------------------------------------
>
> Key: WFCORE-2422
> URL: https://issues.jboss.org/browse/WFCORE-2422
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
>
> Credential Store alias name in camel case leads to AssertionError.
> I am not able to reproduce it over jboss-cli, but I can reproduce it in tests.
> See the attachment.
> *How to reproduce*
> * unzip uppercasealias.zip to wildfly/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/credential/store
> * cd wildfly/testsuite/integration/basic
> * mvn test -Dtest=CredentialStoreTestCase
> In the log you can see this:
> {code}
> ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("credential-store" => "testCamelCase"),
> ("alias" => "camelcasenotationalias")
> ]): java.lang.AssertionError
> at org.jboss.as.controller.access.permission.ManagementPermissionAuthorizer.authorize(ManagementPermissionAuthorizer.java:87)
> at org.jboss.as.controller.access.management.DelegatingConfigurableAuthorizer.authorize(DelegatingConfigurableAuthorizer.java:99)
> at org.jboss.as.controller.OperationContextImpl.getBasicAuthorizationResponse(OperationContextImpl.java:1841)
> at org.jboss.as.controller.OperationContextImpl.authorize(OperationContextImpl.java:1739)
> at org.jboss.as.controller.OperationContextImpl.authorize(OperationContextImpl.java:1698)
> at org.jboss.as.controller.OperationContextImpl.getResourceRegistration(OperationContextImpl.java:575)
> at org.jboss.as.controller.AbstractAddStepHandler.recordCapabilitiesAndRequirements(AbstractAddStepHandler.java:270)
> at org.jboss.as.controller.AbstractAddStepHandler.execute(AbstractAddStepHandler.java:146)
> at org.wildfly.extension.elytron.CredentialStoreAliasDefinition$AddHandler.execute(CredentialStoreAliasDefinition.java:209)
> at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:921)
> at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:664)
> at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:383)
> at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1390)
> at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:419)
> at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:240)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:193)
> at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:240)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:212)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:185)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> {code}
--