[JBoss JIRA] (WFCORE-2428) Properties of Elytron dir-context are parsed incorrectly
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2428?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8167 to WFCORE-2428:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2428 (was: WFLY-8167)
Component/s: Security (was: Security)
> Properties of Elytron dir-context are parsed incorrectly
> --------------------------------------------------------
>
> Key: WFCORE-2428
> URL: https://issues.jboss.org/browse/WFCORE-2428
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Properties added for Elytron {{dir-context}} through server configuration are parsed incorrectly. When a value is used in the server configuration, its representation in the server also obtains quotation marks, i.e. {{something}} is parsed as the string {{"something"}}.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2422) Credential Store alias name in camel case leads to AssertionError.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2422?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7984 to WFCORE-2422:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2422 (was: WFLY-7984)
Component/s: Security (was: Security)
> Credential Store alias name in camel case leads to AssertionError.
> ------------------------------------------------------------------
>
> Key: WFCORE-2422
> URL: https://issues.jboss.org/browse/WFCORE-2422
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
>
> Credential Store alias name in camel case leads to AssertionError.
> I am not able to reproduce it over jboss-cli but I can reproduce it in tests.
> See the attachment.
> *How to reproduce*
> * unzip uppercasealias.zip to wildfly/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/credential/store
> * cd wildfly/testsuite/integration/basic
> * mvn test -Dtest=CredentialStoreTestCase
> In the log you can see this:
> {code}
> ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("credential-store" => "testCamelCase"),
> ("alias" => "camelcasenotationalias")
> ]): java.lang.AssertionError
> at org.jboss.as.controller.access.permission.ManagementPermissionAuthorizer.authorize(ManagementPermissionAuthorizer.java:87)
> at org.jboss.as.controller.access.management.DelegatingConfigurableAuthorizer.authorize(DelegatingConfigurableAuthorizer.java:99)
> at org.jboss.as.controller.OperationContextImpl.getBasicAuthorizationResponse(OperationContextImpl.java:1841)
> at org.jboss.as.controller.OperationContextImpl.authorize(OperationContextImpl.java:1739)
> at org.jboss.as.controller.OperationContextImpl.authorize(OperationContextImpl.java:1698)
> at org.jboss.as.controller.OperationContextImpl.getResourceRegistration(OperationContextImpl.java:575)
> at org.jboss.as.controller.AbstractAddStepHandler.recordCapabilitiesAndRequirements(AbstractAddStepHandler.java:270)
> at org.jboss.as.controller.AbstractAddStepHandler.execute(AbstractAddStepHandler.java:146)
> at org.wildfly.extension.elytron.CredentialStoreAliasDefinition$AddHandler.execute(CredentialStoreAliasDefinition.java:209)
> at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:921)
> at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:664)
> at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:383)
> at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1390)
> at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:419)
> at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:240)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:193)
> at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:240)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:212)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:185)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> {code}
[JBoss JIRA] (WFCORE-2423) Elytron resources runtime updates without reload
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2423?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7512 to WFCORE-2423:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2423 (was: WFLY-7512)
Component/s: Security (was: Security)
Affects Version/s: 3.0.0.Beta7 (was: 11.0.0.Alpha1)
> Elytron resources runtime updates without reload
> ------------------------------------------------
>
> Key: WFCORE-2423
> URL: https://issues.jboss.org/browse/WFCORE-2423
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Assignee: Dmitrii Tikhomirov
>
> When updating elytron resources, the server ends up in the {{reload-required}} state. For example
> {code}
> [standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=krbSF:write-attribute(name=debug, value=true)
> {
> "outcome" => "success",
> "response-headers" => {
> "operation-requires-reload" => true,
> "process-state" => "reload-required"
> }
> }
> {code}
> Make it possible for all (most - some may be impossible) resources to support runtime updates.
[JBoss JIRA] (WFCORE-2424) Updating of elytron kerberos security factory requires reload
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2424?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7342 to WFCORE-2424:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2424 (was: WFLY-7342)
Component/s: Security (was: Security)
Affects Version/s: 3.0.0.Beta7 (was: 11.0.0.Alpha1)
> Updating of elytron kerberos security factory requires reload
> -------------------------------------------------------------
>
> Key: WFCORE-2424
> URL: https://issues.jboss.org/browse/WFCORE-2424
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> Is it necessary? I mean, adding kerberos-security-factory does not require reload.
> It relates to all of the attributes: debug, minimum-remaining-lifetime, principal, request-lifetime,
> mechanism-oids, path, relative-to, server. For example
> {code}
> [standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=krbSF:write-attribute(name=debug, value=true)
> {
> "outcome" => "success",
> "response-headers" => {
> "operation-requires-reload" => true,
> "process-state" => "reload-required"
> }
> }
> {code}
[JBoss JIRA] (WFCORE-2425) Allow expressions in credential-reference attributes
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2425?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7863 to WFCORE-2425:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2425 (was: WFLY-7863)
Component/s: Security (was: Security)
Affects Version/s: 3.0.0.Beta7 (was: 11.0.0.Alpha1)
> Allow expressions in credential-reference attributes
> ----------------------------------------------------
>
> Key: WFCORE-2425
> URL: https://issues.jboss.org/browse/WFCORE-2425
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Labels: user_experience
>
> Change these attributes to {{"expressions-allowed" => true}}
> {code}
> This applies to key-store and key-manager:
> */credential-reference/alias
> */credential-reference/type
> */credential-reference/clear-text
> {code}
[JBoss JIRA] (WFCORE-2418) CS tool, invalid options are accepted
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2418?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8196 to WFCORE-2418:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2418 (was: WFLY-8196)
Component/s: Security (was: Security)
> CS tool, invalid options are accepted
> -------------------------------------
>
> Key: WFCORE-2418
> URL: https://issues.jboss.org/browse/WFCORE-2418
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: credential-store, wildfly-elytron-tool
>
> Currently, if I provide an invalid option (e.g. --option_does_not_exists), it is accepted (ignored) and the command is performed
> {code}
> [mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="/tmp/test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword --salt 12345678 --iteration 230 --summary --option_does_not_exists
> Alias "myalias" has been successfully stored
> Credential store command summary:
> --------------------------------------
> /subsystem=elytron/credential-store=test:add(uri="cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS",relative-to=jboss.server.data.dir,credential-reference={clear-text="MASK-uNWeyrmbByBEjgZM1FAPQW==;12345678;230"})
> {code}
> It would be safer if the command failed instead. It would guard users from an unintentional command being performed.
> {code}
> [mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="/tmp/test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword --salt 12345678 --iteration 230 --summary --option_does_not_exists
> wildfly-elytron-tool: invalid option -- 'option_does_not_exists'
> {code}
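The fail-closed behaviour the report asks for (reject an undeclared option instead of silently ignoring it) is shown below as an added example; it is hypothetical code written for this page, not the wildfly-elytron-tool's own parser, and the option names, the `StrictOptionParser` class and the `UnknownOptionException` type are assumptions chosen to mirror the command in the report.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical fail-closed option parser (added example, not the
 * wildfly-elytron-tool code). Only options from a declared set are accepted;
 * anything else aborts the command before any work is done.
 */
public final class StrictOptionParser {

    /** Raised for any option that was not declared. */
    public static final class UnknownOptionException extends RuntimeException {
        UnknownOptionException(String option) {
            super("invalid option -- '" + option + "'");
        }
    }

    private final Set<String> valued;   // options that take a value
    private final Set<String> flags;    // options that take no value

    public StrictOptionParser(Set<String> valued, Set<String> flags) {
        this.valued = valued;
        this.flags = flags;
    }

    /** Parses args into name -> value; flags map to "true". */
    public Map<String, String> parse(String[] args) {
        Map<String, String> out = new HashMap<>();
        for (int i = 0; i < args.length; i++) {
            String arg = args[i];
            if (!arg.startsWith("--")) {
                throw new UnknownOptionException(arg);
            }
            String name = arg.substring(2);
            String value = null;
            int eq = name.indexOf('=');
            if (eq >= 0) {                        // --location=/tmp/x form
                value = name.substring(eq + 1);
                name = name.substring(0, eq);
            }
            if (flags.contains(name)) {
                if (value != null) throw new UnknownOptionException(arg);
                out.put(name, "true");
            } else if (valued.contains(name)) {
                if (value == null) {              // --location /tmp/x form
                    if (i + 1 >= args.length) throw new UnknownOptionException(arg);
                    value = args[++i];
                }
                out.put(name, value);
            } else {
                // Fail closed: the tool in the report accepted this silently.
                throw new UnknownOptionException(name);
            }
        }
        return out;
    }

    public static void main(String[] argv) {
        // Declared option set: an assumption modelled on the report's command line.
        StrictOptionParser p = new StrictOptionParser(
            Set.of("add", "secret", "location", "uri", "password", "salt", "iteration"),
            Set.of("summary", "create"));
        // Constructed sample input with the same shape as the reported command.
        String[] ok = {"--add", "myalias", "--secret", "x", "--summary"};
        System.out.println(p.parse(ok));
        try {
            p.parse(new String[] {"--add", "myalias", "--option_does_not_exists"});
        } catch (UnknownOptionException e) {
            // Matches the message format the reporter proposes.
            System.out.println("wildfly-elytron-tool: " + e.getMessage());
        }
    }
}
```

Because the parser throws before returning, a caller cannot reach the "store the alias" step with a typo in the option list; the second invocation in `main` ends with the `invalid option` message instead of a summary.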
[JBoss JIRA] (WFCORE-2419) Complex type simple-permission-mapper in Elytron subsystem
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2419?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7167 to WFCORE-2419:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2419 (was: WFLY-7167)
Component/s: Security (was: Security)
Affects Version/s: 3.0.0.Beta7 (was: 11.0.0.Alpha1)
Fix Version/s: 4.0.0.Alpha1 (was: 11.0.0.Alpha1)
> Complex type simple-permission-mapper in Elytron subsystem
> ----------------------------------------------------------
>
> Key: WFCORE-2419
> URL: https://issues.jboss.org/browse/WFCORE-2419
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
> Fix For: 4.0.0.Alpha1
>
>
> Elytron subsystem uses a complex type in the simple-permission-mapper resource which is difficult to use and can result in a bad user experience, see the description of JBEAP-6100 for more details.
[JBoss JIRA] (WFCORE-2421) CS tool generated different MASKED password than vault.sh
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2421?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8279 to WFCORE-2421:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2421 (was: WFLY-8279)
Component/s: Security (was: Security)
> CS tool generated different MASKED password than vault.sh
> ---------------------------------------------------------
>
> Key: WFCORE-2421
> URL: https://issues.jboss.org/browse/WFCORE-2421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
>
> CS tool generated different MASKED password than vault.sh
> When I run the old vault.sh
> {code}
> ./vault.sh --keystore key.store --keystore-password secret_password --alias Vault --vault-block vaultBlock --attribute passDB --sec-attr secretvalue --enc-dir ./vault --iteration 230 --salt 12345678 -t
> {code}
> I can see this *MASK-1GhfMaq4jSY0.kFFU3QG4T*
> Whole output:
> {code:collapse=true}
> <vault>
> <vault-option name="KEYSTORE_URL" value="key.store"/>
> <vault-option name="KEYSTORE_PASSWORD" value="MASK-1GhfMaq4jSY0.kFFU3QG4T"/>
> <vault-option name="KEYSTORE_ALIAS" value="Vault"/>
> <vault-option name="SALT" value="12345678"/>
> <vault-option name="ITERATION_COUNT" value="230"/>
> <vault-option name="ENC_FILE_DIR" value="./vault/"/>
> </vault><management>
> {code}
> On the other hand, when I run the new CS tool with params:
> {code}
> java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret secretpassword --location="test.store1" --uri "cr-store://test.store?modifiable=true;create=true;keyStoreType=JCEKS" --password secret_password --summary --salt 12345678 --iteration 230 --create
> {code}
> I get *MASK-KAwLfD1BN8WFhZptWsa17G*
> Whole output:
> {code:collapse=true}
> Alias "myalias" has been successfully stored
> Credential store command summary:
> --------------------------------------
> /subsystem=elytron/credential-store=test:add(uri="cr-store://test.store?modifiable=true;create=true;keyStoreType=JCEKS",relative-to=jboss.server.data.dir,credential-reference={clear-text="MASK-KAwLfD1BN8WFhZptWsa17G==;12345678;230"})
> {code}
> *I set these values for both:*
> password to mask *secret_password*
> iteration *12345678*
> salt *230*
[JBoss JIRA] (WFCORE-2420) JMS client dependencies don't contain a default wildfly-config.xml
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2420?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7999 to WFCORE-2420:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2420 (was: WFLY-7999)
Component/s: Security, Security (was: JMS, Security)
> JMS client dependencies don't contain a default wildfly-config.xml
> --------------------------------------------------------------------
>
> Key: WFCORE-2420
> URL: https://issues.jboss.org/browse/WFCORE-2420
> Project: WildFly Core
> Issue Type: Bug
> Components: Security, Security
> Reporter: Josef Cacek
> Assignee: Jeff Mesnil
> Priority: Critical
>
> Using the {{wildfly-jms-client-bom}} dependency for JMS clients doesn't introduce a default {{wildfly-config.xml}} with Elytron client configuration. As a result, clients are not able to authenticate (e.g. using the JBOSS-LOCAL-USER SASL mechanism).
> The default configuration in {{wildfly-config.xml}} should allow similar behavior as with legacy security. So the following call should pass:
> {code}
> ConnectionFactory connectionFactory = (ConnectionFactory) namingContext.lookup("jms/RemoteConnectionFactory");
> {code}
> Currently the call throws exception:
> {code}
> SEVERE: Naming problem occured
> javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server are supported]
> at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
> at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:91)
> at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:78)
> at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:64)
> at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:123)
> at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:113)
> at javax.naming.InitialContext.lookup(InitialContext.java:417)
> at org.wildfly.security.elytron.demo.JmsClient.main(JmsClient.java:45)
> Caused by: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server are supported
> at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:412)
> at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:239)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
> at ...asynchronous invocation...(Unknown Source)
> at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:466)
> at org.jboss.remoting3.FutureConnection.connect(FutureConnection.java:113)
> at org.jboss.remoting3.FutureConnection.init(FutureConnection.java:75)
> at org.jboss.remoting3.FutureConnection.get(FutureConnection.java:151)
> at org.jboss.remoting3.EndpointImpl.getConnection(EndpointImpl.java:422)
> at org.jboss.remoting3.UncloseableEndpoint.getConnection(UncloseableEndpoint.java:57)
> at org.jboss.remoting3.Endpoint.getConnection(Endpoint.java:105)
> at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$new$0(RemoteNamingProvider.java:68)
> at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
> at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:108)
> ... 7 more
> {code}
[JBoss JIRA] (WFCORE-2414) Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2414?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7950 to WFCORE-2414:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2414 (was: WFLY-7950)
Component/s: Security (was: Security)
Affects Version/s: 3.0.0.Beta7 (was: 11.0.0.Alpha1)
> Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount
> -------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2414
> URL: https://issues.jboss.org/browse/WFCORE-2414
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
>
> Coverity static analysis found that Serializable ElytronAccount contains a non-Serializable SecurityIdentity.
> https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=86223...
> Please resolve this inconsistent situation.
> According to dev feedback, SecurityIdentity can't be made Serializable. A rework to remove SecurityIdentity from ElytronAccount was suggested.
> {code:title=hipchat.log}
> [3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication?
> [3:23 PM] Darran Lofthouse: No it can't be
> [3:24 PM] Darran Lofthouse: it is backed by implementation as well as state
> [3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity
> [3:26 PM] David M. Lloyd: among other problems
> [3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it
> [3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be marked as Serializable, right?
> [3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI
> {code}
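The shape of the Coverity finding, and the rework the chat sketches (drop the live identity from the serialized form and restore it on the far side instead of deserializing it), is illustrated below as an added example. It is hypothetical code written for this page, not elytron-web's `ElytronAccount` or Elytron's `SecurityIdentity`; `RuntimeIdentity`, `LeakyAccount`, `RestoringAccount` and the resolver function are stand-ins chosen for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.function.Function;

/**
 * Hypothetical illustration (added example; not elytron-web code) of a
 * Serializable account that holds a non-Serializable identity, and of the
 * restore-instead-of-deserialize rework discussed in the issue.
 */
public final class IdentityHolderDemo {

    /** Stand-in for SecurityIdentity: in-memory state that is never serialized. */
    public static final class RuntimeIdentity {
        private final String principal;
        public RuntimeIdentity(String principal) { this.principal = principal; }
        public String principal() { return principal; }
    }

    /** Mirrors the reported shape: the class is Serializable, the field is not. */
    public static final class LeakyAccount implements Serializable {
        private static final long serialVersionUID = 1L;
        private final RuntimeIdentity identity;          // not Serializable
        public LeakyAccount(RuntimeIdentity identity) { this.identity = identity; }
    }

    /**
     * The suggested rework: keep only the principal name on the wire, mark the
     * live identity transient, and re-resolve it locally on the far side.
     */
    public static final class RestoringAccount implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String principalName;
        private transient RuntimeIdentity identity;

        public RestoringAccount(RuntimeIdentity identity) {
            this.principalName = identity.principal();
            this.identity = identity;
        }

        /** After deserialization the identity is null; rebuild it from a trusted local source. */
        public RuntimeIdentity identity(Function<String, RuntimeIdentity> resolver) {
            if (identity == null) {
                identity = resolver.apply(principalName);
            }
            return identity;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        RuntimeIdentity alice = new RuntimeIdentity("alice");   // constructed sample
        try {
            serialize(new LeakyAccount(alice));
        } catch (NotSerializableException e) {
            // This is the runtime failure that e.g. HttpSession replication would hit.
            System.out.println("LeakyAccount: " + e);
        }
        byte[] wire = serialize(new RestoringAccount(alice));
        RestoringAccount far = (RestoringAccount) deserialize(wire);
        // The resolver stands in for the far node's own identity store; the
        // identity is rebuilt there, never read from the stream.
        RuntimeIdentity restored = far.identity(RuntimeIdentity::new);
        System.out.println("RestoringAccount restored principal: " + restored.principal());
    }
}
```

`LeakyAccount` compiles cleanly, which is why only a static analyser or a replication failure reveals the problem; `RestoringAccount` moves the trust decision to the receiving side, which is the point David M. Lloyd makes in the quoted chat.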