[JBoss JIRA] (WFCORE-2417) Inconsistency in attribute name of Elytron name-rewriter/final-name-rewriter
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2417?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7590 to WFCORE-2417:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2417 (was: WFLY-7590)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
Fix Version/s: 4.0.0.Alpha1
(was: 11.0.0.Alpha1)
> Inconsistency in attribute name of Elytron name-rewriter/final-name-rewriter
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2417
> URL: https://issues.jboss.org/browse/WFCORE-2417
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
> Fix For: 4.0.0.Alpha1
>
>
> In the Elytron subsystem there are attributes {{name-rewriter}} and {{final-name-rewriter}} which serve the same purpose. Both of them are used for final name rewriting. It can be confusing when two different names are used for the same type of attribute.
> Attribute {{name-rewriter}} is used in:
> * {{realms}} attribute in {{security-domain}}
> Attribute {{final-name-rewriter}} is used in:
> * {{mechanism-configurations}} in both {{http-authentication-factory}} and {{sasl-authentication-factory}}
> * {{mechanism-realm-configurations}} in {{mechanism-configurations}} in both {{http-authentication-factory}} and {{sasl-authentication-factory}}
> Names of {{name-rewriter}} and {{final-name-rewriter}} should be unified for these resources in DMR and also in XSD.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2411) CS with {CMD} or {EXT} pass doesn't persist type=COMMAND to configuration -> after reload it doesn't work.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2411?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7869 to WFCORE-2411:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2411 (was: WFLY-7869)
Component/s: Security
(was: Security)
> CS with {CMD} or {EXT} pass doesn't persist type=COMMAND to configuration -> after reload it doesn't work.
> ----------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2411
> URL: https://issues.jboss.org/browse/WFCORE-2411
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
> Priority: Blocker
>
> This issue blocks verification of this RFE https://issues.jboss.org/browse/EAP7-533.
> CS with {CMD} or {EXT} pass doesn't persist type=COMMAND to configuration -> after reload it doesn't work.
> You can try it with this command (you must replace the path with some real file).
> /subsystem=elytron/credential-store=CredStoreCMD:add(uri="cr-store://test/cs444.jceks", credential-reference={type=COMMAND, clear-text="{CMD}/real/path/to/pass-ely.sh"})
> Once the command is successfully executed:
> # stop the server (not necessary)
> # check standalone.xml
> The given CredentialStore is persisted without the attribute *type="COMMAND"*
[JBoss JIRA] (WFCORE-2412) Complex type key-store in Elytron subsystem
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2412?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7166 to WFCORE-2412:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2412 (was: WFLY-7166)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
Fix Version/s: 4.0.0.Alpha1
(was: 11.0.0.Alpha1)
> Complex type key-store in Elytron subsystem
> -------------------------------------------
>
> Key: WFCORE-2412
> URL: https://issues.jboss.org/browse/WFCORE-2412
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
> Fix For: 4.0.0.Alpha1
>
>
> The Elytron subsystem uses a complex type in the key-store resource which is difficult to use and can result in a bad user experience, see the description of JBEAP-6100 for more details.
[JBoss JIRA] (WFCORE-2413) Using own CustomRealm, CustomModificationRealm and CustomRealmMapper implementation leads to AbstractMethodError.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2413?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8313 to WFCORE-2413:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2413 (was: WFLY-8313)
Component/s: Security
(was: Security)
> Using own CustomRealm, CustomModificationRealm and CustomRealmMapper implementation leads to AbstractMethodError.
> -----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2413
> URL: https://issues.jboss.org/browse/WFCORE-2413
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Priority: Critical
>
> Using own CustomRealm, CustomModifiableRealm and CustomRealmMapper implementation leads to AbstractMethodError.
> I tried to create my own implementation and set up the server to use it, but I get an error message about AbstractMethodError.
> You can see below how to reproduce this problem. I attached jar files with the implementation, where the .java files are located too.
[JBoss JIRA] (WFCORE-2408) Description of Elytron oauth2-introspection resource is copy/pasted from jwt
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2408?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7676 to WFCORE-2408:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2408 (was: WFLY-7676)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
Fix Version/s: 4.0.0.Alpha1
(was: 11.0.0.Alpha1)
> Description of Elytron oauth2-introspection resource is copy/pasted from jwt
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2408
> URL: https://issues.jboss.org/browse/WFCORE-2408
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
> Fix For: 4.0.0.Alpha1
>
>
> The description of the {{oauth2-introspection}} resource from the Elytron {{token-realm}} is copy/pasted from the description of {{jwt}}.
> It is similar to WFLY-7573, but its description (and also its linked fix) talks only about the description of attributes. This Jira is related to the description of the whole resource, which currently says:
> "A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard."
[JBoss JIRA] (WFCORE-2409) Review elytron kerberos-security-factory resource
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2409?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7259 to WFCORE-2409:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2409 (was: WFLY-7259)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
Fix Version/s: 4.0.0.Alpha1
(was: 11.0.0.Alpha1)
> Review elytron kerberos-security-factory resource
> -------------------------------------------------
>
> Key: WFCORE-2409
> URL: https://issues.jboss.org/browse/WFCORE-2409
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: user_experience
> Fix For: 4.0.0.Alpha1
>
>
> * {{mechanism-oids}}
> ** Minimal command for kerberos security factory creation is {code}/subsystem=elytron/kerberos-security-factory=kerberos:add(principal=mchoma, path=/path/to/keytab, mechanism-oids=[1.2.840.113554.1.2.2]){code}
> ** I don't think it is user-friendly to require the user to specify mechanism-oids. I think some reasonable default value should be used here.
> * {{minimum-remaining-lifetime}}
> ** please specify units in the documentation, e.g. seconds/minutes
> * {{relative-to}}
> ** as only a path reference can be used here, it should probably be just "expressions-allowed" => false
> ** In legacy settings it is documented better: "The name of another previously named path, or of one of the standard paths provided by the system. If 'relative-to' is provided, the value of the 'path' attribute is treated as relative to the path specified by this attribute."
> * {{server}}
> ** I assume that based on the {{server}} attribute INITIATE_ONLY or ACCEPT_ONLY is configured on GSSCredential [1]. Wouldn't it be useful to also have the possibility to set INITIATE_AND_ACCEPT? Couldn't that be useful, for example, in the case of identity propagation?
> * {{for-hosts}}
> ** compared to legacy security {{kerberosIdentityType}} I am missing for-hosts. Elytron won't provide such a feature?
[JBoss JIRA] (WFCORE-2410) Wrong resource and operation descriptions for Elytron filesystem-realm in management model and XSD
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2410?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-7582 to WFCORE-2410:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2410 (was: WFLY-7582)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
> Wrong resource and operation descriptions for Elytron filesystem-realm in management model and XSD
> --------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2410
> URL: https://issues.jboss.org/browse/WFCORE-2410
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> There are some wrong or insufficient resource and operation descriptions for the Elytron filesystem-realm in the CLI:
> * attribute {{levels}} for filesystem-realm - the description says "The number of levels of directory hashing to apply.", but the created directory structure does not use any hashing. Example of how it works: when levels is set to 3, then for user admin the directory structure and file a/d/m/admin.xml is used. The description of levels should be fixed. This should also be fixed in the XSD.
> * the description of the {{digest}} password encryption/hash mechanism in the {{set-password}} operation for an identity of filesystem-realm says "A password using a salted digest.", which is wrong. It seems it is copy-pasted from {{salted-simple-digest}}.
[JBoss JIRA] (WFCORE-2403) CS tool, omitting required param leads to NPE
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2403?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8187 to WFCORE-2403:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2403 (was: WFLY-8187)
Component/s: Security
(was: Security)
> CS tool, omitting required param leads to NPE
> ---------------------------------------------
>
> Key: WFCORE-2403
> URL: https://issues.jboss.org/browse/WFCORE-2403
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Labels: credential-store
>
> Omitting a required param leads to an NPE, e.g. when adding an alias without a password (-p --password)
> {code}
> java -jar wildfly-elytron-tool.jar credential-store -a test_alis -x admin123 -c -u "cr-store://store-test-1?create=true" -salt 12345678 --iteration 230
> Exception in thread "main" java.lang.NullPointerException
> at java.util.regex.Matcher.getTextLength(Matcher.java:1283)
> at java.util.regex.Matcher.reset(Matcher.java:309)
> at java.util.regex.Matcher.<init>(Matcher.java:229)
> at java.util.regex.Pattern.matcher(Pattern.java:1093)
> at java.util.Formatter.parse(Formatter.java:2547)
> at java.util.Formatter.format(Formatter.java:2501)
> at java.io.PrintStream.format(PrintStream.java:970)
> at java.io.PrintStream.printf(PrintStream.java:871)
> at org.wildfly.security.tool.ElytronTool.main(ElytronTool.java:58)
> {code}
> Help does not document required options. If a required option is omitted the user is not informed about which parameter is missing. So effectively the user has no way to find out the required parameters.
[JBoss JIRA] (WFCORE-2404) Elytron, unable to create custom principal transformer
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2404?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved WFLY-8152 to WFCORE-2404:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2404 (was: WFLY-8152)
Component/s: Security
(was: Security)
> Elytron, unable to create custom principal transformer
> ------------------------------------------------------
>
> Key: WFCORE-2404
> URL: https://issues.jboss.org/browse/WFCORE-2404
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Jan Kalina
> Priority: Blocker
>
> When I try to register a custom principal transformer I get {{NoClassDefFoundError}}
> {code}
> 07:11:37,203 WARN [org.jboss.modules] (MSC service thread 1-4) Failed to define class org.wildfly.extras.creaper.commands.elytron.mapper.AddCustomPrincipalTransformerImpl in Module "org.jboss.customprincipaltransformerimpl" from local module loader @282ba1e (finder: local module finder @13b6d03 (roots: /home/mchoma/workspace/git-repositories/creaper/testsuite/standalone/target/jboss-as/modules,/home/mchoma/workspace/git-repositories/creaper/testsuite/standalone/target/jboss-as/modules/system/layers/base)): java.lang.NoClassDefFoundError: Failed to link org/wildfly/extras/creaper/commands/elytron/mapper/AddCustomPrincipalTransformerImpl (Module "org.jboss.customprincipaltransformerimpl" from local module loader @282ba1e (finder: local module finder @13b6d03 (roots: /home/mchoma/workspace/git-repositories/creaper/testsuite/standalone/target/jboss-as/modules,/home/mchoma/workspace/git-repositories/creaper/testsuite/standalone/target/jboss-as/modules/system/layers/base))): org/wildfly/extension/elytron/capabilities/PrincipalTransformer
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:448)
> at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:276)
> at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:79)
> at org.jboss.modules.Module.loadModuleClass(Module.java:708)
> at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:192)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:412)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:400)
> at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
> at org.wildfly.extension.elytron.CustomComponentDefinition$ComponentAddHandler.createValue(CustomComponentDefinition.java:156)
> at org.wildfly.extension.elytron.CustomComponentDefinition$ComponentAddHandler.lambda$performRuntime$1(CustomComponentDefinition.java:135)
> at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> 07:11:37,204 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.principal-transformer.CreaperTestAddCustomPrincipalTransformer: org.jboss.msc.service.StartException in service org.wildfly.security.principal-transformer.CreaperTestAddCustomPrincipalTransformer: Failed to start service
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.NoClassDefFoundError: Failed to link org/wildfly/extras/creaper/commands/elytron/mapper/AddCustomPrincipalTransformerImpl (Module "org.jboss.customprincipaltransformerimpl" from local module loader @282ba1e (finder: local module finder @13b6d03 (roots: /home/mchoma/workspace/git-repositories/creaper/testsuite/standalone/target/jboss-as/modules,/home/mchoma/workspace/git-repositories/creaper/testsuite/standalone/target/jboss-as/modules/system/layers/base))): org/wildfly/extension/elytron/capabilities/PrincipalTransformer
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
> at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:448)
> at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:276)
> at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:79)
> at org.jboss.modules.Module.loadModuleClass(Module.java:708)
> at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:192)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:412)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:400)
> at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
> at org.wildfly.extension.elytron.CustomComponentDefinition$ComponentAddHandler.createValue(CustomComponentDefinition.java:156)
> at org.wildfly.extension.elytron.CustomComponentDefinition$ComponentAddHandler.lambda$performRuntime$1(CustomComponentDefinition.java:135)
> at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
> at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
> ... 3 more
> 07:11:37,207 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("custom-principal-transformer" => "CreaperTestAddCustomPrincipalTransformer")
> ]) - failure description: {
> "WFLYCTL0080: Failed services" => {"org.wildfly.security.principal-transformer.CreaperTestAddCustomPrincipalTransformer" => "org.jboss.msc.service.StartException in service org.wildfly.security.principal-transformer.CreaperTestAddCustomPrincipalTransformer: Failed to start service
> Caused by: java.lang.NoClassDefFoundError: Failed to link org/wildfly/extras/creaper/commands/elytron/mapper/AddCustomPrincipalTransformerImpl (Module \"org.jboss.customprincipaltransformerimpl\" from local module loader @282ba1e (finder: local module finder @13b6d03 (roots: /home/mchoma/workspace/git-repositories/creaper/testsuite/standalone/target/jboss-as/modules,/home/mchoma/workspace/git-repositories/creaper/testsuite/standalone/target/jboss-as/modules/system/layers/base))): org/wildfly/extension/elytron/capabilities/PrincipalTransformer"},
> "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.principal-transformer.CreaperTestAddCustomPrincipalTransformer"]
> }
> {code}
> That works in DR11 without issue.
> Here is the implementation of the used custom principal transformer
> {code:java|title=AddCustomPrincipalTransformerImpl.java}
> package org.wildfly.extras.creaper.commands.elytron.mapper;
>
> import org.wildfly.extension.elytron.Configurable;
> import java.security.Principal;
> import java.util.Map;
> import org.wildfly.extension.elytron.capabilities.PrincipalTransformer;
>
> // Identity transformer: returns the principal unchanged. Configurable is
> // implemented so the subsystem can pass the "configuration" map from the
> // custom-principal-transformer resource into initialize().
> public class AddCustomPrincipalTransformerImpl implements PrincipalTransformer, Configurable {
>
>     @Override
>     public Principal apply(Principal p) {
>         return p;
>     }
>
>     @Override
>     public void initialize(Map<String, String> configuration) {
>         // Test hook: fail service start on demand when the "throwException" key is configured.
>         if (configuration.containsKey("throwException")) {
>             throw new IllegalStateException("Only test purpose. This exception was thrown on demand.");
>         }
>     }
> }
> {code}