[JBoss JIRA] (WFCORE-2477) Legacy Kerberos in management, regression in choosing keytab strategy
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2477?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2477.
--------------------------------------
Resolution: Duplicate Issue
This is the same issue as covered by WFCORE-2398
Effectively for both issues the protocol had become 'http' / 'https' when for http requests it should always be 'HTTP'.
> Legacy Kerberos in management, regression in choosing keytab strategy
> ---------------------------------------------------------------------
>
> Key: WFCORE-2477
> URL: https://issues.jboss.org/browse/WFCORE-2477
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Fix For: 3.0.0.Beta12
>
>
> There is a regression in the strategy of choosing keytab described by xsd
> {code:xml|title=wildfly-config_5_0.xsd}
> <xs:element name="keytab">
> <xs:complexType>
> <xs:annotation>
> <xs:documentation>
> Reference to an individual keytab.
> On handling the authentication for an incoming request two pieces of information are known, the protocol and the name of the host
> this server is acting as. For HTTP requests the protocol will always be HTTP, for requests over Remoting by default the protocol will
> be 'remote' although this can be overridden.
> At the time authentication is going to be handled the keytab will be selected as follows: -
> 1 - Iterate the list of keytabs and identity one where the for-hosts attribute contains an entry matching protocol/hostname.
> 2 - Iterate the list of keytabs and identify one where the name of the principal matches matches protocol/hostname.
> 3 - Iterate the list of keytabs and identity one where the for-hosts attribute contains an entry matching hostname.
> 4 - Iterate the list of keytabs and identify one where the hostname portion of the principal matches the hostname of the request.
> 5 - Use the keytab where for-hosts is set to '*'.
> If no match is found no keytab will be selected and Kerberos will not be available for communication as that host.
> </xs:documentation>
> </xs:annotation>
> {code}
> In this example
> {code:xml|title=standalone.xml}
> <security-realm name="PriorityForHostsProtocolBeforePrincipal">
>   <server-identities>
>     <kerberos>
>       <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
>       <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
>     </kerberos>
> {code}
> Rule 1 should be applied, but {{<keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>}} is chosen,
> {code:title=server.log}
> 10:28:40,743 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:28:40,744 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
> 10:28:40,744 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,847 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:28:40,848 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
> 10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> {code}
> In this example
> {code:xml|title=standalone.xml}
> <security-realm name="PriorityProtocolPrincipalBeforeForHosts">
>   <server-identities>
>     <kerberos>
>       <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wronghost"/>
>       <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>
>     </kerberos>
> {code}
> Rule 2 should be applied, but {{<keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>}} is chosen
> {code:title=server.log}
> 10:29:21,889 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:29:21,890 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
> 10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
> 10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,959 INFO [stdout] (management task-9) Entered Krb5Context.acceptSecContext with state=STATE_NEW
> 10:29:21,960 INFO [stdout] (management task-9) Looking for keys for: HTTP/wronghost@JBOSS.ORG
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
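
The five-rule keytab selection quoted from the xsd, modelled as an added example (not WildFly's implementation and not code from this thread) and run against both reported configurations with the protocol as 'HTTP' and as the regressed 'http'. The class and method names are hypothetical, and exact, case-sensitive string matching is an assumption taken from the TRACE lines in the report.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.function.Predicate;

public class KeytabSelectionDemo {

    /** One <keytab> element: its principal and the entries of its for-hosts attribute. */
    static final class Keytab {
        final String principal;
        final List<String> forHosts;

        Keytab(String principal, String... forHosts) {
            this.principal = principal;
            this.forHosts = Arrays.asList(forHosts);
        }

        /** "HTTP/host@REALM" -> "HTTP/host" */
        String name() {
            int at = principal.lastIndexOf('@');
            return at < 0 ? principal : principal.substring(0, at);
        }

        /** "HTTP/host@REALM" -> "host" */
        String host() {
            String n = name();
            return n.substring(n.indexOf('/') + 1);
        }
    }

    /** Applies rules 1 to 5 in order; the first keytab matching the earliest rule wins. */
    static Optional<Keytab> select(List<Keytab> keytabs, String protocol, String hostname) {
        String full = protocol + "/" + hostname;
        List<Predicate<Keytab>> rules = Arrays.asList(
                k -> k.forHosts.contains(full),      // 1: for-hosts has protocol/hostname
                k -> k.name().equals(full),          // 2: principal is protocol/hostname
                k -> k.forHosts.contains(hostname),  // 3: for-hosts has hostname
                k -> k.host().equals(hostname),      // 4: principal host part is hostname
                k -> k.forHosts.contains("*"));      // 5: wildcard keytab
        for (Predicate<Keytab> rule : rules) {
            Optional<Keytab> hit = keytabs.stream().filter(rule).findFirst();
            if (hit.isPresent()) {
                return hit;
            }
        }
        return Optional.empty(); // Kerberos not available for this host
    }

    static void report(String realm, List<Keytab> keytabs, String protocol) {
        String chosen = select(keytabs, protocol, "localhost.localdomain")
                .map(k -> k.principal)
                .orElse("<none>");
        System.out.println(realm + " protocol=" + protocol + " -> " + chosen);
    }

    public static void main(String[] args) {
        // The two realms from the report.
        List<Keytab> forHostsFirst = Arrays.asList(
                new Keytab("HTTP/localhost.localdomain@JBOSS.ORG", "wrongprotocol/localhost.localdomain"),
                new Keytab("HTTP/wronghost@JBOSS.ORG", "HTTP/localhost.localdomain"));
        List<Keytab> principalFirst = Arrays.asList(
                new Keytab("HTTP/localhost.localdomain@JBOSS.ORG", "wronghost"),
                new Keytab("HTTP/wronghost@JBOSS.ORG", "localhost.localdomain"));

        for (String protocol : new String[] {"HTTP", "http"}) {
            report("PriorityForHostsProtocolBeforePrincipal", forHostsFirst, protocol);
            report("PriorityProtocolPrincipalBeforeForHosts", principalFirst, protocol);
        }
    }
}
```

With 'HTTP' the model picks the keytab by rule 1 and rule 2 respectively; with 'http' both protocol-qualified rules miss and selection falls through to the host-only rules 4 and 3, which yields the principals shown in the two server.log excerpts.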
[JBoss JIRA] (WFCORE-2477) Legacy Kerberos in management, regression in choosing keytab strategy
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2477?page=com.atlassian.jira.plugi... ]
Darran Lofthouse updated WFCORE-2477:
-------------------------------------
Fix Version/s: 3.0.0.Beta12
[JBoss JIRA] (WFCORE-2484) CS tool, log exception on error
by Ilia Vassilev (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2484?page=com.atlassian.jira.plugi... ]
Ilia Vassilev reassigned WFCORE-2484:
-------------------------------------
Assignee: Ilia Vassilev (was: Darran Lofthouse)
> CS tool, log exception on error
> -------------------------------
>
> Key: WFCORE-2484
> URL: https://issues.jboss.org/browse/WFCORE-2484
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Priority: Critical
> Labels: credential-store, wildfly-elytron-tool
>
> When I try to create CS with invalid options I get just {{ELY09526: Unable to initialize credential store}}. For example:
> * I tried JKS, but JKS is unable to store secret keys
> {code}
> [mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JKS" --password mycspassword --salt 12345678 --iteration 230 --summary
> ELY09526: Unable to initialize credential store[mchoma@localhost bin]$
> {code}
> * I tried BKS, but do not have BC among providers
> {code}
> java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="/tmp/test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=BKS" --password mycspassword --salt 12345678 --iteration 230 --summary
> ELY09526: Unable to initialize credential store
> {code}
> It would be useful if the underlying exception were logged as well. For example, the subsystem throws this exception and it is obvious what is wrong.
> {code}
> Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09526: Unable to initialize credential store
> at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:834)
> at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.load(KeyStoreCredentialStore.java:758)
> at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.initialize(KeyStoreCredentialStore.java:163)
> at org.wildfly.security.credential.store.CredentialStore.initialize(CredentialStore.java:119)
> at org.wildfly.extension.elytron.CredentialStoreService.start(CredentialStoreService.java:117)
> ... 5 more
> Caused by: java.security.KeyStoreException: BKS not found
> at java.security.KeyStore.getInstance(KeyStore.java:851)
> at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.getKeyStoreInstance(KeyStoreCredentialStore.java:832)
> ... 9 more
> Caused by: java.security.NoSuchAlgorithmException: BKS KeyStore not available
> at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
> at java.security.Security.getImpl(Security.java:695)
> at java.security.KeyStore.getInstance(KeyStore.java:848)
> ... 10 more
> {code}
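
The two failures described in WFCORE-2484, reproduced with only the JDK KeyStore API as an added example (not the Elytron tool's code). `StoreInitException`, `createAndStore` and `withCauses` are hypothetical names; the sketch contrasts printing the wrapper message alone with printing the cause chain the report asks for.

```java
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;

public class CredentialStoreCauseDemo {

    /** Hypothetical stand-in for the tool's wrapper exception (not Elytron's class). */
    static final class StoreInitException extends Exception {
        StoreInitException(String msg, Throwable cause) {
            super(msg, cause);
        }
    }

    /** Creates an in-memory keystore of the given type and stores one secret key in it. */
    static void createAndStore(String keyStoreType, char[] password) throws StoreInitException {
        try {
            KeyStore ks = KeyStore.getInstance(keyStoreType); // fails if no provider offers the type
            ks.load(null, password);                          // null stream = new empty store
            // Constructed 16-byte sample secret, not a real credential.
            SecretKeySpec secret = new SecretKeySpec(new byte[16], "AES");
            ks.setEntry("myalias", new KeyStore.SecretKeyEntry(secret),
                    new KeyStore.PasswordProtection(password)); // JKS rejects secret keys here
        } catch (Exception e) {
            // Wrapping keeps the root cause; whether it is shown depends on the caller.
            throw new StoreInitException("Unable to initialize credential store", e);
        }
    }

    /** The top-level message followed by every cause in the chain. */
    static String withCauses(Throwable t) {
        StringBuilder sb = new StringBuilder(String.valueOf(t.getMessage()));
        for (Throwable c = t.getCause(); c != null; c = c.getCause()) {
            sb.append(System.lineSeparator()).append("  Caused by: ").append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        char[] password = "mycspassword".toCharArray();
        // JKS: cannot hold secret keys. BKS: needs a provider such as Bouncy Castle.
        // JCEKS: ships with the JDK and can hold secret keys.
        for (String type : new String[] {"JKS", "BKS", "JCEKS"}) {
            try {
                createAndStore(type, password);
                System.out.println(type + ": stored secret key");
            } catch (StoreInitException e) {
                System.out.println(type + " (message only): " + e.getMessage());
                System.out.println(type + " (with causes): " + withCauses(e));
            }
        }
    }
}
```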
[JBoss JIRA] (ELY-1030) Move TokenSecurityRealm to org.wildfly.security.auth.realm package
by Pedro Igor (JIRA)
[ https://issues.jboss.org/browse/ELY-1030?page=com.atlassian.jira.plugin.s... ]
Pedro Igor commented on ELY-1030:
---------------------------------
[~dlofthouse], I forgot about an important detail :)
We do have other classes related with token realm and these are what we call "token validators". For now we have JWT and OAuth2 (token introspection) validators and in the future we may introduce even more if necessary.
So, I think we should keep the package structure as it is.
> Move TokenSecurityRealm to org.wildfly.security.auth.realm package
> ------------------------------------------------------------------
>
> Key: ELY-1030
> URL: https://issues.jboss.org/browse/ELY-1030
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Realms
> Reporter: Darran Lofthouse
> Assignee: Pedro Igor
> Priority: Critical
> Fix For: 1.1.0.Beta34
>
>
> The LDAP and JDBC realms have their own package as they have quite a few utility and configuration classes, the token realm only has one so I don't think we really need this one to be in its own realm.
[JBoss JIRA] (WFCORE-2245) credential-reference capability-reference constraint
by Brian Stansberry (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2245?page=com.atlassian.jira.plugi... ]
Brian Stansberry resolved WFCORE-2245.
--------------------------------------
Fix Version/s: (was: 3.0.0.Beta12)
Assignee: Brian Stansberry (was: Darran Lofthouse)
Resolution: Duplicate Issue
[~claudio4j] Please follow WFCORE-2433
> credential-reference capability-reference constraint
> ----------------------------------------------------
>
> Key: WFCORE-2245
> URL: https://issues.jboss.org/browse/WFCORE-2245
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Claudio Miranda
> Assignee: Brian Stansberry
>
> The attribute credential-reference is defined in many subsystems as below. It looks like the capability-reference constraint should be set in the "store" field of the value-type, therefore I request a review of this capability-constraint placement.
> {code}
> "credential-reference" => {
>     "type" => OBJECT,
>     "description" => "Credential (from Credential Store) to authenticate on data source",
>     "expressions-allowed" => false,
>     "required" => false,
>     "nillable" => true,
>     "capability-reference" => "org.wildfly.security.credential-store",
>     "access-constraints" => {"sensitive" => {
>         "credential" => {"type" => "core"},
>         "data-source-security" => {"type" => "datasources"}
>     }},
>     "value-type" => {
>         "store" => {
>             "type" => STRING,
>             "description" => "The name of the credential store holding the alias to credential",
>             "expressions-allowed" => false,
>             "required" => false,
>             "nillable" => true,
>             "min-length" => 1L,
>             "max-length" => 2147483647L
>         },
>         "alias" => {
>             "type" => STRING,
>             "description" => "The alias which denotes stored secret or credential in the store",
>             "expressions-allowed" => false,
>             "required" => false,
>             "nillable" => true,
>             "min-length" => 1L,
>             "max-length" => 2147483647L
>         },
>         "type" => {
>             "type" => STRING,
>             "description" => "The type of credential this reference is denoting",
>             "expressions-allowed" => false,
>             "required" => false,
>             "nillable" => true,
>             "min-length" => 1L,
>             "max-length" => 2147483647L
>         },
>         "clear-text" => {
>             "type" => STRING,
>             "description" => "Secret specified using clear text (check credential store way of supplying credential/secrets to services)",
>             "expressions-allowed" => false,
>             "required" => false,
>             "nillable" => true,
>             "min-length" => 1L,
>             "max-length" => 2147483647L
>         }
>     },
>     "access-type" => "read-write",
>     "storage" => "configuration",
>     "restart-required" => "all-services"
> },
> {code}
[JBoss JIRA] (DROOLS-1501) CCE modifying a polymorphic object over a window
by Mario Fusco (JIRA)
[ https://issues.jboss.org/browse/DROOLS-1501?page=com.atlassian.jira.plugi... ]
Mario Fusco commented on DROOLS-1501:
-------------------------------------
Reproduced here https://github.com/kiegroup/drools/pull/1175
> CCE modifying a polymorphic object over a window
> ------------------------------------------------
>
> Key: DROOLS-1501
> URL: https://issues.jboss.org/browse/DROOLS-1501
> Project: Drools
> Issue Type: Bug
> Components: core engine
> Reporter: Mario Fusco
> Assignee: Mario Fusco
>
> Modifying an object matched in a polymorphic way and using a window like in this test case:
> {code}
> @Test
> public void testModifySubclassOverWindow() {
>     // DROOLS-
>     String drl = "declare Number @role( event ) end\n" +
>                  "declare Integer @role( event ) end\n" +
>                  "\n" +
>                  "rule R1 no-loop when\n" +
>                  " $i: Integer()\n" +
>                  "then\n" +
>                  " update($i);\n" +
>                  "end\n" +
>                  "rule R2 when\n" +
>                  " $n: Number() over window:length(1)\n" +
>                  "then\n" +
>                  "end";
>     KieSession ksession = new KieHelper().addContent( drl, ResourceType.DRL )
>                                          .build( EventProcessingOption.STREAM )
>                                          .newKieSession();
>     ksession.insert(1);
>     ksession.fireAllRules();
> }
> {code}
> causes a CCE like the following:
> {code}
> java.lang.ClassCastException: org.drools.core.reteoo.WindowNode cannot be cast to org.drools.core.reteoo.BetaNode
> at org.drools.core.reteoo.EntryPointNode.removeRightTuplesMatchingOTN(EntryPointNode.java:263)
> at org.drools.core.reteoo.EntryPointNode.propagateModify(EntryPointNode.java:253)
> at org.drools.core.reteoo.EntryPointNode.propagateModify(EntryPointNode.java:245)
> at org.drools.core.phreak.PropagationEntry$Update.execute(PropagationEntry.java:217)
> at org.drools.core.phreak.SynchronizedPropagationList.flush(SynchronizedPropagationList.java:93)
> at org.drools.core.phreak.SynchronizedPropagationList.flush(SynchronizedPropagationList.java:83)
> at org.drools.core.common.DefaultAgenda.flushPropagations(DefaultAgenda.java:1275)
> at org.drools.core.phreak.RuleExecutor.fire(RuleExecutor.java:143)
> at org.drools.core.phreak.RuleExecutor.evaluateNetworkAndFire(RuleExecutor.java:89)
> at org.drools.core.concurrent.AbstractRuleEvaluator.internalEvaluateAndFire(AbstractRuleEvaluator.java:37)
> at org.drools.core.concurrent.SequentialRuleEvaluator.evaluateAndFire(SequentialRuleEvaluator.java:43)
> at org.drools.core.common.DefaultAgenda.fireLoop(DefaultAgenda.java:1074)
> at org.drools.core.common.DefaultAgenda.internalFireAllRules(DefaultAgenda.java:1021)
> at org.drools.core.common.DefaultAgenda.fireAllRules(DefaultAgenda.java:1013)
> at org.drools.core.impl.StatefulKnowledgeSessionImpl.internalFireAllRules(StatefulKnowledgeSessionImpl.java:1315)
> at org.drools.core.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:1306)
> at org.drools.core.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:1290)
> at org.drools.compiler.integrationtests.PolymorphismTest.testModifySubclassOverWindow(PolymorphismTest.java:50)
> {code}
[JBoss JIRA] (DROOLS-1501) CCE modifying a polymorphic object over a window
by Mario Fusco (JIRA)
Mario Fusco created DROOLS-1501:
-----------------------------------
Summary: CCE modifying a polymorphic object over a window
Key: DROOLS-1501
URL: https://issues.jboss.org/browse/DROOLS-1501
Project: Drools
Issue Type: Bug
Components: core engine
Reporter: Mario Fusco
Assignee: Mario Fusco
Modifying an object matched in a polymorphic way and using a window like in this test case:
{code}
@Test
public void testModifySubclassOverWindow() {
    // DROOLS-
    String drl = "declare Number @role( event ) end\n" +
                 "declare Integer @role( event ) end\n" +
                 "\n" +
                 "rule R1 no-loop when\n" +
                 " $i: Integer()\n" +
                 "then\n" +
                 " update($i);\n" +
                 "end\n" +
                 "rule R2 when\n" +
                 " $n: Number() over window:length(1)\n" +
                 "then\n" +
                 "end";
    KieSession ksession = new KieHelper().addContent( drl, ResourceType.DRL )
                                         .build( EventProcessingOption.STREAM )
                                         .newKieSession();
    ksession.insert(1);
    ksession.fireAllRules();
}
{code}
causes a CCE like the following:
{code}
java.lang.ClassCastException: org.drools.core.reteoo.WindowNode cannot be cast to org.drools.core.reteoo.BetaNode
at org.drools.core.reteoo.EntryPointNode.removeRightTuplesMatchingOTN(EntryPointNode.java:263)
at org.drools.core.reteoo.EntryPointNode.propagateModify(EntryPointNode.java:253)
at org.drools.core.reteoo.EntryPointNode.propagateModify(EntryPointNode.java:245)
at org.drools.core.phreak.PropagationEntry$Update.execute(PropagationEntry.java:217)
at org.drools.core.phreak.SynchronizedPropagationList.flush(SynchronizedPropagationList.java:93)
at org.drools.core.phreak.SynchronizedPropagationList.flush(SynchronizedPropagationList.java:83)
at org.drools.core.common.DefaultAgenda.flushPropagations(DefaultAgenda.java:1275)
at org.drools.core.phreak.RuleExecutor.fire(RuleExecutor.java:143)
at org.drools.core.phreak.RuleExecutor.evaluateNetworkAndFire(RuleExecutor.java:89)
at org.drools.core.concurrent.AbstractRuleEvaluator.internalEvaluateAndFire(AbstractRuleEvaluator.java:37)
at org.drools.core.concurrent.SequentialRuleEvaluator.evaluateAndFire(SequentialRuleEvaluator.java:43)
at org.drools.core.common.DefaultAgenda.fireLoop(DefaultAgenda.java:1074)
at org.drools.core.common.DefaultAgenda.internalFireAllRules(DefaultAgenda.java:1021)
at org.drools.core.common.DefaultAgenda.fireAllRules(DefaultAgenda.java:1013)
at org.drools.core.impl.StatefulKnowledgeSessionImpl.internalFireAllRules(StatefulKnowledgeSessionImpl.java:1315)
at org.drools.core.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:1306)
at org.drools.core.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:1290)
at org.drools.compiler.integrationtests.PolymorphismTest.testModifySubclassOverWindow(PolymorphismTest.java:50)
{code}
[JBoss JIRA] (LOGMGR-150) Add support for a more generic error handler
by James Perkins (JIRA)
James Perkins created LOGMGR-150:
------------------------------------
Summary: Add support for a more generic error handler
Key: LOGMGR-150
URL: https://issues.jboss.org/browse/LOGMGR-150
Project: JBoss Log Manager
Issue Type: Enhancement
Reporter: James Perkins
There are places, such as in the {{org.jboss.logmanager.LoggerNode}}, where exceptions are swallowed. Handlers use a {{java.util.logging.ErrorHandler}}, but formatters and loggers do not. It would be helpful to have a way to either reuse or create a similar error handler concept for loggers and formatters.