[JBoss JIRA] (ELY-1070) Elytron, WWW-Authenticate Negotiate header is send although SPNEGO is misconfigured
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1070?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse commented on ELY-1070:
---------------------------------------
I can't quite reproduce this one but I can see a location where the mechanism should be throwing an exception if it can not obtain a server identity.
> Elytron, WWW-Authenticate Negotiate header is send although SPNEGO is misconfigured
> -----------------------------------------------------------------------------------
>
> Key: ELY-1070
> URL: https://issues.jboss.org/browse/ELY-1070
> Project: WildFly Elytron
> Issue Type: Bug
> Components: HTTP
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: kerberos
> Attachments: kerberos_http_interface.pcap
>
>
> If SPNEGO is misconfigured Negotiate header is still send back to client, although SPNEGO can't be used.
> {code}
> 13:19:20,861 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost.localdomain' protocol='http'
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling AvailableRealmsCallback: realms = [fileSystemFallbackRealm]
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost.localdomain' protocol='http'
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost.localdomain', protocol='http'.
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='DIGEST' host-name='localhost.localdomain' protocol='http'
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='DIGEST', hostName='localhost.localdomain', protocol='http'.
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='localhost.localdomain' protocol='http'
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='FORM', hostName='localhost.localdomain', protocol='http'.
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) Evaluating SPNEGO request: cached GSSContext = null
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) Obtaining GSSCredential for the service from callback handler...
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) No valid cached credential, obtaining new one...
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
> ]
> 13:19:20,863 INFO [stdout] (management task-6) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab refreshKrb5Config is false principal is HTTP/wronghost(a)JBOSS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 13:19:20,863 INFO [stdout] (management task-6) principal is HTTP/wronghost(a)JBOSS.ORG
> 13:19:20,863 INFO [stdout] (management task-6) Will use keytab
> 13:19:20,863 INFO [stdout] (management task-6) Commit Succeeded
> 13:19:20,863 INFO [stdout] (management task-6)
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
> Principal: HTTP/wronghost(a)JBOSS.ORG
> Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab for HTTP/wronghost(a)JBOSS.ORG
> ] succeed
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Creating GSSName for Principal 'HTTP/wronghost(a)JBOSS.ORG'
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@1f]
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost(a)JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@4133c756]
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching GSSContext sun.security.jgss.GSSContextImpl@3adbbdae
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching KerberosTicket null
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Sent HTTP authorizations: [null]
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Request lacks valid authentication credentials
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='localhost.localdomain' protocol='http'
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='BEARER_TOKEN', hostName='localhost.localdomain', protocol='http'.
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (WFCORE-2457) Insufficient failure-description for filters of Elytron configurable-sasl-server-factory
by Yeray Borges (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2457?page=com.atlassian.jira.plugi... ]
Yeray Borges reassigned WFCORE-2457:
------------------------------------
Assignee: Yeray Borges (was: Darran Lofthouse)
> Insufficient failure-description for filters of Elytron configurable-sasl-server-factory
> ----------------------------------------------------------------------------------------
>
> Key: WFCORE-2457
> URL: https://issues.jboss.org/browse/WFCORE-2457
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Yeray Borges
> Labels: user_experience
>
> In case when both {{pattern-filter}} and {{predefined-filter}} are set in one Object in CLI command for {{filters}} of Elytron {{configurable-sasl-server-factory}} then it finishes with insufficient failure-description:
> {code}
> /subsystem=elytron/configurable-sasl-server-factory=someFactory:add(sasl-server-factory=global,filters=[{pattern-filter=(.*),predefined-filter=BINDING}])
> {
> "outcome" => "failed",
> "failure-description" => "WFLYELY01014: Invalid [filters] definition.",
> "rolled-back" => true
> }
> {code}
> This failure-description is not wrong but it is also not helpful. Improve failure-description to say that only one of {{pattern-filter}} and {{predefined-filter}} can be set in one Object in list of filters.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (WFLY-2387) CDI injection in entity listeners failing
by Scott Marlow (JIRA)
[ https://issues.jboss.org/browse/WFLY-2387?page=com.atlassian.jira.plugin.... ]
Scott Marlow commented on WFLY-2387:
------------------------------------
Thanks for the update [~tisoft], I'll see if I can recreate with [https://github.com/wildfly/wildfly/tree/master/testsuite/integration/basi...]. We may need a new WFLY jira if this is a bug.
> CDI injection in entity listeners failing
> -----------------------------------------
>
> Key: WFLY-2387
> URL: https://issues.jboss.org/browse/WFLY-2387
> Project: WildFly
> Issue Type: Bug
> Components: CDI / Weld, Class Loading, JPA / Hibernate
> Affects Versions: 8.0.0.Beta1
> Reporter: Emond Papegaaij
> Assignee: Scott Marlow
> Fix For: 11.0.0.Alpha1
>
> Attachments: TEST-org.jboss.as.test.integration.ee.injection.support.jpa.EntityListenerInjectionSupportTestCase.xml
>
>
> When trying to use CDI injection in JPA entity listeners, deployment fails with the following exception:
> {code}
> 16:16:37,448 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 15) MSC000001: Failed to start service jboss.persistenceunit."inject-ear.ear#primary": org.jboss.msc.service.StartException in service jboss.persistenceunit."inject-ear.ear#primary": java.lang.IllegalStateException: JBAS016071: Singleton not set for org.hibernate.boot.registry.classloading.internal.ClassLoaderServiceImpl$AggregatedClassLoader@4eeb95dc. This means that you are trying to access a weld deployment with a Thread Context ClassLoader that is not associated with the deployment.
> at org.jboss.as.jpa.service.PersistenceUnitServiceImpl$1$1.run(PersistenceUnitServiceImpl.java:169)
> at org.jboss.as.jpa.service.PersistenceUnitServiceImpl$1$1.run(PersistenceUnitServiceImpl.java:117)
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_25]
> at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:463) [wildfly-security-manager-1.0.0.Beta3.jar:1.0.0.Beta3]
> at org.jboss.as.jpa.service.PersistenceUnitServiceImpl$1.run(PersistenceUnitServiceImpl.java:178)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_25]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_25]
> at java.lang.Thread.run(Thread.java:724) [rt.jar:1.7.0_25]
> at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final.jar:2.1.1.Final]
> Caused by: java.lang.IllegalStateException: JBAS016071: Singleton not set for org.hibernate.boot.registry.classloading.internal.ClassLoaderServiceImpl$AggregatedClassLoader@4eeb95dc. This means that you are trying to access a weld deployment with a Thread Context ClassLoader that is not associated with the deployment.
> at org.jboss.as.weld.services.ModuleGroupSingletonProvider$TCCLSingleton.get(ModuleGroupSingletonProvider.java:75)
> at org.jboss.as.weld.services.ModuleGroupSingletonProvider$TCCLSingleton.get(ModuleGroupSingletonProvider.java:128)
> at org.jboss.weld.Container.instance(Container.java:65)
> at org.jboss.weld.manager.BeanManagerImpl.getBeans(BeanManagerImpl.java:563)
> at org.jboss.weld.injection.FieldInjectionPoint.inject(FieldInjectionPoint.java:90)
> at org.jboss.weld.util.Beans.injectBoundFields(Beans.java:358)
> at org.jboss.weld.util.Beans.injectFieldsAndInitializers(Beans.java:369)
> at org.jboss.weld.injection.producer.DefaultInjector.inject(DefaultInjector.java:72)
> at org.jboss.weld.injection.producer.ResourceInjector.inject(ResourceInjector.java:60)
> at org.jboss.weld.injection.producer.DefaultInjector$1.proceed(DefaultInjector.java:66)
> at org.jboss.weld.injection.InjectionContextImpl.run(InjectionContextImpl.java:48)
> at org.jboss.weld.injection.producer.DefaultInjector.inject(DefaultInjector.java:64)
> at org.jboss.weld.injection.producer.BasicInjectionTarget.inject(BasicInjectionTarget.java:90)
> at org.hibernate.jpa.event.internal.jpa.BeanManagerListenerFactory$BeanMetaData.<init>(BeanManagerListenerFactory.java:82)
> at org.hibernate.jpa.event.internal.jpa.BeanManagerListenerFactory$BeanMetaData.<init>(BeanManagerListenerFactory.java:71)
> at org.hibernate.jpa.event.internal.jpa.BeanManagerListenerFactory.buildListener(BeanManagerListenerFactory.java:57)
> at org.hibernate.jpa.event.internal.jpa.LegacyCallbackProcessor.resolveCallbacks(LegacyCallbackProcessor.java:168)
> at org.hibernate.jpa.event.internal.jpa.LegacyCallbackProcessor.processCallbacksForEntity(LegacyCallbackProcessor.java:71)
> at org.hibernate.jpa.event.spi.JpaIntegrator.integrate(JpaIntegrator.java:150)
> at org.hibernate.internal.SessionFactoryImpl.<init>(SessionFactoryImpl.java:310)
> at org.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:1837)
> at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl$4.perform(EntityManagerFactoryBuilderImpl.java:854)
> at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl$4.perform(EntityManagerFactoryBuilderImpl.java:847)
> at org.hibernate.boot.registry.classloading.internal.ClassLoaderServiceImpl.withTccl(ClassLoaderServiceImpl.java:396)
> at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:846)
> at org.jboss.as.jpa.hibernate4.TwoPhaseBootstrapImpl.build(TwoPhaseBootstrapImpl.java:44)
> at org.jboss.as.jpa.service.PersistenceUnitServiceImpl$1$1.run(PersistenceUnitServiceImpl.java:151)
> ... 8 more
> {code}
> I've created a small showcase of the problem: https://github.com/papegaaij/listener-injection
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (ELY-1072) Add a way to acquire the domain for an identity
by David Lloyd (JIRA)
David Lloyd created ELY-1072:
--------------------------------
Summary: Add a way to acquire the domain for an identity
Key: ELY-1072
URL: https://issues.jboss.org/browse/ELY-1072
Project: WildFly Elytron
Issue Type: Enhancement
Components: API / SPI
Reporter: David Lloyd
Assignee: David Lloyd
Fix For: 1.1.0.Beta36
Add a way to get the domain for an identity. The rationale is, users can already acquire the current security domain via a global context-sensitive method, if they have the appropriate SM permission.
The method could be on SecurityDomain in order to keep it local to the getCurrent() method as its behavior and security requirements are similar.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months