[JBoss JIRA] (WFCORE-2614) Elytron SecurityRealm included more times in a SecurityDomain breaks the domain service
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2614?page=com.atlassian.jira.plugi... ]
Darran Lofthouse commented on WFCORE-2614:
------------------------------------------
Discussed with Brian, we do need to add an additional step to verify no duplicates to allow for composite operations.
Additionally we previously added support to verify the default realm is within the list of referenced realms, this should also be in an additional step so both can be added to a dedicated op at the end of Stage.MODEL and verified together.
> Elytron SecurityRealm included more times in a SecurityDomain breaks the domain service
> ---------------------------------------------------------------------------------------
>
> Key: WFCORE-2614
> URL: https://issues.jboss.org/browse/WFCORE-2614
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta12
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: eap71_beta, management-model, security-domain
> Fix For: 3.0.0.Beta13
>
>
> Elytron subsystem allows to add the same realm more times into a single security domain. Nevertheless in such case domain stops to work with following error message:
> {noformat}
> 16:14:17,411 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 54) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("security-domain" => "ManagementDomain")
> ]) - failure description: "WFLYELY00002: Can not inject the same realm 'local' in a single security domain."
> {noformat}
> If such the changed domain is ManagementDomain, then the server stops to start at all.
> *Suggested fix*
> * either allow to have the same realm in a security domain more times
> * or check for duplicate realms already when adding/changing the domain
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 6 months
[JBoss JIRA] (ELY-1049) Coverity, division by zero in KeyStoreCredentialStore (Elytron)
by Ilia Vassilev (JIRA)
[ https://issues.jboss.org/browse/ELY-1049?page=com.atlassian.jira.plugin.s... ]
Ilia Vassilev reassigned ELY-1049:
----------------------------------
Assignee: Ilia Vassilev (was: Darran Lofthouse)
> Coverity, division by zero in KeyStoreCredentialStore (Elytron)
> ---------------------------------------------------------------
>
> Key: ELY-1049
> URL: https://issues.jboss.org/browse/ELY-1049
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Priority: Critical
>
> Coverity found possible division by zero code.
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=12563...
> {code:java|title=KeyStoreCredentialStore.java}
> private byte[] pkcs7Pad(byte[] buffer, int blockSize) {
> int len = buffer.length;
> int toFill = blockSize - (len % blockSize);
> byte[] padded = Arrays.copyOf(buffer, toFill + len);
> Arrays.fill(padded, len, padded.length, (byte) toFill);
> return padded;
> }
> {code}
> blockSize could be 0 as {{encrypt.getBlockSize()}} return 0 if used algorithm is not blocked-based. Although default cyptographic algoritm is block-based {{DEFAULT_CRYPTOGRAPHIC_ALGORITHM = "AES/CBC/NoPadding"}} , this is configurable with {{cryptoAlg}} option and thus non-block-based algorithm can be configured.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 6 months
[JBoss JIRA] (WFCORE-2467) Specify detailed HttpServerAuthenticationMechanismFactory interface contract
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2467?page=com.atlassian.jira.plugi... ]
Martin Choma updated WFCORE-2467:
---------------------------------
Description:
Please specify detailed contract of HttpServerAuthenticationMechanismFactory.
Describe which params are allowed to be null and what happens in that case. Also describe if null return values are allowed from interface methods and when does that could happen.
You can consider {{javax.security.sasl.SaslServerFactory}} as example of detailed contract.
For example:
* Is {{properties}} parameter of {{getMechanismNames()}} allowed to be null?
* is {{getMechanismNames()}} allowed to return null ?
* Are any of {{createAuthenticationMechanism()}} parameters allowed to be null?
** For {{ServerMechanismFactoryImpl}} implementation {{properties}} could not be null - is it general rule?
{code}
java.lang.IllegalArgumentException: Parameter 'properties' may not be null
at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:79)
{code}
** For {{ServerMechanismFactoryImpl}} implementation {{callbackHandler}} could not be null - is it general rule?
{code}
java.lang.IllegalArgumentException: Parameter 'callbackHandler' may not be null
at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:80)
{code}
** For {{ServerMechanismFactoryImpl}} implementation {{mechanismName}} could not be null - is it general rule?
{code}
java.lang.IllegalArgumentException: Parameter 'mechanismName' may not be null
at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:78)
{code}
I would suggest to wrap {{java.lang.IllegalArgumentException}} to HttpAuthenticationException. Otherwise possibility of {{IllegalArgumentException}} should be documented in contract.
Filing as Critical, as this interface is expected to be implemented by custom factories.
was:
Please specify detailed contract of HttpServerAuthenticationMechanismFactory.
Describe which params are allowed to be null and what happens in that case. Also describe if null return values are allowed from interface methods and when does that could happen.
You can consider {{javax.security.sasl.SaslServerFactory}} as example of detailed contract.
For example:
* Is {{properties}} parameter of {{getMechanismNames()}} allowed to be null?
* is {{getMechanismNames()}} allowed to return null ?
* Are any of {{createAuthenticationMechanism()}} parameters allowed to be null?
** For {{ServerMechanismFactoryImpl}} implementation {{properties}} could not be null - is it general rule?
{code}
java.lang.IllegalArgumentException: Parameter 'properties' may not be null
at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:79)
{code}
** For {{ServerMechanismFactoryImpl}} implementation {{callbackHandler}} could not be null - is it general rule?
{code}
java.lang.IllegalArgumentException: Parameter 'callbackHandler' may not be null
at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:80)
{code}
** For {{ServerMechanismFactoryImpl}} implementation {{mechanismName}} could not be null - is it general rule?
{code}
java.lang.IllegalArgumentException: Parameter 'mechanismName' may not be null
at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:78)
{code}
I would suggest to wrap {{java.lang.IllegalArgumentException}} to HttpAuthenticationException. Otherwise possibility of {{IllegalArgumentException}} should be documented in contract.
* Is {{createAuthenticationMechanism()}} allowed to return null?
Filing as Critical, as this interface is expected to be implemented by custom factories.
> Specify detailed HttpServerAuthenticationMechanismFactory interface contract
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2467
> URL: https://issues.jboss.org/browse/WFCORE-2467
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Priority: Critical
>
> Please specify detailed contract of HttpServerAuthenticationMechanismFactory.
> Describe which params are allowed to be null and what happens in that case. Also describe if null return values are allowed from interface methods and when does that could happen.
> You can consider {{javax.security.sasl.SaslServerFactory}} as example of detailed contract.
> For example:
> * Is {{properties}} parameter of {{getMechanismNames()}} allowed to be null?
> * is {{getMechanismNames()}} allowed to return null ?
> * Are any of {{createAuthenticationMechanism()}} parameters allowed to be null?
> ** For {{ServerMechanismFactoryImpl}} implementation {{properties}} could not be null - is it general rule?
> {code}
> java.lang.IllegalArgumentException: Parameter 'properties' may not be null
> at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
> at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
> at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:79)
> {code}
> ** For {{ServerMechanismFactoryImpl}} implementation {{callbackHandler}} could not be null - is it general rule?
> {code}
> java.lang.IllegalArgumentException: Parameter 'callbackHandler' may not be null
> at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
> at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
> at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:80)
> {code}
> ** For {{ServerMechanismFactoryImpl}} implementation {{mechanismName}} could not be null - is it general rule?
> {code}
> java.lang.IllegalArgumentException: Parameter 'mechanismName' may not be null
> at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:69)
> at org.wildfly.common.Assert.checkNotNullParam(Assert.java:47)
> at org.wildfly.security.http.impl.ServerMechanismFactoryImpl.createAuthenticationMechanism(ServerMechanismFactoryImpl.java:78)
> {code}
> I would suggest to wrap {{java.lang.IllegalArgumentException}} to HttpAuthenticationException. Otherwise possibility of {{IllegalArgumentException}} should be documented in contract.
> Filing as Critical, as this interface is expected to be implemented by custom factories.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 6 months
[JBoss JIRA] (WFLY-8490) NO AJP listenening socket when setting IP with -Djboss.bind.address=XX -Djboss.bind.address.management=XX
by Tomaz Cerar (JIRA)
[ https://issues.jboss.org/browse/WFLY-8490?page=com.atlassian.jira.plugin.... ]
Tomaz Cerar closed WFLY-8490.
-----------------------------
Assignee: (was: Thomas Diesler)
Resolution: Rejected
Given that AJP is not configured by default, this would mean you have configured it wrongly when you added it.
In this case you probably used hardcoded address instead of having expression with default as it is used elsewhere
If anything this is something that should be discussed in forums at https://developer.jboss.org/en/wildfly
> NO AJP listenening socket when setting IP with -Djboss.bind.address=XX -Djboss.bind.address.management=XX
> ------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-8490
> URL: https://issues.jboss.org/browse/WFLY-8490
> Project: WildFly
> Issue Type: Bug
> Affects Versions: 10.1.0.Final
> Environment: ubuntu 16.04
> Reporter: Gaétan QUENTIN
>
> When launching WFLY with ./standalone.sh --server-config=standalone-full.xml without bind address parameter, ajplistener is well launch on ip 127.0.0.1
> when binding ip adress , ajp listener disappears:
> ./standalone.sh --server-config=standalone-full.xml -Djboss.bind.address=172.20.12.192 -Djboss.bind.address.management=172.20.12.192&
> nothing is listenting on port 8009
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 6 months
[JBoss JIRA] (ELY-1050) Coverity, derefere null return value in KeyStoreCredentialStore.saveSecretKey
by Ilia Vassilev (JIRA)
[ https://issues.jboss.org/browse/ELY-1050?page=com.atlassian.jira.plugin.s... ]
Ilia Vassilev reassigned ELY-1050:
----------------------------------
Assignee: Ilia Vassilev (was: Darran Lofthouse)
> Coverity, derefere null return value in KeyStoreCredentialStore.saveSecretKey
> -----------------------------------------------------------------------------
>
> Key: ELY-1050
> URL: https://issues.jboss.org/browse/ELY-1050
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Priority: Critical
>
> Coverity found possible null dereference, as {{encrypt.getIV()}} could return null in cases when option {{cryptoAlg}} is configured to some algorithm, which does not use IV.
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=12563...
> {code:java|title=KeyStoreCredentialStore.java}
> private void saveSecretKey(String ksAlias, ObjectOutputStream oos, KeyStore.SecretKeyEntry entry) throws IOException, GeneralSecurityException {
> ByteArrayOutputStream entryData = new ByteArrayOutputStream(1024);
> ObjectOutputStream entryOos = new ObjectOutputStream(entryData);
> entryOos.writeUTF(ksAlias);
> writeBytes(entry.getSecretKey().getEncoded(), entryOos);
> entryOos.flush();
> encrypt.init(Cipher.ENCRYPT_MODE, storageSecretKey);
> int blockSize = encrypt.getBlockSize();
> Assert.checkMaximumParameter("cipher block size", 256, blockSize);
> byte[] padded = pkcs7Pad(entryData.toByteArray(), blockSize);
> byte[] encrypted = encrypt.doFinal(padded);
> byte[] iv = encrypt.getIV();
> oos.writeInt(SECRET_KEY_ENTRY_TYPE);
> writeBytes(encrypted, oos);
> writeBytes(iv, oos);
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 6 months