[JBoss JIRA] (WFLY-8918) EJB run-as identity gets lost if an unsecured ejb in the call stack
by Derek Horton (JIRA)
Derek Horton created WFLY-8918:
----------------------------------
Summary: EJB run-as identity gets lost if an unsecured ejb in the call stack
Key: WFLY-8918
URL: https://issues.jboss.org/browse/WFLY-8918
Project: WildFly
Issue Type: Bug
Components: EJB, Security
Affects Versions: 11.0.0.Alpha1
Reporter: Derek Horton
Assignee: Darran Lofthouse
Attachments: SimpleEAR_EJB3.ear
Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.
An example might look like this:
unsecured web app (RunAs: JBossAdmin) -> unsecured EJB -> secured EJB (RolesAllowed: JBossAdmin)
This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month
[JBoss JIRA] (WFLY-8917) EJB run-as identity gets lost if an unsecured ejb in the call stack
by Derek Horton (JIRA)
[ https://issues.jboss.org/browse/WFLY-8917?page=com.atlassian.jira.plugin.... ]
Derek Horton updated WFLY-8917:
-------------------------------
Attachment: SimpleEAR_EJB3.ear
> EJB run-as identity gets lost if an unsecured ejb in the call stack
> --------------------------------------------------------------------
>
> Key: WFLY-8917
> URL: https://issues.jboss.org/browse/WFLY-8917
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Derek Horton
> Assignee: Darran Lofthouse
> Attachments: SimpleEAR_EJB3.ear
>
>
> Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.
> An example might look like this:
> unsecured web app (RunAs: JBossAdmin) -> unsecured EJB -> secured EJB (RolesAllowed: JBossAdmin)
> This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month
[JBoss JIRA] (WFLY-8917) EJB run-as identity gets lost if an unsecured ejb in the call stack
by Derek Horton (JIRA)
[ https://issues.jboss.org/browse/WFLY-8917?page=com.atlassian.jira.plugin.... ]
Derek Horton updated WFLY-8917:
-------------------------------
Summary: EJB run-as identity gets lost if an unsecured ejb in the call stack (was: EJB run-as identities get lost if an unsecured ejb in the call stack )
> EJB run-as identity gets lost if an unsecured ejb in the call stack
> --------------------------------------------------------------------
>
> Key: WFLY-8917
> URL: https://issues.jboss.org/browse/WFLY-8917
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Derek Horton
> Assignee: Darran Lofthouse
>
> Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.
> An example might look like this:
> unsecured web app (RunAs: JBossAdmin) -> unsecured EJB -> secured EJB (RolesAllowed: JBossAdmin)
> This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month
[JBoss JIRA] (WFLY-8917) EJB run-as identities get lost if an unsecured ejb in the call stack
by Derek Horton (JIRA)
Derek Horton created WFLY-8917:
----------------------------------
Summary: EJB run-as identities get lost if an unsecured ejb in the call stack
Key: WFLY-8917
URL: https://issues.jboss.org/browse/WFLY-8917
Project: WildFly
Issue Type: Bug
Components: EJB, Security
Affects Versions: 11.0.0.Alpha1
Reporter: Derek Horton
Assignee: Darran Lofthouse
Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.
An example might look like this:
unsecured web app (RunAs: JBossAdmin) -> unsecured EJB -> secured EJB (RolesAllowed: JBossAdmin)
This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month
[JBoss JIRA] (ELY-1237) Coverity, Resource leak in SecurityIdentity (Elytron)
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-1237?page=com.atlassian.jira.plugin.s... ]
David Lloyd commented on ELY-1237:
----------------------------------
This is somewhat deceptive, because in this case AutoCloseable is a convenience interface. If success() or fail() are called, this also "closes" the context.
That said, using try-with-resources wherever possible and convenient is probably a good idea. The runAsIdentity cases definitely need to be fixed because they are not calling close() nor success() or fail().
> Coverity, Resource leak in SecurityIdentity (Elytron)
> -----------------------------------------------------
>
> Key: ELY-1237
> URL: https://issues.jboss.org/browse/ELY-1237
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
> Assignee: Ilia Vassilev
> Priority: Critical
>
> Coverity found possible resource leak. On 2 places there is created ServerAuthenticationContext in SecurityIdentity but is not closed.
> {code}
> public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException {
> Assert.checkNotNullParam("principal", principal);
> // rewrite principal
> final SecurityManager sm = System.getSecurityManager();
> if (sm != null) {
> sm.checkPermission(SET_RUN_AS_PERMISSION);
> }
> final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
> try {
> if (! (context.importIdentity(this) && context.authorize(principal, authorize))) {
> throw log.runAsAuthorizationFailed(this.principal, principal, null);
> }
> } catch (RealmUnavailableException e) {
> throw log.runAsAuthorizationFailed(this.principal, context.getAuthenticationPrincipal(), e);
> }
> return context.getAuthorizedIdentity();
> }
> public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException {
> final SecurityManager sm = System.getSecurityManager();
> if (sm != null) {
> sm.checkPermission(SET_RUN_AS_PERMISSION);
> }
> final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY));
> if (! context.authorizeAnonymous(authorize)) {
> throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null);
> }
> return context.getAuthorizedIdentity();
> }
> {code}
> In SecurityDomainTrustManager newly created ServerAuthenticationContext is closed in try-with-resource
> {code}
> try (final ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(mechanismConfigurationSelector)) {
> {code}
> https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=22525...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month
[JBoss JIRA] (WFLY-3887) UnsupportedClassVersionError is thrown while adding user.
by Cristiano burgo (JIRA)
[ https://issues.jboss.org/browse/WFLY-3887?page=com.atlassian.jira.plugin.... ]
Cristiano burgo commented on WFLY-3887:
---------------------------------------
The solution is to set the JAVA variable statically into the add-user.bat at the beginning:
set "JAVA_HOME=C:\Program Files\Java\jdk1.8.0_121"
set "JBOSS_HOME=C:\WILDFLY\wildfly-10.1.0.Final"
Consider that the java 8 installation now belong to file hard-linking and so the coesistnece of multiple JAVA verison on a windows 10 system must be carefully implemented.
> UnsupportedClassVersionError is thrown while adding user.
> ---------------------------------------------------------
>
> Key: WFLY-3887
> URL: https://issues.jboss.org/browse/WFLY-3887
> Project: WildFly
> Issue Type: Bug
> Components: Domain Management, Security
> Affects Versions: 8.1.0.Final, 9.0.0.Alpha1
> Environment: Windows Server 2008
> Java 8u20
> Reporter: shinzey shinzey
> Assignee: Darran Lofthouse
> Labels: domain, security
> Fix For: 8.1.0.Final
>
>
> The server can be successfully started, but I'm unable to manage it because running add-user.bat immediately fails with the following error:
> Exception in thread "main" java.lang.UnsupportedClassVersionError: org/jboss/as/domain/management/security/adduser/AddUser : Unsupported major.minor version 51.0
> at java.lang.ClassLoader.defineClass1(Native Method)
> at java.lang.ClassLoader.defineClassCond(ClassLoader.java:631)
> at java.lang.ClassLoader.defineClass(ClassLoader.java:615)
> at org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:361)
> at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:482)
> at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:277)
> at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:92)
> at org.jboss.modules.Module.loadModuleClass(Module.java:568)
> at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:205)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:459)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:447)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:414)
> at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:389)
> at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:134)
> at java.lang.Class.forName0(Native Method)
> at java.lang.Class.forName(Class.java:247)
> at org.jboss.modules.Module.run(Module.java:300)
> at org.jboss.modules.Main.main(Main.java:460)
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month
[JBoss JIRA] (WFLY-8916) Unexpected update of configuration file standalone.xml if an archive is dropped to deployments folder
by Wolf-Dieter Fink (JIRA)
Wolf-Dieter Fink created WFLY-8916:
--------------------------------------
Summary: Unexpected update of configuration file standalone.xml if an archive is dropped to deployments folder
Key: WFLY-8916
URL: https://issues.jboss.org/browse/WFLY-8916
Project: WildFly
Issue Type: Bug
Affects Versions: 11.0.0.Alpha1
Reporter: Wolf-Dieter Fink
Assignee: Jason Greene
Priority: Minor
It is not expected that the standalone.xml is written and versions or other content is updated.
e.g. the top level element
<server xmlns="urn:jboss:domain:x.y">
It is expected that the standalone configuration is updated with the latest namespace versions, or other changes, if the configuration needs to be persisted.
But for any unmanged deployment it is not expected and not necessary to update the configuration file.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month
[JBoss JIRA] (ELY-53) GSSAPI Make Delegated Credential Available
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-53?page=com.atlassian.jira.plugin.sys... ]
David Lloyd reassigned ELY-53:
------------------------------
Assignee: David Lloyd (was: Darran Lofthouse)
> GSSAPI Make Delegated Credential Available
> ------------------------------------------
>
> Key: ELY-53
> URL: https://issues.jboss.org/browse/ELY-53
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: SASL
> Reporter: Darran Lofthouse
> Assignee: David Lloyd
> Fix For: 1.1.0.Beta54
>
>
> The server side of the mechanism can receive a delegated credential but there is no way to obtain it, we should provide a way for it to be obtained or provided.
> _Note: This may be an Elytron integration point rather than something supported in the pure SASL mechanism._
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month