[JBoss JIRA] (WFLY-8908) PicketBoxBasedIdentity.exists() should check if a valid JAAS Subject exists instead of always returning true
by Stefan Guilhen (JIRA)
[ https://issues.jboss.org/browse/WFLY-8908?page=com.atlassian.jira.plugin.... ]
Stefan Guilhen updated WFLY-8908:
---------------------------------
Description:
The RealmIdentity.exists() method should be used to verify if a valid identity exists before an attempt to call other non-authentication methods - e.g. getAuthorizationIdentity() - is made.
The PicketBoxBasedIdentity implementation in the SecurityDomainContextRealm is erroneously returning true when in fact it should be checking if a valid Subject was established as part of a previous JAAS authentication.
The getAuthorizationIdentity() method can then simply throw an Exception if it is called without a valid JAAS Subject in place. Client code should check the result of the exists() method before attempting to get an AuthorizationIdentity so any code invoking getAuthorizationIdentity() without checking first if a valid identity exists should fail.
> PicketBoxBasedIdentity.exists() should check if a valid JAAS Subject exists instead of always returning true
> ------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-8908
> URL: https://issues.jboss.org/browse/WFLY-8908
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Stefan Guilhen
> Assignee: Stefan Guilhen
>
> The RealmIdentity.exists() method should be used to verify if a valid identity exists before an attempt to call other non-authentication methods - e.g. getAuthorizationIdentity() - is made.
> The PicketBoxBasedIdentity implementation in the SecurityDomainContextRealm is erroneously returning true when in fact it should be checking if a valid Subject was established as part of a previous JAAS authentication.
> The getAuthorizationIdentity() method can then simply throw an Exception if it is called without a valid JAAS Subject in place. Client code should check the result of the exists() method before attempting to get an AuthorizationIdentity so any code invoking getAuthorizationIdentity() without checking first if a valid identity exists should fail.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month
[JBoss JIRA] (ELY-1100) Configured set-protocol in Elytron Client configuration file is not used
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-1100?page=com.atlassian.jira.plugin.s... ]
David Lloyd resolved ELY-1100.
------------------------------
Resolution: Rejected
This one was actually a Remoting bug, REM3-270.
> Configured set-protocol in Elytron Client configuration file is not used
> ------------------------------------------------------------------------
>
> Key: ELY-1100
> URL: https://issues.jboss.org/browse/ELY-1100
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Client
> Affects Versions: 1.1.0.Beta34
> Reporter: Ondrej Lukas
> Assignee: David Lloyd
> Priority: Blocker
>
> When some configuration in Elytron Client configuration file uses set-protocol then value of this element is not used for outgoing connection. Elements set-host and set-port are used correctly.
> Following authentication configuration part of wildfly-config.xml should use URL {{remote+http://localhost:9990}} for outgoing connection, but protocol {{remote+http}} from {{set-protocol}} is not used:
> {code}
> <authentication-configurations>
> <configuration name="auth-config">
> <set-user-name name="user"/>
> <set-protocol name="remote+http"/>
> <set-host name="localhost"/>
> <set-port number="9990"/>
> <credentials>
> <clear-password password="password"/>
> </credentials>
> </configuration>
> </authentication-configurations>
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 1 month