[JBoss JIRA] (WFCORE-2905) Server-identity/secret integration with credential reference is not correct.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2905?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet reassigned WFCORE-2905:
-----------------------------------------
Assignee: ehsavoie Hugonnet (was: Darran Lofthouse)
> Server-identity/secret integration with credential reference is not correct.
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2905
> URL: https://issues.jboss.org/browse/WFCORE-2905
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: ehsavoie Hugonnet
> Priority: Blocker
>
> Server-identity/secret integration with credential reference is not correct.
> When server-identity/secret is set to use a password obtained from the credential-store, there is a problem with it.
> I observe that SecretIdentityService expects the password as a constructor argument [1][2] and afterwards the password is resolved from the credential-store. But it fails because the regular password isn't defined and it is used as a method argument [3].
> *Server log*
> {code:collapse}
> [Host Controller] 12:27:48,205 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service org.wildfly.core.management.security.realm.ManagementRealm.secret: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.ManagementRealm.secret: Failed to start service
> [Host Controller] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
> [Host Controller] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> [Host Controller] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> [Host Controller] at java.lang.Thread.run(Thread.java:745)
> [Host Controller] Caused by: java.lang.IllegalArgumentException: Last unit does not have enough valid bits
> [Host Controller] at java.util.Base64$Decoder.decode0(Base64.java:734)
> [Host Controller] at java.util.Base64$Decoder.decode(Base64.java:526)
> [Host Controller] at java.util.Base64$Decoder.decode(Base64.java:549)
> [Host Controller] at org.jboss.as.domain.management.security.SecretIdentityService.start(SecretIdentityService.java:77)
> [Host Controller] at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
> [Host Controller] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
> [Host Controller] ... 3 more
> {code}
> [1] https://github.com/wildfly/wildfly-core/blob/3.0.0.Beta22/domain-manageme...
> [2] https://github.com/wildfly/wildfly-core/blob/3.0.0.Beta22/domain-manageme...
> [3] https://github.com/wildfly/wildfly-core/blob/3.0.0.Beta22/domain-manageme...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
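A model of the start-up ordering problem the report describes, added here as an illustration (not WildFly's SecretIdentityService code): one routine decodes the Base64 `value` before consulting the credential reference and fails exactly when the resource was configured with a credential-reference, the other decides the source first. The credential store is an in-memory dict and the non-Base64 string form of an undefined `value` is an assumption of the model.

```python
import base64
import binascii
from typing import Callable, Optional

# Constructed stand-in for a credential store (alias -> secret bytes);
# a real deployment resolves the alias through a CredentialStore.
FAKE_STORE = {"realm-secret": b"pass123"}


class SecretResolutionError(Exception):
    """Clear start-up failure instead of a raw Base64 stack trace."""


def resolve_reference(ref: dict) -> bytes:
    """Resolve a credential-reference object: either clear-text or store+alias."""
    if ref.get("clear-text") is not None:
        return ref["clear-text"].encode()
    if ref.get("store") is None or ref.get("alias") is None:
        raise SecretResolutionError("credential-reference needs clear-text or store+alias")
    try:
        return FAKE_STORE[ref["alias"]]
    except KeyError:
        raise SecretResolutionError(
            f"alias {ref['alias']!r} not in store {ref['store']!r}") from None


def decode_value(value: str) -> bytes:
    """The 'value' attribute is documented as Base64; decode it strictly."""
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise SecretResolutionError(f"'value' is not valid Base64: {exc}") from exc


def start_reported_order(value: str, ref: Optional[dict]) -> bytes:
    """Order the report describes: start() decodes the constructor-supplied
    'value' first and only then resolves the credential reference. With a
    credential-reference configuration 'value' is undefined; this model
    assumes its string form is not valid Base64, so the decode fails before
    the store is ever consulted."""
    password = decode_value(value)
    if ref is not None:
        password = resolve_reference(ref)
    return password


def start_fixed_order(value: Optional[str], ref: Optional[dict]) -> bytes:
    """Pick the source first (exactly one of the two alternatives is set)
    and touch Base64 only when 'value' is that source."""
    if (value is None) == (ref is None):
        raise SecretResolutionError(
            "exactly one of 'value' or 'credential-reference' must be set")
    return resolve_reference(ref) if ref is not None else decode_value(value)


def service_outcome(start: Callable[..., bytes], value: Optional[str],
                    ref: Optional[dict]) -> str:
    """Run a start routine and report 'started' or the failure text."""
    try:
        start(value, ref)
        return "started"
    except SecretResolutionError as exc:
        return f"failed: {exc}"
```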
[JBoss JIRA] (WFCORE-2904) management/security-realm/authentication/users has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2904?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet commented on WFCORE-2904:
-------------------------------------------
Using a batch is working properly:
{code}
[standalone@localhost:9990 /] batch
[standalone@localhost:9990 / #] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:undefine-attribute(name=password)
[standalone@localhost:9990 / #] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:write-attribute(name=credential-reference, value={clear-text=password123})
[standalone@localhost:9990 / #] run-batch
The batch executed successfully
process-state: reload-required
{code}
> management/security-realm/authentication/users has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2904
> URL: https://issues.jboss.org/browse/WFCORE-2904
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> management/security-realm/authentication/users has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> "Value" and credential-reference are mutually exclusive and one of them must be set.
> *There must be a way to update an existing management/security-realm/authentication/users resource to change "value" to credential-reference and vice versa.*
> *Scenario*
> Prerequisites
> {code:collapse}
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=properties:remove()
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users:add()
> {code}
> Add new user with password
> {code}
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:add(password=testpassword)
> {"outcome" => "success"}
> {code}
> Change password to credential-reference
> {code}
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:undefine-attribute(name=password)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0172: password is required",
> "rolled-back" => true
> }
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users/user=pepa:write-attribute(name=credential-reference, value={clear-text=password123})
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0105: password is invalid in combination with credential-reference",
> "rolled-back" => true
> }
> {code}
> *read-resource-description*
> {code:collapse}
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users:read-resource-description
> {
> "outcome" => "success",
> "result" => {
> "description" => "Configuration to use a list users stored directly within the standalone.xml or host.xml configuration file as the user repository.",
> "deprecated" => {
> "since" => "1.7.0",
> "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
> },
> "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
> "attributes" => {},
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {"user" => {
> "description" => "An authorized user.",
> "model-description" => undefined
> }}
> }
> }
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/authentication=users:read-resource-description(recursive=true)
> {
> "outcome" => "success",
> "result" => {
> "description" => "Configuration to use a list users stored directly within the standalone.xml or host.xml configuration file as the user repository.",
> "deprecated" => {
> "since" => "1.7.0",
> "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
> },
> "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
> "attributes" => {},
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {"user" => {
> "description" => "An authorized user.",
> "model-description" => {"*" => {
> "description" => "An authorized user.",
> "deprecated" => {
> "since" => "1.7.0",
> "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
> },
> "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
> "attributes" => {
> "credential-reference" => {
> "type" => OBJECT,
> "description" => "The reference to credential for the password stored in CredentialStore under defined alias or clear text password.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["value"],
> "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
> "value-type" => {
> "store" => {
> "type" => STRING,
> "description" => "The name of the credential store holding the alias to credential.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["clear-text"],
> "requires" => ["alias"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "alias" => {
> "type" => STRING,
> "description" => "The alias which denotes stored secret or credential in the store.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "requires" => ["store"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "type" => {
> "type" => STRING,
> "description" => "The type of credential this reference is denoting.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "clear-text" => {
> "type" => STRING,
> "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["store"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "password" => {
> "type" => STRING,
> "description" => "The user's password.",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => true,
> "alternatives" => ["credential-reference"],
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> }
> },
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {}
> }}
> }}
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2906) Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2906?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet reassigned WFCORE-2906:
-----------------------------------------
Assignee: ehsavoie Hugonnet (was: Darran Lofthouse)
> Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2906
> URL: https://issues.jboss.org/browse/WFCORE-2906
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: ehsavoie Hugonnet
> Priority: Blocker
>
> Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
> "Value" and credential-reference are mutually exclusive and one of them must be set.
> *There must be a way to update an existing server-identity/secret resource to change "value" to credential-reference and vice versa.*
> *User is not able to do something like that:*
> {code}
> /core-service=management/security-realm=ManagementRealm/server-identity=secret:write-attribute(name=credential-reference, value={clear-text=pass123})
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0105: credential-reference is invalid in combination with value",
> "rolled-back" => true
> }
> [standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/server-identity=secret:undefine-attribute(name=value)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0172: value is required",
> "rolled-back" => true
> }
> {code}
> *resource-description*
> {code:collapse}
> [domain@localhost:9990 /] /host=master/core-service=management/security-realm=ManagementRealm/server-identity=secret:read-resource-description
> {
> "outcome" => "success",
> "result" => {
> "description" => "Configuration of the secret/password-based identity of a server or host controller.",
> "deprecated" => {
> "since" => "1.7.0",
> "reason" => "The security-realm configuration is deprecated and may be removed or moved in future versions."
> },
> "access-constraints" => {"sensitive" => {"security-realm" => {"type" => "core"}}},
> "attributes" => {
> "credential-reference" => {
> "type" => OBJECT,
> "description" => "The reference to credential for the secret / password stored in CredentialStore under defined alias or clear text password.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["value"],
> "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
> "value-type" => {
> "store" => {
> "type" => STRING,
> "description" => "The name of the credential store holding the alias to credential.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["clear-text"],
> "requires" => ["alias"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "alias" => {
> "type" => STRING,
> "description" => "The alias which denotes stored secret or credential in the store.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "requires" => ["store"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "type" => {
> "type" => STRING,
> "description" => "The type of credential this reference is denoting.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "clear-text" => {
> "type" => STRING,
> "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
> "expressions-allowed" => true,
> "required" => false,
> "nillable" => true,
> "alternatives" => ["store"],
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "value" => {
> "type" => STRING,
> "description" => "The secret / password - Base64 Encoded.",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => true,
> "alternatives" => ["credential-reference"],
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> }
> },
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {}
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2906) Server-identity/secret has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2906?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet commented on WFCORE-2906:
-------------------------------------------
Using a batch is working properly:
{code}
[standalone@localhost:9990 /] batch
[standalone@localhost:9990 / #] /core-service=management/security-realm=ManagementRealm/server-identity=secret:undefine-attribute(name=value)
[standalone@localhost:9990 / #] /core-service=management/security-realm=ManagementRealm/server-identity=secret:write-attribute(name=credential-reference, value={clear-text=pass123})
[standalone@localhost:9990 / #] run-batch
The batch executed successfully
process-state: reload-required
[standalone@localhost:9990 /] /core-service=management/security-realm=ManagementRealm/server-identity=secret:read-resource
{
"outcome" => "success",
"result" => {
"credential-reference" => {"clear-text" => "pass123"},
"value" => undefined
},
"response-headers" => {"process-state" => "reload-required"}
}
[standalone@localhost:9990 /]
{code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
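A model of the "required" plus "alternatives" validation behind both WFCORE-2904 and WFCORE-2906, added here as an illustration (not WildFly's controller code): each single write-attribute or undefine-attribute step is validated on its own and fails with the WFLYCTL0105 or WFLYCTL0172 message quoted in the issues, while a batch applies both steps and validates the final state once. The attribute constraints are those shown by read-resource-description for server-identity=secret; the outcome map shape mirrors the CLI transcript.

```python
from typing import Any, Callable, Dict, List, Optional, Tuple

Model = Dict[str, Optional[Any]]

# Constraints as shown by read-resource-description in the issue: 'value' is
# required=true and each attribute lists the other as its alternative.
ATTRIBUTES = {
    "value": {"required": True, "alternatives": ["credential-reference"]},
    "credential-reference": {"required": False, "alternatives": ["value"]},
}


class OperationFailed(Exception):
    """Carries the failure-description the CLI would print."""


def validate(model: Model, first: str) -> None:
    """Check the whole resource, starting with the attribute just touched.
    A required attribute may be undefined only if an alternative is defined,
    and two alternatives may never be defined together."""
    order = [first] + [n for n in ATTRIBUTES if n != first]
    for name in order:
        spec = ATTRIBUTES[name]
        defined = model.get(name) is not None
        alts = [a for a in spec["alternatives"] if model.get(a) is not None]
        if defined and alts:
            raise OperationFailed(
                f"WFLYCTL0105: {name} is invalid in combination with {alts[0]}")
        if spec["required"] and not defined and not alts:
            raise OperationFailed(f"WFLYCTL0172: {name} is required")


def write_attribute(model: Model, name: str, value: Any) -> Model:
    """Single-step write: the new state is validated immediately."""
    new = dict(model)
    new[name] = value
    validate(new, name)
    return new


def undefine_attribute(model: Model, name: str) -> Model:
    """Single-step undefine, modelled as writing an undefined value."""
    return write_attribute(model, name, None)


Step = Tuple[str, str, Any]  # (operation, attribute, value)


def run_batch(model: Model, steps: List[Step]) -> Model:
    """Apply every step to a copy and validate the final state once; this is
    why undefine + write succeeds as a batch although each step alone fails
    (modelled on the behaviour shown in the issue, not the controller code)."""
    new = dict(model)
    for op, name, value in steps:
        new[name] = None if op == "undefine-attribute" else value
    validate(new, steps[-1][1])
    return new


def outcome(fn: Callable[..., Model], *args: Any) -> Dict[str, Any]:
    """Mimic the CLI's result map so runs read like the issue's transcript."""
    try:
        return {"outcome": "success", "result": fn(*args)}
    except OperationFailed as exc:
        return {"outcome": "failed", "failure-description": str(exc),
                "rolled-back": True}
```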
[JBoss JIRA] (WFCORE-2904) management/security-realm/authentication/users has required "value" attribute, but there is now credential-reference too and there is no way how to update existing resource to use another option.
by ehsavoie Hugonnet (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2904?page=com.atlassian.jira.plugi... ]
ehsavoie Hugonnet reassigned WFCORE-2904:
-----------------------------------------
Assignee: ehsavoie Hugonnet (was: Darran Lofthouse)
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2907) Regression, Unable to create TLS in FIPS mode
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2907?page=com.atlassian.jira.plugi... ]
Darran Lofthouse updated WFCORE-2907:
-------------------------------------
Fix Version/s: 3.0.0.Beta24
> Regression, Unable to create TLS in FIPS mode
> ---------------------------------------------
>
> Key: WFCORE-2907
> URL: https://issues.jboss.org/browse/WFCORE-2907
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta23
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Blocker
> Labels: eap7.1-rfe-failure
> Fix For: 3.0.0.Beta24
>
>
> DelegatingKeyManager [1] was introduced in DR19 and is used by default. That breaks FIPS TLS on Oracle/OpenJDK Java, because only JSSE key managers are permitted in FIPS mode [2].
> {code:java|title=SSLContextImpl.java}
> // In FIPS mode, require that one of SunJSSE's own keymanagers
> // is used. Otherwise, we cannot be sure that only keys from
> // the FIPS token are used.
> if ((km instanceof X509KeyManagerImpl) || (km instanceof SunX509KeyManagerImpl)) {
> return (X509ExtendedKeyManager)km;
> } else {
> // throw exception, we don't want to silently use the
> // dummy keymanager without telling the user.
> throw new KeyManagementException ("FIPS mode: only SunJSSE KeyManagers may be used");
> }
> {code}
> Note: in my opinion it will not be enough to restrict the reload operation to file-based keystores only. From my point of view, reload would also be a valid operation on a PKCS11 module.
> But more importantly, there also exists a file-based FIPS keystore type - BCFKS (Bouncy Castle FIPS).
> [1] https://github.com/wildfly/wildfly-core/commit/de41fa268cca32cebb13e21d85...
> [2] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8u...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2907) Regression, Unable to create TLS in FIPS mode
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2907?page=com.atlassian.jira.plugi... ]
Darran Lofthouse moved JBEAP-11310 to WFCORE-2907:
--------------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-2907 (was: JBEAP-11310)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta23
(was: 7.1.0.DR19)
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (DROOLS-1594) Remove MiscTest test class
by Tibor Zimányi (JIRA)
Tibor Zimányi created DROOLS-1594:
-------------------------------------
Summary: Remove MiscTest test class
Key: DROOLS-1594
URL: https://issues.jboss.org/browse/DROOLS-1594
Project: Drools
Issue Type: Task
Affects Versions: 7.1.0.Final
Reporter: Tibor Zimányi
Assignee: Tibor Zimányi
Priority: Minor
The MiscTest class has grown into a huge class with more than 10000 lines. It is not a good habit to put tests into one such class. They should be categorized into appropriate smaller classes.
I will provide a PR for this.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFLY-8868) per application Expressions
by Juergen Weber (JIRA)
[ https://issues.jboss.org/browse/WFLY-8868?page=com.atlassian.jira.plugin.... ]
Juergen Weber commented on WFLY-8868:
-------------------------------------
META-INF/jboss.properties is an interesting mechanism, but it still requires individual patching of an ear or deployment overlays (which only work via the CLI).
Concerning ease of deployment it makes no difference whether I write the queue name into ear/ejb/ejb-jar.xml/<activation-config-property-value>
or into ear/META-INF/jboss.properties; for both I have to patch the application on deployment.
An alternative to my suggested <application-properties>
would be a jboss-application.properties in the server config dir with entries like
myMDB_DEV_QUEUE_1.ear.queuename=DEV_QUEUE_1
which should resolve via
<activation-config-property-value>${this:queuename}
> per application Expressions
> ---------------------------
>
> Key: WFLY-8868
> URL: https://issues.jboss.org/browse/WFLY-8868
> Project: WildFly
> Issue Type: Feature Request
> Reporter: Juergen Weber
> Assignee: Jason Greene
>
> WildFly supports expression substitution in descriptors [1]. These expressions are server-global.
> This should be enhanced to support application-scoped expressions:
> ${this:aProperty}
> It would be especially useful for Message Driven Beans, as an ActivationConfigProperty can only be set in a descriptor or via an annotation, but not in application code, so ActivationConfigProperties are effectively fixed.
> Then you could deploy the same Message Driven Bean multiple times under different names:
> myMDB1.ear
> myMDB2.ear
> having
> <activation-config-property-value>${this:queuename}</activation-config-property-value>
> and define
> <application-properties>
> <application name="myMDB_DEV_QUEUE_1.ear">
> <property name="queuename" value="DEV_QUEUE_1"/>
> </application>
> <application name="myMDB_DEV_QUEUE_2.ear">
> <property name="queuename" value="DEV_QUEUE_2"/>
> </application>
> </application-properties>
> whereas for production the queuename properties would be different.
> [1] https://docs.jboss.org/author/display/WFLY10/Expressions
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
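A sketch of how the jboss-application.properties variant proposed in the comment could resolve `${this:queuename}` per deployment, added here as an illustration (not a WildFly feature or its code): the properties text and descriptor fragment are constructed, keys are split at the last dot so `myMDB_DEV_QUEUE_1.ear` keeps its suffix (which assumes property names contain no dots), and an unresolvable expression fails instead of deploying with an empty queue name.

```python
import re
from typing import Dict

# Constructed jboss-application.properties in the format the comment proposes:
# <deployment name>.<property>=<value>
APPLICATION_PROPERTIES = """\
# per-deployment values: same ear archive, different queue per deployment name
myMDB_DEV_QUEUE_1.ear.queuename=DEV_QUEUE_1
myMDB_DEV_QUEUE_2.ear.queuename=DEV_QUEUE_2
"""

# Descriptor fragment using the proposed application-scoped expression.
EJB_JAR_FRAGMENT = (
    "<activation-config-property-value>${this:queuename}"
    "</activation-config-property-value>"
)

THIS_EXPR = re.compile(r"\$\{this:([A-Za-z0-9_.-]+)\}")


def parse_application_properties(text: str) -> Dict[str, Dict[str, str]]:
    """Build {deployment name: {property: value}}. The deployment name runs up
    to the last '.', so 'foo.ear' keeps its suffix; property names therefore
    cannot contain dots in this scheme (an assumption of the sketch)."""
    props: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        deployment, dot, prop = key.strip().rpartition(".")
        if not dot:
            raise ValueError(f"key must be <deployment>.<property>: {key!r}")
        props.setdefault(deployment, {})[prop] = value.strip()
    return props


def resolve_this(descriptor: str, deployment: str,
                 props: Dict[str, Dict[str, str]]) -> str:
    """Replace every ${this:name} with the value scoped to this deployment.
    Unresolvable expressions raise rather than silently yielding ''."""
    scope = props.get(deployment, {})

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in scope:
            raise KeyError(f"${{this:{name}}} has no value for deployment {deployment!r}")
        return scope[name]

    return THIS_EXPR.sub(substitute, descriptor)


def resolve_or_error(descriptor: str, deployment: str,
                     props: Dict[str, Dict[str, str]]) -> str:
    """Convenience wrapper returning the error text instead of raising."""
    try:
        return resolve_this(descriptor, deployment, props)
    except KeyError as exc:
        return f"error: {exc.args[0]}"
```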