[JBoss JIRA] (WFCORE-2414) Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2414?page=com.atlassian.jira.plugi... ]
Darran Lofthouse reassigned WFCORE-2414:
----------------------------------------
Assignee: (was: Darran Lofthouse)
> Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount
> -------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2414
> URL: https://issues.jboss.org/browse/WFCORE-2414
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
>
> Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity.
> https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=86223...
> Please resolve this inconsistent situation.
> Per dev feedback, SecurityIdentity can't be made Serializable. A rework to remove SecurityIdentity from ElytronAccount was suggested.
> {code:title=hipchat.log}
> [3:23 PM] Martin Choma: Shouldn't SecurityIdentity be Serializable? - because of HttpSession replication?
> [3:23 PM] Darran Lofthouse: No it can't be
> [3:24 PM] Darran Lofthouse: it is backed by implementation as well as state
> [3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity
> [3:26 PM] David M. Lloyd: among other problems
> [3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it
> [3:31 PM] Martin Choma: I got it. The thing is, the static analyzer is complaining that elytron-web ElytronAccount (a Serializable class) is referencing SecurityIdentity, but probably the problem is that ElytronAccount does not have to be marked as Serializable, right?
> [3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
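The chat above settles on restoring the identity on the receiving side instead of deserializing it. The following is an added example in plain Java, not code from WildFly or Elytron, using hypothetical stand-in types (`Identity`, `IdentityResolver`, `Account`, `RestoreDemo`) in place of SecurityIdentity and ElytronAccount: the serializable holder writes only the principal name, keeps the identity `transient`, and its `readResolve` asks the local realm for the identity, so roles or permissions carried in the stream never take effect.

```java
import java.io.*;
import java.util.*;

// Hypothetical stand-ins for Elytron's SecurityIdentity and realm (assumption, not the real API).
interface Identity { String principal(); Set<String> roles(); }
interface IdentityResolver { Identity restore(String principal); }

// Serializable holder: the identity is transient, only the principal name is written.
final class Account implements Serializable {
    private static final long serialVersionUID = 1L;
    private static IdentityResolver resolver;     // installed by the receiving side
    private final String principal;
    private transient Identity identity;

    Account(Identity id) { this.principal = id.principal(); this.identity = id; }
    static void setResolver(IdentityResolver r) { resolver = r; }
    Identity identity() { return identity; }

    // Runs after the fields are read: rather than trusting identity state from the
    // stream, ask the local realm for the identity that belongs to this name.
    private Object readResolve() throws ObjectStreamException {
        Identity restored = resolver == null ? null : resolver.restore(principal);
        if (restored == null) throw new InvalidObjectException("no local identity for " + principal);
        return new Account(restored);
    }
}
public class RestoreDemo {
    static Identity of(String name, String... roles) {
        Set<String> r = new HashSet<>(Arrays.asList(roles));
        return new Identity() {
            public String principal() { return name; }
            public Set<String> roles() { return r; }
        };
    }
    public static void main(String[] args) throws Exception {
        // Sending side: serialize an account whose identity claims the "admin" role.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new Account(of("alice", "admin")));
        }
        // Receiving side: its realm only grants alice the "user" role, and that is what
        // the restored account carries; the role set in the stream is never consulted.
        Account.setResolver(p -> p.equals("alice") ? of("alice", "user") : null);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            Account restored = (Account) in.readObject();
            System.out.println(restored.identity().roles());
        }
    }
}
```

If the receiving realm does not know the principal, `readResolve` fails the whole read with `InvalidObjectException` rather than handing back an account with no identity.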
[JBoss JIRA] (WFCORE-2408) Description of Elytron oauth2-introspection resource is copy/pasted from jwt
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2408?page=com.atlassian.jira.plugi... ]
Darran Lofthouse reassigned WFCORE-2408:
----------------------------------------
Assignee: (was: Darran Lofthouse)
> Description of Elytron oauth2-introspection resource is copy/pasted from jwt
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2408
> URL: https://issues.jboss.org/browse/WFCORE-2408
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Labels: user_experience
>
> Description of {{oauth2-introspection}} resource from Elytron {{token-realm}} is copy/pasted from description of {{jwt}}.
> It is similar to WFLY-7573, but its description (and also its linked fix) talks only about the description of attributes. This Jira is related to the description of the whole resource, which currently says:
> "A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard."
[JBoss JIRA] (WFCORE-2408) Description of Elytron oauth2-introspection resource is copy/pasted from jwt
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2408?page=com.atlassian.jira.plugi... ]
Darran Lofthouse updated WFCORE-2408:
-------------------------------------
Fix Version/s: (was: 4.0.0.Alpha1)
> Description of Elytron oauth2-introspection resource is copy/pasted from jwt
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2408
> URL: https://issues.jboss.org/browse/WFCORE-2408
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Labels: user_experience
>
> Description of {{oauth2-introspection}} resource from Elytron {{token-realm}} is copy/pasted from description of {{jwt}}.
> It is similar to WFLY-7573, but its description (and also its linked fix) talks only about the description of attributes. This Jira is related to the description of the whole resource, which currently says:
> "A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard."
[JBoss JIRA] (WFCORE-2416) Elytron properties-realm enforces REALM_NAME comment
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2416?page=com.atlassian.jira.plugi... ]
Darran Lofthouse reassigned WFCORE-2416:
----------------------------------------
Assignee: (was: Darran Lofthouse)
> Elytron properties-realm enforces REALM_NAME comment
> ----------------------------------------------------
>
> Key: WFCORE-2416
> URL: https://issues.jboss.org/browse/WFCORE-2416
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Josef Cacek
>
> Elytron enforces the existence of a {{"#$REALM_NAME=...$"}} comment in the properties file referenced from properties-realms.
> When using legacy security and this line is missing, the server starts without error.
> *Expected behavior:*
> Elytron's properties-realm *doesn't require* this comment. If the comment is present, it *may* verify that its content matches the realm name.
[JBoss JIRA] (WFCORE-2416) Elytron properties-realm enforces REALM_NAME comment
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2416?page=com.atlassian.jira.plugi... ]
Darran Lofthouse updated WFCORE-2416:
-------------------------------------
Fix Version/s: (was: 4.0.0.Alpha1)
> Elytron properties-realm enforces REALM_NAME comment
> ----------------------------------------------------
>
> Key: WFCORE-2416
> URL: https://issues.jboss.org/browse/WFCORE-2416
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Josef Cacek
>
> Elytron enforces the existence of a {{"#$REALM_NAME=...$"}} comment in the properties file referenced from properties-realms.
> When using legacy security and this line is missing, the server starts without error.
> *Expected behavior:*
> Elytron's properties-realm *doesn't require* this comment. If the comment is present, it *may* verify that its content matches the realm name.
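The expected behaviour described in both WFCORE-2416 messages above (a missing marker comment is accepted; a present one is only compared with the configured realm name) as an added example in plain Java, not Elytron's own properties-realm code. `RealmHeaderResult`, `RealmNameHeader` and the sample file contents are assumptions made here.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Result of checking a users/roles properties file against the realm that references it.
enum RealmHeaderResult { ABSENT, MATCH, MISMATCH }

public class RealmNameHeader {
    // The legacy marker comment, e.g. "#$REALM_NAME=ApplicationRealm$".
    private static final Pattern HEADER = Pattern.compile("^#\\$REALM_NAME=(.*)\\$$");

    // Finds the realm name declared by the marker, if any. Only comment lines are
    // inspected, so a user entry can never be mistaken for the header.
    static Optional<String> declaredRealm(List<String> lines) {
        for (String line : lines) {
            String t = line.trim();
            if (!t.startsWith("#")) continue;
            Matcher m = HEADER.matcher(t);
            if (m.matches()) return Optional.of(m.group(1));
        }
        return Optional.empty();
    }

    // The behaviour the issue asks for: no marker is fine; a marker that is present
    // is compared with the realm name configured on the properties-realm.
    static RealmHeaderResult check(List<String> lines, String configuredRealm) {
        return declaredRealm(lines)
                .map(n -> n.equals(configuredRealm) ? RealmHeaderResult.MATCH : RealmHeaderResult.MISMATCH)
                .orElse(RealmHeaderResult.ABSENT);
    }

    static RealmHeaderResult check(Path file, String configuredRealm) throws IOException {
        return check(Files.readAllLines(file), configuredRealm);
    }

    public static void main(String[] args) {
        // Constructed sample contents; the hash value is a placeholder, not a real digest.
        List<String> legacyStyle = List.of("#$REALM_NAME=ApplicationRealm$", "alice=HASH_PLACEHOLDER");
        List<String> noMarker = List.of("# users for the app", "alice=HASH_PLACEHOLDER");
        System.out.println(check(legacyStyle, "ApplicationRealm"));  // marker present and agrees
        System.out.println(check(legacyStyle, "ManagementRealm"));   // marker present but disagrees
        System.out.println(check(noMarker, "ApplicationRealm"));     // no marker at all
    }
}
```

A realm implementation would treat MISMATCH as a warning or a startup failure according to policy, while ABSENT must start cleanly to match the legacy behaviour the issue describes.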
[JBoss JIRA] (WFCORE-2417) Inconsistency in attribute name of Elytron name-rewriter/final-name-rewriter
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2417?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2417.
--------------------------------------
Fix Version/s: (was: 4.0.0.Alpha1)
Resolution: Rejected
> Inconsistency in attribute name of Elytron name-rewriter/final-name-rewriter
> ----------------------------------------------------------------------------
>
> Key: WFCORE-2417
> URL: https://issues.jboss.org/browse/WFCORE-2417
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> In the Elytron subsystem there are attributes {{name-rewriter}} and {{final-name-rewriter}} which serve the same purpose. Both of them are used for final name rewriting. It can be confusing when two different names are used for the same type of attribute.
> Attribute {{name-rewriter}} is used in:
> * {{realms}} attribute in {{security-domain}}
> Attribute {{final-name-rewriter}} is used in:
> * {{mechanism-configurations}} in both {{http-authentication-factory}} and {{sasl-authentication-factory}}
> * {{mechanism-realm-configurations}} in {{mechanism-configurations}} in both {{http-authentication-factory}} and {{sasl-authentication-factory}}
> Names of {{name-rewriter}} and {{final-name-rewriter}} should be unified for these resources in DMR and also in the XSD.
[JBoss JIRA] (WFCORE-2420) JMS client dependencies don't contain a default wildfly-config.xml
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2420?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2420.
--------------------------------------
Resolution: Out of Date
> JMS client dependencies don't contain a default wildfly-config.xml
> ------------------------------------------------------------------
>
> Key: WFCORE-2420
> URL: https://issues.jboss.org/browse/WFCORE-2420
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Josef Cacek
> Assignee: Jeff Mesnil
> Priority: Critical
>
> Using the {{wildfly-jms-client-bom}} dependency for JMS clients doesn't introduce a default {{wildfly-config.xml}} with Elytron client configuration. As a result, clients are not able to authenticate (e.g. using the JBOSS-LOCAL-USER SASL mechanism).
> The default configuration in {{wildfly-config.xml}} should allow behavior similar to legacy security. So the following call should pass:
> {code}
> ConnectionFactory connectionFactory = (ConnectionFactory) namingContext.lookup("jms/RemoteConnectionFactory");
> {code}
> Currently the call throws an exception:
> {code}
> SEVERE: Naming problem occured
> javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server are supported]
> at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
> at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:91)
> at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:78)
> at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:64)
> at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:123)
> at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:113)
> at javax.naming.InitialContext.lookup(InitialContext.java:417)
> at org.wildfly.security.elytron.demo.JmsClient.main(JmsClient.java:45)
> Caused by: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server are supported
> at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:412)
> at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:239)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
> at ...asynchronous invocation...(Unknown Source)
> at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:466)
> at org.jboss.remoting3.FutureConnection.connect(FutureConnection.java:113)
> at org.jboss.remoting3.FutureConnection.init(FutureConnection.java:75)
> at org.jboss.remoting3.FutureConnection.get(FutureConnection.java:151)
> at org.jboss.remoting3.EndpointImpl.getConnection(EndpointImpl.java:422)
> at org.jboss.remoting3.UncloseableEndpoint.getConnection(UncloseableEndpoint.java:57)
> at org.jboss.remoting3.Endpoint.getConnection(Endpoint.java:105)
> at org.wildfly.naming.client.remote.RemoteNamingProvider.lambda$new$0(RemoteNamingProvider.java:68)
> at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentity(RemoteNamingProvider.java:126)
> at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:108)
> ... 7 more
> {code}
[JBoss JIRA] (WFCORE-2418) CS tool, invalid options are accepted
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2418?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2418.
--------------------------------------
Fix Version/s: 3.0.0.Beta29
Resolution: Done
> CS tool, invalid options are accepted
> -------------------------------------
>
> Key: WFCORE-2418
> URL: https://issues.jboss.org/browse/WFCORE-2418
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: credential-store, wildfly-elytron-tool
> Fix For: 3.0.0.Beta29
>
>
> Currently if I provide an invalid option (e.g. --option_does_not_exists) it is accepted (ignored) and the command is performed.
> {code}
> [mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="/tmp/test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword --salt 12345678 --iteration 230 --summary --option_does_not_exists
> Alias "myalias" has been successfully stored
> Credential store command summary:
> --------------------------------------
> /subsystem=elytron/credential-store=test:add(uri="cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS",relative-to=jboss.server.data.dir,credential-reference={clear-text="MASK-uNWeyrmbByBEjgZM1FAPQW==;12345678;230"})
> {code}
> It would be safer if the command failed instead. It would guard users from an unintentional command being performed.
> {code}
> [mchoma@localhost bin]$ java -jar wildfly-elytron-tool.jar credential-store --add myalias --secret supersecretpassword --location="/tmp/test.store" --uri "cr-store://test?modifiable=true;create=true;keyStoreType=JCEKS" --password mycspassword --salt 12345678 --iteration 230 --summary --option_does_not_exists
> wildfly-elytron-tool: invalid option -- 'option_does_not_exists'
> {code}