[JBoss JIRA] (WFCORE-2468) Definition Elytron key-manager with key-store (which needs password) without filled credential-reference causes ugly failure-description with senseless Exception.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2468?page=com.atlassian.jira.plugi... ]
Darran Lofthouse updated WFCORE-2468:
-------------------------------------
Fix Version/s: (was: 4.0.0.Alpha1)
> Definition Elytron key-manager with key-store (which needs password) without filled credential-reference causes ugly failure-description with senseless Exception.
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2468
> URL: https://issues.jboss.org/browse/WFCORE-2468
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
>
> Defining an Elytron key-manager with a key-store (which needs a password) without a filled credential-reference causes an ugly failure-description with a senseless Exception.
> *Steps to reproduce*
> * Copy the attached firefly.keystore to eap_home/standalone/data/cs.
> * /subsystem=elytron/key-store=ff001:add(path=cs/firefly.keystore,relative-to=jboss.server.data.dir,type=JKS,credential-reference={clear-text=Elytron})
> * /subsystem=elytron/key-managers=keymanager001:add(algorithm=SunX509, key-store=ff001)
> And you get this output:
> {code}
> {
> "outcome" => "failed",
> "failure-description" => {
> "WFLYCTL0080: Failed services" => {"org.wildfly.security.key-managers.km002" => "org.jboss.msc.service.StartException in service org.wildfly.security.key-managers.km002: Failed to start service
> Caused by: java.lang.NullPointerException"},
> "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.key-managers.km002"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
> },
> "rolled-back" => true
> }
> {code}
> There must be some kind of information about the missing credential-reference, or at least about the missing (wrong) key-store password.
> When I add a credential-reference with the key-store password there, the operation passes:
> /subsystem=elytron/key-managers=keymanager001:add(algorithm=SunX509, key-store=ff001, credential-reference={clear-text=Elytron})
> *Suggestions for improvement*
> The failure-description must not contain an Exception or a stack-trace snippet.
> Please replace the WFLYCTL0080 part with a better message,
> e.g. "credential-reference is required", "Missing password to key-store access"
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFCORE-2466) Elytron, IBM java, SPNEGO continuation required situation
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2466?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2466.
--------------------------------------
Fix Version/s: 3.0.0.Beta29
Resolution: Done
> Elytron, IBM java, SPNEGO continuation required situation
> ---------------------------------------------------------
>
> Key: WFCORE-2466
> URL: https://issues.jboss.org/browse/WFCORE-2466
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Fix For: 3.0.0.Beta29
>
> Attachments: ContinuationRequiredIBM.pcap, server.log
>
>
> I have a problem achieving this scenario with Elytron on IBM Java:
> # Using IBM Java
> # Client sends a non-Kerberos OID mechanism as most preferred, with a non-Kerberos ticket
> # Server responds with "continuation required"
> # Client sends a Kerberos ticket
> # Server responds with 401 instead of 200
> # In the server log there is this error:
> {code}
> 10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
> major string: Defective token
> minor string: Bad token tag: -95
> at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
> at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
> at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
> at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
> at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
> at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
> at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
> {code}
> Basically, it is the same scenario as tested in [1] (for legacy security).
> This scenario works correctly
> * on Oracle and OpenJDK java with elytron in EAP 7.1
> * with legacy security on IBM java in EAP 7.1
> Setting high priority because:
> * It works in legacy security, so customers won't be able to migrate
> * A similar error was resolved in EAP 7.0 (JBEAP-3709) as a blocker because a customer case existed for it.
> [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...
> [2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...
[JBoss JIRA] (WFCORE-2473) It is possible to create constant-name-rewriter without defined constant
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2473?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2473.
--------------------------------------
Fix Version/s: (was: 4.0.0.Alpha1)
Resolution: Out of Date
> It is possible to create constant-name-rewriter without defined constant
> ------------------------------------------------------------------------
>
> Key: WFCORE-2473
> URL: https://issues.jboss.org/browse/WFCORE-2473
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Jan Tymel
> Assignee: Darran Lofthouse
> Labels: user_experience
>
> If a user adds a new {{constant-name-rewriter}} via the following command {{/subsystem=elytron/constant-name-rewriter=name-rewriter:add(constant)}}, then a new rewriter is created.
> It shouldn't be possible, since the {{constant}} attribute isn't filled correctly. However, a new rewriter with the value {{true}} [1] is added instead.
> [1] <constant-name-rewriter name="name-rewriter" constant="true"/>
[JBoss JIRA] (WFCORE-2476) Inconsistencies in using fileType/path+relative-to in Elytron XSD/DMR
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2476?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2476.
--------------------------------------
Fix Version/s: 3.0.0.Beta29
(was: 4.0.0.Alpha1)
Resolution: Won't Fix
> Inconsistencies in using fileType/path+relative-to in Elytron XSD/DMR
> ---------------------------------------------------------------------
>
> Key: WFCORE-2476
> URL: https://issues.jboss.org/browse/WFCORE-2476
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Kotek
> Assignee: Darran Lofthouse
> Labels: user_experience
> Fix For: 3.0.0.Beta29
>
>
> *Issue description:*
> In _wildfly-elytron_1_0.xsd_, a file type is represented inconsistently. There are {{basicFileType}} and {{fileType}} complex types used, but there are also {{path}} and {{relative-to}} attributes used ({{providerLoadersType}}, {{kerberosSecurityFactory}}).
> In DMR, a file is represented either as an object (e.g. {{properties-realm}}) or as attributes (e.g. {{filesystem-realm}}, {{key-store}}).
> *Suggestions for improvement:*
> The file representation should be consistent in XSD/DMR.
[JBoss JIRA] (WFCORE-2481) Elytron, Can't access application secured with SPNEGO fallbacking to FORM
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2481?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2481.
--------------------------------------
Fix Version/s: 3.0.0.Beta29
Resolution: Done
> Elytron, Can't access application secured with SPNEGO fallbacking to FORM
> -------------------------------------------------------------------------
>
> Key: WFCORE-2481
> URL: https://issues.jboss.org/browse/WFCORE-2481
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Fix For: 3.0.0.Beta29
>
>
> When accessing an application configured with SPNEGO + FORM fallback, the user gets a 404 on the first HTTP GET.
> {code}
> [mchoma@localhost ~]$ curl -v http://localhost.localdomain:8080/be4459d3-1eb1-4aa9-a42a-e6a63c1d33c5/pr...
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to localhost.localdomain (127.0.0.1) port 8080 (#0)
> > GET /be4459d3-1eb1-4aa9-a42a-e6a63c1d33c5/protected/SimpleSecuredServlet HTTP/1.1
> > User-Agent: curl/7.37.0
> > Host: localhost.localdomain:8080
> > Accept: */*
> >
> < HTTP/1.1 404 Not Found
> < Expires: 0
> < Cache-Control: no-cache, no-store, must-revalidate
> < X-Powered-By: Undertow/1
> < Set-Cookie: JSESSIONID=0O3kk4WJTVuH0XuWriO_d_M6HMCb83Ri7UZmtUU0.localhost; path=/be4459d3-1eb1-4aa9-a42a-e6a63c1d33c5
> * Server JBoss-EAP/7 is not blacklisted
> < Server: JBoss-EAP/7
> < Pragma: no-cache
> < Date: Fri, 03 Mar 2017 09:15:41 GMT
> < Connection: keep-alive
> < WWW-Authenticate: Negotiate
> < Content-Type: text/html;charset=UTF-8
> < Content-Length: 149
> <
> * Connection #0 to host localhost.localdomain left intact
> <html><head><title>Error</title></head><body>/be4459d3-1eb1-4aa9-a42a-e6a63c1d33c5/protected/http:/localhost.localdomain:8080/login.jsp</body></html>[mchoma@localhost ~]$
> {code}
> Changing in web.xml {{<auth-method>SPNEGO,FORM</auth-method>}} to {{<auth-method>SPNEGO</auth-method>}} makes SPNEGO work again.
[JBoss JIRA] (WFCORE-2490) Multiple CredentialStores with ONE backed credential store file can rewrite values each other.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2490?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2490.
--------------------------------------
Resolution: Rejected
> Multiple CredentialStores with ONE backed credential store file can rewrite values each other.
> ----------------------------------------------------------------------------------------------
>
> Key: WFCORE-2490
> URL: https://issues.jboss.org/browse/WFCORE-2490
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
> Priority: Blocker
>
> Multiple CredentialStores backed by ONE credential store file can overwrite each other's values.
> *How to reproduce*
> {code}
> /subsystem=elytron/credential-store=credStore001:add(uri="cr-store://test/cs001.jceks?store.password=pass123;create.storage=true")
> /subsystem=elytron/credential-store=credStore001/alias="alias1":add(secret-value=Elytron)
> {code}
> {code}
> /subsystem=elytron/credential-store=credStore002:add(uri="cr-store://test/cs001.jceks?store.password=pass123")
> {code}
> Check the CS file: there is an "alias1" entry.
> {code}
> /subsystem=elytron/credential-store=credStore001/alias="alias2":add(secret-value=Elytron)
> {code}
> Check the CS file: there are "alias1" and "alias2" entries.
> {code}
> /subsystem=elytron/credential-store=credStore002/alias="alias123":add(secret-value=Elytron)
> {code}
> Check the CS file: there are "alias1" and "alias123" entries.
> *NOTE*
> It is a problem because we have one backing file. In memory we have the right values for all Credential Stores, but after a restart we can lose new entries.
> In my opinion the reason for this behaviour is:
> We have the CS loaded in memory, and when we add a new alias to the CS we save the whole CS from memory to the file.
> We can set the CS as non-modifiable when we use the same backing file for a CredentialStore, but we must find better default behaviour.
> *My suggestion for default behaviour*
> When we want to add a new alias to a CredentialStore we can do this:
> # refresh the CS from the file (and lock this file)
> # add the new alias to the CS
> # save the CS to the file
> # unlock the file
> *But there is a possible problem with performance....*
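The lost update described in WFCORE-2490, and the lock/refresh/add/save sequence the reporter suggests as a default, as an added illustration that is not WildFly's credential store code: two java.security.KeyStore objects of type JCEKS share one file, using the file name, store password, alias names and secret value from the report. The SecretKeyEntry format, the helper names and the ".lock" sidecar file are assumptions.

```java
import java.io.*;
import java.nio.channels.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Collections;
import javax.crypto.spec.SecretKeySpec;

/** Two in-memory JCEKS stores backed by ONE file (cs001.jceks, store password pass123 as in the report). */
public class SharedCredentialStoreDemo {
    static final char[] PASS = "pass123".toCharArray();

    /** Load the store from disk, or start an empty one (create.storage=true). */
    static KeyStore load(Path file) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        if (!Files.exists(file)) { ks.load(null, PASS); return ks; }
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, PASS); }
        return ks;
    }

    /** Write the whole in-memory store to disk; this is what discards other stores' aliases. */
    static void save(KeyStore ks, Path file) throws Exception {
        try (OutputStream out = Files.newOutputStream(file)) { ks.store(out, PASS); }
    }

    /** Store a clear-text secret as a SecretKeyEntry (constructed sample, not Elytron's own entry format). */
    static void addAlias(KeyStore ks, String alias, String secret) throws Exception {
        SecretKeySpec key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "AES");
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(PASS));
    }

    /** Reporter's suggested default: lock, refresh from file, add, save, unlock (assumed ".lock" sidecar). */
    static void safeAdd(Path file, String alias, String secret) throws Exception {
        Path lockFile = file.resolveSibling(file.getFileName() + ".lock");
        try (FileChannel ch = FileChannel.open(lockFile, StandardOpenOption.CREATE, StandardOpenOption.WRITE);
             FileLock lock = ch.lock()) {
            KeyStore fresh = load(file);                  // now sees every alias other stores wrote
            addAlias(fresh, alias, secret);
            save(fresh, file);
        }
    }
    public static void main(String[] args) throws Exception {
        Path file = Files.createTempDirectory("cs").resolve("cs001.jceks");
        KeyStore cs1 = load(file); addAlias(cs1, "alias1", "Elytron"); save(cs1, file);  // credStore001
        KeyStore cs2 = load(file);                                                    // credStore002, same file
        addAlias(cs1, "alias2", "Elytron"); save(cs1, file);      // cached copy written out whole
        addAlias(cs2, "alias123", "Elytron"); save(cs2, file);    // cs2 never saw alias2: alias2 is gone
        System.out.println("after unsafe adds: " + Collections.list(load(file).aliases()));
        safeAdd(file, "alias2", "Elytron");                       // refreshed first: alias1, alias123, alias2
        System.out.println("after safe add:    " + Collections.list(load(file).aliases()));
    }
}
```

The first print shows the report's symptom (alias2 missing from disk); the second shows that reloading under the lock before writing keeps all three aliases.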
[JBoss JIRA] (WFCORE-2489) CS tool, add prompt when --secret is missing
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2489?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2489.
--------------------------------------
Fix Version/s: 3.0.0.Beta29
Resolution: Done
> CS tool, add prompt when --secret is missing
> --------------------------------------------
>
> Key: WFCORE-2489
> URL: https://issues.jboss.org/browse/WFCORE-2489
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Labels: credential-store
> Fix For: 3.0.0.Beta29
>
>
> Use case:
> - The user has an automation script using the CS tool and doesn't want the secret value to be stored in a file.
> - The user doesn't want the secret value to be stored in the shell history after execution.
> - The user doesn't want the secret value to be listed in {{ps -aux}} output.
> There has to be a possibility to omit the --secret attribute. When the --secret attribute is omitted, an interactive prompt should follow that allows the secret value to be entered.
[JBoss JIRA] (WFCORE-2494) Auto-completion does not work for default-realm of Elytron security-domain in CLI
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2494?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2494.
--------------------------------------
Resolution: Deferred
Marking as deferred until the core management model supports arbitrary tab completion.
> Auto-completion does not work for default-realm of Elytron security-domain in CLI
> ---------------------------------------------------------------------------------
>
> Key: WFCORE-2494
> URL: https://issues.jboss.org/browse/WFCORE-2494
> Project: WildFly Core
> Issue Type: Enhancement
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Ondrej Lukas
> Assignee: Jan Kalina
> Priority: Minor
> Labels: user_experience
>
> Auto-completion does not work for default-realm of an Elytron security-domain in the CLI. All attributes of security-domain support auto-completion via the {{<TAB>}} key. The only one which does not support it is default-realm. It is probably caused by a missing capability-reference.
> Example:
> {code}
> /subsystem=elytron/security-domain=domain:add(default-realm=<TAB>
> {code}
> Does not show any security realms. However:
> {code}
> /subsystem=elytron/security-domain=domain:add(permission-mapper=<TAB>
> {code}
> Shows possible permission mappers.