[JBoss JIRA] (ELY-1374) The elytron-1_0.xsd has elements the parser does not accept
by Ilia Vassilev (JIRA)
Ilia Vassilev created ELY-1374:
----------------------------------
Summary: The elytron-1_0.xsd has elements the parser does not accept
Key: ELY-1374
URL: https://issues.jboss.org/browse/ELY-1374
Project: WildFly Elytron
Issue Type: Bug
Reporter: Ilia Vassilev
Assignee: Ilia Vassilev
There are elements in the {{elytron-1_0.xsd}} that the parser does not accept. While I didn't check them all here are at least a few that are in the XSD that the parser will reject:
* {{allow-sasl-mechanisms}}
* {{allow-all-sasl-mechanisms}}
* {{forbid-sasl-mechanisms}}
This may be all of them, but it should likely be validated that those are the only ones.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 2 months
[JBoss JIRA] (SECURITY-978) Remove DEBUG message in server logs while calling isCallerInRole(String roleName) method
by Ilia Vassilev (JIRA)
[ https://issues.jboss.org/browse/SECURITY-978?page=com.atlassian.jira.plug... ]
Ilia Vassilev commented on SECURITY-978:
----------------------------------------
PR: https://github.com/picketbox/picketbox/pull/72
> Remove DEBUG message in server logs while calling isCallerInRole(String roleName) method
> ----------------------------------------------------------------------------------------
>
> Key: SECURITY-978
> URL: https://issues.jboss.org/browse/SECURITY-978
> Project: PicketBox
> Issue Type: Bug
> Environment: Red Hat JBoss Enterprise Application Platform 7.0.x
> Reporter: Ilia Vassilev
> Assignee: Ilia Vassilev
>
> While explicitly checking the user roles in the ejb code using context.isCallerInRole(String roleName) and when it return false below exception message got printed at the DEBUG level in server.log file.
> {code:java}
> 2017-09-13 21:10:24,549 DEBUG [org.jboss.security] sessionhash="b34cb4c5c50e3eefbe4f924ee42fa658" requestid="33015X1505317224509" username="adm2.lg" src_ip="127.0.0.1" PBOX00326: isCallerInRole processing failed: org.jboss.security.authorization.AuthorizationException: PBOX00017: Acces denied: authorization failed
> at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:274)
> at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71)
> at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:143)
> at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:438)
> at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115)
> at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:187)
> at org.jboss.as.security.service.SimpleSecurityManager.isCallerInRole(SimpleSecurityManager.java:229)
> at org.jboss.as.ejb3.component.EJBComponent.isCallerInRole(EJBComponent.java:400)
> at org.jboss.as.ejb3.context.EJBContextImpl.isCallerInRole(EJBContextImpl.java:115)
> {code}
> The exception seems to be printed in DEBUG in the below line
> {code:java}
> https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbos...
> {code}
> This should not be logged as an exception message may be just a line in DEBUG logs should be enough.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 2 months
[JBoss JIRA] (WFCORE-3322) Invalid socket-binding config in remoting connector resource does not lead to model integrity failure
by Brian Stansberry (JIRA)
Brian Stansberry created WFCORE-3322:
----------------------------------------
Summary: Invalid socket-binding config in remoting connector resource does not lead to model integrity failure
Key: WFCORE-3322
URL: https://issues.jboss.org/browse/WFCORE-3322
Project: WildFly Core
Issue Type: Bug
Components: Remoting
Reporter: Brian Stansberry
Assignee: Brian Stansberry
A remoting connector with a socket-binding attribute pointing to a non-existing s-b does not fail with a capability validation failure:
{code}
[standalone@localhost:9990 /] /subsystem=remoting/connector=remoting-connector:add(security-realm=ApplicationRealm,socket-binding=remoting)
{
"outcome" => "failed",
"failure-description" => {
"WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.network.socket-binding.remoting"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.remoting.server.remoting-connector is missing [org.wildfly.network.socket-binding.remoting]"]
},
"rolled-back" => true
}
{code}
As in all such cases of missing cap validation, that means it doesn't fail at all in admin-only:
{code}
[standalone@localhost:9990 /] reload --admin-only=true
[standalone@localhost:9990 /] /subsystem=remoting/connector=remoting-connector:add(security-realm=ApplicationRealm,socket-binding=remoting)
{"outcome" => "success"}
{code}
Problem is ConnectorAdd isn't passing its attributes into the superclass, which means the superclass' recording of capability requirements isn't done.
I'll check for other occurrences of this pattern in the subsystem.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 3 months