[JBoss JIRA] (WFLY-9058) Inconsistent attribute description of security domain
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-9058?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-9058.
------------------------------------
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
> Inconsistent attribute description of security domain
> -----------------------------------------------------
>
> Key: WFLY-9058
> URL: https://issues.jboss.org/browse/WFLY-9058
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Juraj Duráni
> Priority: Minor
> Fix For: Awaiting Volunteers
>
>
> Some attributes have inconsistent description (obtained using 'read-resource-description' operation):
> - Missing module attribute:
> {code:plain|title=Missing module attribute}
> [standalone@localhost:9990 /] /subsystem=security/security-domain=other/mapping=classic:read-resource-description
> {
> "outcome" => "success",
> "result" => {
> "description" => "Mapping configuration. Configures a list of mapping modules to be used for principal, role, attribute and credential mapping.",
> "deprecated" => {
> "since" => "1.3.0",
> "reason" => "The Security subsystem is deprecated and may be removed, significantly revised, or limited to managed domain legacy server use in future versions."
> },
> "access-constraints" => {
> "sensitive" => {"security-domain" => {"type" => "core"}},
> "application" => {"security-domain" => {"type" => "security"}}
> },
> "attributes" => {"mapping-modules" => {
> "type" => LIST,
> "description" => "List of modules that map principal, role, and credential information",
> "expressions-allowed" => false,
> "nillable" => true,
> "deprecated" => {
> "since" => "1.2.0",
> "reason" => "Use of this attribute is deprecated, use resource"
> },
> "value-type" => {
> "code" => {
> "description" => "Class name of the module to be instantiated.",
> "type" => STRING,
> "nillable" => false,
> "min-length" => 1
> },
> "type" => {
> "description" => "Type of mapping this module performs. Allowed values are principal, role, attribute or credential..",
> "type" => STRING,
> "nillable" => false
> },
> "module-options" => {
> "description" => "List of module options containing a name/value pair.",
> "type" => OBJECT,
> "value-type" => STRING,
> "nillable" => true
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "all-services"
> }},
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {"mapping-module" => {
> "description" => "List of modules that map principal, role, and credential information",
> "model-description" => undefined
> }}
> }
> }
> {code}
> - Module description in policy-module refers to "login module"
> {code:plain|title=Inaccurate description}
> [standalone@localhost:9990 /] /subsystem=security/security-domain=other/authorization=classic/policy-module=a:read-resource-description
> {
> "outcome" => "success",
> "result" => {
> "description" => "List of authentication modules",
> "access-constraints" => {
> "sensitive" => {"security-domain" => {"type" => "core"}},
> "application" => {"security-domain" => {"type" => "security"}}
> },
> "attributes" => {
> "code" => {
> "type" => STRING,
> "description" => "Class name of the module to be instantiated.",
> "expressions-allowed" => false,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "flag" => {
> "type" => STRING,
> "description" => "The flag controls how the module participates in the overall procedure. Allowed values are requisite, required, sufficient or optional.",
> "expressions-allowed" => true,
> "nillable" => false,
> "allowed" => [
> "required",
> "requisite",
> "sufficient",
> "optional"
> ],
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "module" => {
> "type" => STRING,
> "description" => "Name of JBoss Module where the login module is located.",
> "expressions-allowed" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "module-options" => {
> "type" => OBJECT,
> "description" => "List of module options containing a name/value pair.",
> "expressions-allowed" => true,
> "nillable" => true,
> "value-type" => STRING,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> }
> },
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {}
> }
> }
> {code}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 10 months
[JBoss JIRA] (WFCORE-4223) IllegalArgumentException when add a server-ssl-sni-context with no host-context-map
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-4223?page=com.atlassian.jira.plugi... ]
Darran Lofthouse updated WFCORE-4223:
-------------------------------------
Fix Version/s: 8.0.0.Beta2
> IllegalArgumentException when add a server-ssl-sni-context with no host-context-map
> -----------------------------------------------------------------------------------
>
> Key: WFCORE-4223
> URL: https://issues.jboss.org/browse/WFCORE-4223
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Claudio Miranda
> Assignee: Martin Mazanek
> Priority: Minor
> Fix For: 8.0.0.Beta2
>
>
> The "add" operation for /subsystem=elytron/server-ssl-sni-context doesn't require the "host-context-map" attribute; however, adding a server-ssl-sni-context without this attribute results in an IllegalArgumentException. Set the "host-context-map" and the "add" operation works.
> {code}
> [standalone@localhost:9990 /] /subsystem=elytron/server-ssl-sni-context=sn3:add(default-ssl-context=wssl_ctx)
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException",
> "rolled-back" => true,
> "response-headers" => {"process-state" => "reload-required"}
> }
> {code}
> {code}
> 11:29:09,803 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("server-ssl-sni-context" => "sn3")
> ]): java.lang.IllegalArgumentException
> at org.jboss.dmr.ModelValue.getKeys(ModelValue.java:139)
> at org.jboss.dmr.ModelNode.keys(ModelNode.java:1580)
> at org.wildfly.extension.elytron.SSLDefinitions$7.getValueSupplier(SSLDefinitions.java:1046)
> at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:68)
> at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:159)
> at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
> at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
> at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
> at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1411)
> at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:423)
> at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:289)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:255)
> at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:240)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:138)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:162)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:158)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:313)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:270)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
> {code}
> {code}
> /subsystem=elytron/server-ssl-sni-context=sn1:read-operation-description(name=add)
> {
> "outcome" => "success",
> "result" => {
> "operation-name" => "add",
> "description" => "Adds a SNI context",
> "request-properties" => {
> "default-ssl-context" => {
> "type" => STRING,
> "description" => "The context to use if no SNI information is present, or if it does not match any mappings",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "capability-reference" => "org.wildfly.security.ssl-context",
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "host-context-map" => {
> "type" => OBJECT,
> "description" => "A mapping between a server name and an SSContext",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "capability-reference" => "org.wildfly.security.ssl-context",
> "value-type" => STRING
> }
> },
> "reply-properties" => {},
> "read-only" => false,
> "restart-required" => "resource-services",
> "runtime-only" => false
> },
> "response-headers" => {"process-state" => "reload-required"}
> }
> {code}
--
[JBoss JIRA] (WFCORE-3306) add-user.sh shouldn't throw AddUserFailedException if '%' character is used in user name
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-3306?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-3306.
--------------------------------------
Resolution: Rejected
> add-user.sh shouldn't throw AddUserFailedException if '%' character is used in user name
> ----------------------------------------------------------------------------------------
>
> Key: WFCORE-3306
> URL: https://issues.jboss.org/browse/WFCORE-3306
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Aurel Pintea
> Assignee: Aurel Pintea
> Priority: Minor
>
> h3. Original Issue Number: https://issues.jboss.org/browse/JBEAP-6637
> *Description of problem:*
> add-user.sh shouldn't throw AddUserFailedException if '%' character is used in user name. If another wrong character is used, AddUserFailedException is not thrown.
> *How reproducible:*
> Always.
> *Steps to Reproduce:*
> {noformat}
> [mkopecky@localhost bin]$ ./add-user.sh
> What type of user do you wish to add?
> a) Management User (mgmt-users.properties)
> b) Application User (application-users.properties)
> (a): a
> Enter the details of the new user to add.
> Using realm 'ManagementRealm' as discovered from the existing property files.
> Username : marek^
> * Error *
> WFLYDM0028: Username must be alphanumeric with the exception of the following accepted symbols (",", "-", ".", "/", "=", "@", "\")
> Username (marek^) : marek%
> * Error *
> WFLYDM0028: Username must be alphanumeric with the exception of the following accepted symbols (",", "-", ".", "/", "=", "@", "\")
> Exception in thread "main" java.util.UnknownFormatConversionException: Conversion = ')'
> at java.util.Formatter.checkText(Formatter.java:2579)
> at java.util.Formatter.parse(Formatter.java:2565)
> at java.util.Formatter.format(Formatter.java:2501)
> at java.util.Formatter.format(Formatter.java:2455)
> at java.io.Console.format(Console.java:170)
> at java.io.Console.printf(Console.java:209)
> at org.jboss.as.domain.management.security.adduser.JavaConsole.printf(JavaConsole.java:54)
> at org.jboss.as.domain.management.security.adduser.PromptNewUserState.execute(PromptNewUserState.java:52)
> at org.jboss.as.domain.management.security.adduser.AddUser.run(AddUser.java:133)
> at org.jboss.as.domain.management.security.adduser.AddUser.main(AddUser.java:240)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.modules.Module.run(Module.java:336)
> at org.jboss.modules.Main.main(Main.java:520)
> [mkopecky@localhost bin]$
> {noformat}
--
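The trace in WFCORE-3306 above ends in `Console.printf` with `Conversion = ')'`, which is what happens when a prompt such as `Username (marek%) : ` is passed as the format string itself. The following is an added example, not WildFly's code: the class and method names are hypothetical, and a `PrintWriter` stands in for `java.io.Console` (which offers the same `printf(String, Object...)` call) so that it runs without a terminal.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.IllegalFormatException;

public class PromptFormatDemo {

    // Pattern consistent with the stack trace: the prompt text already contains
    // the rejected user name and is then passed as the *format string*.
    static String unsafePrompt(String rejectedName) {
        String message = "Username (" + rejectedName + ") : ";
        StringWriter out = new StringWriter();
        new PrintWriter(out).printf(message).flush();
        return out.toString();
    }

    // Hardened form: constant format string, user input only as an argument.
    static String safePrompt(String rejectedName) {
        StringWriter out = new StringWriter();
        new PrintWriter(out).printf("Username (%s) : ", rejectedName).flush();
        return out.toString();
    }

    // Fallback when a pre-built message must go through a printf-only API.
    static String escapeForFormat(String text) {
        return text.replace("%", "%%");
    }

    // Make line breaks visible so a silently altered prompt can be spotted.
    static String visible(String s) {
        return s.replace(System.lineSeparator(), "\\n");
    }

    static String describe(String name) {
        String unsafe;
        try {
            unsafe = "printed \"" + visible(unsafePrompt(name)) + "\"";
        } catch (IllegalFormatException e) {
            unsafe = "threw " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
        return String.format("input=%-8s unsafe: %s | safe: \"%s\"",
                name, unsafe, safePrompt(name));
    }

    public static void main(String[] args) {
        // "marek^" and "marek%" are the inputs from the report;
        // "marek%n" and "marek%s" are constructed for this example.
        for (String name : new String[] {"marek^", "marek%", "marek%n", "marek%s"}) {
            System.out.println(describe(name));
        }
        // Escaping '%' lets the pre-built message survive a printf-only call.
        StringWriter out = new StringWriter();
        new PrintWriter(out).printf(escapeForFormat("Username (marek%) : ")).flush();
        System.out.println("escaped: \"" + out + "\"");
    }
}
```

The `marek%n` case shows why this is worth fixing even where nothing is thrown: the input is interpreted as a directive and changes the output instead of being echoed.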
[JBoss JIRA] (WFLY-814) vault util requests a URL but expects an absolute path.
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-814?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse resolved WFLY-814.
-----------------------------------
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
> vault util requests a URL but expects an absolute path.
> -------------------------------------------------------
>
> Key: WFLY-814
> URL: https://issues.jboss.org/browse/WFLY-814
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Darran Lofthouse
> Assignee: Peter Skopek
> Priority: Major
>
> The vault utility asks for a URL to the keystore but then treats it as an absolute path: -
> {code}
> Enter Keystore URL:file:///home/darranl/tmp/vault/vault.keystore
> Enter Keystore password:
> Enter Keystore password again:
> Values match
> Enter 8 character salt:abcdefgh
> Enter iteration count as a number (Eg: 44):13
> Exception encountered:Keystore [file:///home/darranl/tmp/vault/vault.keystore] doesn't exist.
> {code}
> Also is there really a need to take the password twice? That is normally used on setting a new password to ensure it is set correctly, in this case the password could easily be verified against the keystore.
--
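One way to accept both what the prompt in WFLY-814 asks for (a `file:` URL) and what the tool actually handles (a file system path), as an added example that is not PicketBox code. The class and method names are hypothetical; the first and third inputs are the ones shown in WFLY-814 and WFLY-4238, the others are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class KeystoreLocation {

    // Resolve a keystore location given either as a file: URL or as a path.
    // Any other scheme is refused rather than silently treated as a file name.
    static Path resolve(String input) {
        String value = input.trim();
        // "D:\..." is a Windows drive path, not a URI with the scheme "D".
        boolean drivePath = value.length() >= 2
                && Character.isLetter(value.charAt(0)) && value.charAt(1) == ':';
        if (!drivePath) {
            try {
                URI uri = new URI(value);
                if (uri.getScheme() != null) {
                    if (!"file".equalsIgnoreCase(uri.getScheme())) {
                        throw new IllegalArgumentException(
                                "Only file: URLs are accepted, got scheme '"
                                        + uri.getScheme() + "'");
                    }
                    // Throws IllegalArgumentException for file: URLs that do
                    // not denote a local path (opaque, or with a host part).
                    return Paths.get(uri).toAbsolutePath().normalize();
                }
            } catch (URISyntaxException e) {
                // Not a URI (spaces, backslashes, ...): handled as a path below.
            }
        }
        return Paths.get(value).toAbsolutePath().normalize();
    }

    public static void main(String[] args) {
        String[] inputs = {
            "file:///home/darranl/tmp/vault/vault.keystore",
            "/home/darranl/tmp/vault/vault.keystore",
            "D:\\e3c\\E3C_Install_ZipTask_SCE_B3\\sw\\System\\WildFly\\vault\\vault.keystore",
            "http://example.invalid/vault.keystore"
        };
        for (String input : inputs) {
            try {
                Path p = resolve(input);
                // Report existence separately, so "wrong form" and "no such
                // file" are not collapsed into one "doesn't exist" message.
                System.out.println(input + " -> " + p
                        + (Files.isRegularFile(p) ? " (found)" : " (not found)"));
            } catch (IllegalArgumentException e) {
                System.out.println(input + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

On a non-Windows host the drive-letter input is resolved relative to the working directory, since backslashes are ordinary file name characters there.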
[JBoss JIRA] (WFLY-11529) Expose WildFly metrics in /metrics endpoints
by Jeff Mesnil (Jira)
[ https://issues.jboss.org/browse/WFLY-11529?page=com.atlassian.jira.plugin... ]
Jeff Mesnil updated WFLY-11529:
-------------------------------
Priority: Major (was: Critical)
> Expose WildFly metrics in /metrics endpoints
> --------------------------------------------
>
> Key: WFLY-11529
> URL: https://issues.jboss.org/browse/WFLY-11529
> Project: WildFly
> Issue Type: Bug
> Components: MP Metrics
> Reporter: Jeff Mesnil
> Assignee: Jeff Mesnil
> Priority: Major
>
> MicroProfile Metrics mandates that metrics names are unique and is not able to have multiple suppliers for the same metric with different labels.
> Due to this restriction, the names of WildFly metrics are long and convoluted; e.g. `deployment/example.war/subsystem/undertow/servlet/org.example.MyServlet/request-count`
> This type of name prevents any aggregation in Prometheus and is very different from the names configured in the jmx-exporter for older WildFly versions (https://github.com/jboss-openshift/cct_module/pull/314)
> Instead, the name of the metric should be "simple" (e.g. undertow_request_count) and the different suppliers should provide labels:
> {code}
> undertow_request_count{deployment="foo.war", servlet="MyServletA"} 5.0
> undertow_request_count{deployment="foo.war", servlet="MyServletB"} 10.0
> {code}
> In its current state the WildFly metrics are not usable and we should disable them until they are properly exposed in a correct state.
--
[JBoss JIRA] (WFLY-4238) Vault script not showing shared key
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-4238?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-4238.
------------------------------------
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
> Vault script not showing shared key
> -----------------------------------
>
> Key: WFLY-4238
> URL: https://issues.jboss.org/browse/WFLY-4238
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 8.1.0.Final
> Environment: Windows 7 with jdk1.7.0_51
> Reporter: Abhinav Gupta
> Assignee: Peter Skopek
> Priority: Major
>
> Team,
> while using vault.bat, we are not able to see the shared key. For every password entered I get a key as: VAULT::test1::pas::1
> Below is console for vault.bat
> Microsoft Windows [Version 6.1.7601]
> Copyright (c) 2009 Microsoft Corporation. All rights reserved.
> D:\e3c\E3C_Install_ZipTask_SCE_B3\sw\System\WildFly\bin>vault.bat
> =========================================================================
> JBoss Vault Tool
> JBOSS_HOME: "D:\e3c\E3C_Install_ZipTask_SCE_B3\sw\System\WildFly"
> JAVA: "C:\jdk1.7.0_51\bin\java"
> JAVA_OPTS: ""
> =========================================================================
> **********************************
> **** JBoss Vault ***************
> **********************************
> Please enter a Digit:: 0: Start Interactive Session 1: Remove Interactive Session 2: Exit
> 0
> Starting an interactive session
> Enter directory to store encrypted files:D:\e3c\E3C_Install_ZipTask_SCE_B3\sw\System\WildFly\vault
> Enter Keystore URL:D:\e3c\E3C_Install_ZipTask_SCE_B3\sw\System\WildFly\vault\vault.keystore
> Enter Keystore password:
> Enter Keystore password again:
> Values match
> Enter 8 character salt:12345678
> Enter iteration count as a number (e.g.: 44):50
> Enter Keystore Alias:vault
> Initializing Vault
> Jan 12, 2015 1:03:22 PM org.picketbox.plugins.vault.PicketBoxSecurityVault init
> INFO: PBOX000361: Default Security Vault Implementation Initialized and Ready
> Vault Configuration in WildFly configuration file:
> ********************************************
> ...
> </extensions>
> <vault>
> <vault-option name="KEYSTORE_URL" value="D:\e3c\E3C_Install_ZipTask_SCE_B3\sw\System\WildFly\vault\vault.keystore"/>
> <vault-option name="KEYSTORE_PASSWORD" value="MASK-InRT5Cuu6V"/>
> <vault-option name="KEYSTORE_ALIAS" value="vault"/>
> <vault-option name="SALT" value="12345678"/>
> <vault-option name="ITERATION_COUNT" value="50"/>
> <vault-option name="ENC_FILE_DIR" value="D:\e3c\E3C_Install_ZipTask_SCE_B3\sw\System\WildFly\vault\"/>
> </vault><management> ...
> ********************************************
> Vault is initialized and ready for use
> Handshake with Vault complete
> Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
> 0
> Task: Store a secured attribute
> Please enter secured attribute value (such as password):
> Please enter secured attribute value (such as password) again:
> Values match
> Enter Vault Block:test1
> Enter Attribute Name:pas
> Secured attribute value has been stored in Vault.
> Please make note of the following:
> ********************************************
> Vault Block:test1
> Attribute Name:pas
> Configuration should be done as follows:
> VAULT::test1::pas::1
> ********************************************
> Please enter a Digit:: 0: Store a secured attribute 1: Check whether a secured attribute exists 2: Exit
--
[JBoss JIRA] (WFLY-11529) Expose WildFly metrics in /metrics endpoints
by Jeff Mesnil (Jira)
[ https://issues.jboss.org/browse/WFLY-11529?page=com.atlassian.jira.plugin... ]
Jeff Mesnil updated WFLY-11529:
-------------------------------
Issue Type: Enhancement (was: Bug)
> Expose WildFly metrics in /metrics endpoints
> --------------------------------------------
>
> Key: WFLY-11529
> URL: https://issues.jboss.org/browse/WFLY-11529
> Project: WildFly
> Issue Type: Enhancement
> Components: MP Metrics
> Reporter: Jeff Mesnil
> Assignee: Jeff Mesnil
> Priority: Major
>
--
[JBoss JIRA] (WFLY-11529) Expose WildFly metrics in /metrics endpoints
by Jeff Mesnil (Jira)
[ https://issues.jboss.org/browse/WFLY-11529?page=com.atlassian.jira.plugin... ]
Jeff Mesnil updated WFLY-11529:
-------------------------------
Fix Version/s: (was: 15.0.0.Final)
> Expose WildFly metrics in /metrics endpoints
> --------------------------------------------
>
> Key: WFLY-11529
> URL: https://issues.jboss.org/browse/WFLY-11529
> Project: WildFly
> Issue Type: Enhancement
> Components: MP Metrics
> Reporter: Jeff Mesnil
> Assignee: Jeff Mesnil
> Priority: Major
>
--