[JBoss JIRA] (WFLY-6237) JASPI: Principal does not get registered with the session when request is forwarded/dispatched
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-6237?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-6237.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
> JASPI: Principal does not get registered with the session when request is forwarded/dispatched
> ----------------------------------------------------------------------------------------------
>
> Key: WFLY-6237
> URL: https://issues.jboss.org/browse/WFLY-6237
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 10.0.0.Final
> Environment: Java 8u74, OS X 10.11
> Reporter: Alexander Sparkowsky
> Assignee: Darran Lofthouse
> Priority: Major
>
> Up to WildFly 9 I had a working JASPI SAM that would register a successful authentication by using {{messageInfo.getMap().put("javax.servlet.http.registerSession", TRUE.toString());}} and then forward the request using {{request.getRequestDispatcher(target).forward(request, response);}}.
> The module stopped working in WildFly 10. The request is forwarded, but the authenticated principal is not registered with the session or, to be more precise, a new session seems to be generated during the dispatch. As a matter of fact the dispatched request will be rejected as unauthorized.
> I'm providing a sample project to reproduce the problem (see below).
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
[JBoss JIRA] (WFLY-5396) Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-5396?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-5396.
------------------------------------
Release Notes Text: Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
Assignee: Darran Lofthouse
Resolution: Won't Fix
> Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
> -----------------------------------------------------------------------------
>
> Key: WFLY-5396
> URL: https://issues.jboss.org/browse/WFLY-5396
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 10.0.0.CR1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Major
>
> Search scope OBJECT_SCOPE does not work correctly for AdvancedLdapLoginModule
> LDAP authentication fails (HTTP 401 returned) when the login module option searchScope=OBJECT_SCOPE is used.
> This problem is caused by searching attributes for a role DN which starts with a comma, e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".
> You can reproduce it with the following configuration:
> Security domain:
> {code:xml}
> <security-domain name="ldap">
> <authentication>
> <login-module code="AdvancedLdap" flag="required">
> <module-option name="bindDN" value="uid=admin,ou=system"/>
> <module-option name="bindCredential" value="secret"/>
> <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
> <module-option name="searchScope" value="OBJECT_SCOPE"/>
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
> <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
> <module-option name="throwValidateError" value="true"/>
> <module-option name="baseFilter" value="(uid={0})"/>
> <module-option name="roleFilter" value="(member={1})"/>
> <module-option name="roleAttributeID" value="cn"/>
> <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
> <module-option name="java.naming.security.authentication" value="simple"/>
> </login-module>
> </authentication>
> </security-domain>
> {code}
> LDIF for role:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
> dn: uid=jduke,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: jduke
> cn: Java Duke
> sn: Duke
> userPassword: Password1
> dn: ou=Roles,dc=jboss,dc=org
> objectClass: top
> objectClass: organizationalUnit
> ou: Roles
> dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
> objectClass: top
> objectClass: groupOfNames
> cn: JBossAdmin
> member: uid=jduke,ou=People,dc=jboss,dc=org
> {code}
> It seems the method AdvancedLdapLoginModule.canonicalize() causes this problem.
[JBoss JIRA] (WFLY-5395) Search scope OBJECT_SCOPE does not work correctly for LdapExtLoginModule
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-5395?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-5395.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
> Search scope OBJECT_SCOPE does not work correctly for LdapExtLoginModule
> ------------------------------------------------------------------------
>
> Key: WFLY-5395
> URL: https://issues.jboss.org/browse/WFLY-5395
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 10.0.0.CR1
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Major
>
> LDAP authentication fails (HTTP 401 returned) when the login module option searchScope=OBJECT_SCOPE is used.
> This problem is caused by searching attributes for a role DN which starts with a comma, e.g. ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".
> You can reproduce it with the following configuration:
> Security domain:
> {code:xml}
> <security-domain name="ldap">
> <authentication>
> <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
> <module-option name="searchScope" value="OBJECT_SCOPE"/>
> <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
> <module-option name="java.naming.provider.url" value="ldap://localhost:10389"/>
> <module-option name="roleAttributeIsDN" value="true"/>
> <module-option name="roleFilter" value="(member={1})"/>
> <module-option name="roleAttributeID" value="cn"/>
> <module-option name="rolesCtxDN" value="cn=JBossAdmin,ou=Roles,dc=jboss,dc=org"/>
> <module-option name="java.naming.security.authentication" value="simple"/>
> <module-option name="bindDN" value="uid=admin,ou=system"/>
> <module-option name="bindCredential" value="secret"/>
> <module-option name="baseCtxDN" value="ou=People,dc=jboss,dc=org"/>
> <module-option name="throwValidateError" value="true"/>
> <module-option name="baseFilter" value="(uid={0})"/>
> <module-option name="roleNameAttributeID" value="cn"/>
> </login-module>
> </authentication>
> </security-domain>
> {code}
> LDIF for role:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
> dn: uid=jduke,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: jduke
> cn: Java Duke
> sn: Duke
> userPassword: Password1
> dn: ou=Roles,dc=jboss,dc=org
> objectClass: top
> objectClass: organizationalUnit
> ou: Roles
> dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
> objectClass: top
> objectClass: groupOfNames
> cn: JBossAdmin
> member: uid=jduke,ou=People,dc=jboss,dc=org
> {code}
> It seems the method LdapExtLoginModule.canonicalize() causes this problem.
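WFLY-5396 and WFLY-5395 above describe one defect seen through two login modules: with searchScope=OBJECT_SCOPE the role DN comes out as ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org". The Java below is an added example written for this page, not PicketBox or WildFly code. It assumes (an assumption, since the reports only name canonicalize() as the culprit) that the role DN is built by prefixing the search result's relative name to rolesCtxDN with a comma, which yields the leading comma when OBJECT_SCOPE returns the search base itself with an empty relative name. It shows that join beside a corrected one, and uses javax.naming.ldap.LdapName as the well-formedness check a module should apply before a DN is used for a role lookup, so that a malformed DN fails closed instead of producing a surprising 401 or, worse, matching the wrong entry.

```java
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/**
 * Reconstruction (an assumption, not PicketBox source) of how a role DN is
 * assembled from an LDAP search result and why OBJECT_SCOPE produces a DN
 * that starts with a comma.
 */
public final class RoleDnCanonicalizer {

    private RoleDnCanonicalizer() {}

    /**
     * Assumed naive join: the relative name of the search result is prefixed
     * to rolesCtxDN unconditionally. With OBJECT_SCOPE the search base itself
     * is the match and its relative name is "", so the output is
     * ",cn=JBossAdmin,ou=Roles,dc=jboss,dc=org".
     */
    public static String naiveCanonicalize(String relativeName, String rolesCtxDn) {
        String suffix = rolesCtxDn.isEmpty() ? "" : "," + rolesCtxDn;
        return relativeName + suffix;
    }

    /**
     * Corrected join: an empty relative name means the matched entry is the
     * search base, so rolesCtxDN is returned as-is; a relative name that is
     * already absolute (ends with rolesCtxDN) is passed through unchanged.
     */
    public static String canonicalize(String relativeName, String rolesCtxDn) {
        if (relativeName == null || relativeName.isEmpty()) {
            return rolesCtxDn;
        }
        if (rolesCtxDn == null || rolesCtxDn.isEmpty()) {
            return relativeName;
        }
        if (relativeName.toLowerCase(Locale.ROOT).endsWith(rolesCtxDn.toLowerCase(Locale.ROOT))) {
            return relativeName;
        }
        return relativeName + "," + rolesCtxDn;
    }

    /** True only if the string parses as an RFC 2253 DN; a leading comma does not. */
    public static boolean isWellFormedDn(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the reports. First pair: rolesCtxDN points
        // at the group entry itself, so OBJECT_SCOPE returns it with relative
        // name "". Second pair: a SUBTREE/ONELEVEL hit one level below the base.
        String[][] cases = {
            { "", "cn=JBossAdmin,ou=Roles,dc=jboss,dc=org" },
            { "cn=JBossAdmin", "ou=Roles,dc=jboss,dc=org" },
        };
        for (String[] c : cases) {
            String naive = naiveCanonicalize(c[0], c[1]);
            String fixed = canonicalize(c[0], c[1]);
            System.out.printf("relative=\"%s\"%n  naive: %s (wellFormed=%b)%n  fixed: %s (wellFormed=%b)%n",
                    c[0], naive, isWellFormedDn(naive), fixed, isWellFormedDn(fixed));
        }
    }
}
```

Compile and run with `javac RoleDnCanonicalizer.java && java RoleDnCanonicalizer`; no LDAP server is needed, since the example only exercises the string handling that sits between the search result and the role lookup.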
[JBoss JIRA] (WFLY-4626) Jaspic Module javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-4626?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-4626.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
> Jaspic Module javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
> ---------------------------------------------------------------------
>
> Key: WFLY-4626
> URL: https://issues.jboss.org/browse/WFLY-4626
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security
> Affects Versions: 9.0.0.CR1
> Reporter: Philipp Plogmann
> Assignee: Darran Lofthouse
> Priority: Major
> Attachments: AutorizationTest.zip
>
>
> I am currently evaluating using a JASPIC module for authentication and am encountering the following issue. It happens on WFLY 8.2 and 9 CR1.
> When registering a JASPIC security module the user is not propagated correctly from web to ejb layer.
> I used some code from the WildFly Arquillian tests to get started with JASPIC and have a very simple test application with one JAX-RS endpoint which is an EJB.
> The following exception occurs:
> 2015-05-12 09:04:48,389 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component Test for method public java.lang.String net.hellmann.hps.autorizationtest.Test.test(): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
> at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
> at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
> at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:66)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356)
> at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:634)
> at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356)
> at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
> at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:195)
> at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
> at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
> at net.hellmann.hps.autorizationtest.Test$$$view1.test(Unknown Source)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:237)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:744)
> 2015-05-12 09:04:48,541 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /AutorizationTest-2.0.0-SNAPSHOT/test: org.jboss.resteasy.spi.UnhandledException: javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:744)
> Caused by: javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
> at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
> at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
> at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:66)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356)
> at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:634)
> at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356)
> at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
> at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:195)
> at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
> at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
> at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
> at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
> at net.hellmann.hps.autorizationtest.Test$$$view1.test(Unknown Source)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:237)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
> ... 35 more
> standalone.xml is unmodified except for adding the security domain:
> <security-domain name="jaspitest" cache-type="default">
> <authentication-jaspi>
> <login-module-stack name="dummy">
> <login-module code="Dummy" flag="optional"/>
> </login-module-stack>
> <auth-module code="Dummy"/>
> </authentication-jaspi>
> </security-domain>
> and added it as the default to the ejb subsystem.
> This might be the same / related to https://issues.jboss.org/browse/WFLY-4625
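WFLY-6237 and WFLY-4626 both register a caller from a JASPIC ServerAuthModule. The class below is an added example written for this page, not the reporters' sample projects and not WildFly code. It follows the sequence WFLY-6237 describes (callbacks to establish the caller, the javax.servlet.http.registerSession flag from the JASPIC 1.1 Servlet Container Profile, then a forward) against the javax.security.auth.message and javax.servlet APIs. The forwardTarget option name and the group name "user" are assumptions, and credential validation is left to a subclass because it is deployment-specific; the module fails closed when validation returns nothing, so no principal is ever established for an unvalidated request.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Skeleton of the flow the reporter describes: establish the caller through the
 * container's callback handler, ask the container to register the result with the
 * HTTP session, then forward. Credential validation itself is left abstract.
 */
public abstract class RegisteringForwardSam implements ServerAuthModule {

    // JASPIC 1.1 (Servlet Container Profile) key asking the container to keep the
    // authenticated caller in the session across requests.
    static final String REGISTER_SESSION = "javax.servlet.http.registerSession";

    private static final Class<?>[] SUPPORTED = { HttpServletRequest.class, HttpServletResponse.class };

    private CallbackHandler handler;
    private String forwardTarget;   // hypothetical module option, e.g. "/app/home"

    @Override
    @SuppressWarnings("rawtypes")
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        Object target = options == null ? null : options.get("forwardTarget");
        this.forwardTarget = target == null ? "/" : target.toString();
    }

    @Override
    @SuppressWarnings("rawtypes")
    public Class[] getSupportedMessageTypes() {
        return SUPPORTED.clone();
    }

    /** Returns the validated user name, or null when the request carries no valid credential. */
    protected abstract String validateCredential(HttpServletRequest request);

    /** Groups for the validated user; override with a real role mapping. */
    protected String[] groupsFor(String user) {
        return new String[] { "user" };
    }

    @Override
    @SuppressWarnings("unchecked")
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        String user = validateCredential(request);
        if (user == null) {
            // Fail closed: no callbacks are issued, so no principal is established.
            try {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } catch (IOException e) {
                throw (AuthException) new AuthException(e.getMessage()).initCause(e);
            }
            return AuthStatus.SEND_FAILURE;
        }

        try {
            // The container populates clientSubject from these callbacks.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, groupsFor(user)) });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }

        // Register the authenticated caller with the session, then forward as the report does.
        messageInfo.getMap().put(REGISTER_SESSION, Boolean.TRUE.toString());
        try {
            request.getRequestDispatcher(forwardTarget).forward(request, response);
        } catch (ServletException | IOException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        // The module produced the response itself; the container must not invoke the resource.
        return AuthStatus.SEND_CONTINUE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}
```

A concrete subclass implements validateCredential() against whatever token or assertion the deployment uses; the WFLY-6237 symptom (a fresh session during the dispatch) is observable by checking request.getSession(false).getId() before the forward and again in the forwarded resource.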
[JBoss JIRA] (WFLY-3915) Dynamic configuration of outbound SSL connections
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-3915?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-3915.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Out of Date
Marking as out of date; we have recently added support for setting the default SSLContext, and we have other issues open to look at dynamically selecting a context based on the destination.
> Dynamic configuration of outbound SSL connections
> -------------------------------------------------
>
> Key: WFLY-3915
> URL: https://issues.jboss.org/browse/WFLY-3915
> Project: WildFly
> Issue Type: Feature Request
> Components: Security
> Reporter: James Livingston
> Assignee: Darran Lofthouse
> Priority: Major
>
> WebSphere has a feature called "Dynamic outbound SSL configuration" (http://www-01.ibm.com/support/knowledgecenter/SSCKBL_8.5.5/com.ibm.websph...), which allows the configuration of SSL parameters for connections which are not opened directly by the container.
> That can be useful for configuring the SSL usage of components such as resource adapters, JDBC drivers, and application-packaged web service libraries. For example, the truststore/keystore could be configured differently for all requests to the database host, so that the global javax.net.ssl settings do not need to be modified if the driver does not itself provide a way to configure it.
> I believe that it is implemented by using javax.net.ssl.SSLContext.setDefault() to replace the standard socket factory. The socket factory could then look at the passed hostname/port, and potentially the calling application to configure the SSL socket appropriately before returning it to the caller.
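The request above describes choosing SSL parameters by destination for connections the container does not open itself. The Java below is an added example written for this page, not WebSphere's feature and not WildFly code: a javax.net.ssl.SSLSocketFactory that picks an SSLContext by destination host name and falls back to the JVM default for everything else. It stops short of the SSLContext.setDefault() route the reporter mentions (that needs a custom SSLContextSpi) and instead installs the factory for HttpsURLConnection; the host db.example.internal and the per-host context are constructed for the demonstration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Routes each outbound TLS connection to an SSLContext chosen by destination
 * host name, falling back to the JVM default context for everything else.
 */
public final class DestinationRoutingSslSocketFactory extends SSLSocketFactory {

    private final Map<String, SSLContext> byHost = new ConcurrentHashMap<>();
    private final SSLContext fallback;

    public DestinationRoutingSslSocketFactory(SSLContext fallback) {
        this.fallback = fallback;
    }

    /** Registers a context (e.g. one trusting only the database CA) for one host. */
    public void register(String host, SSLContext ctx) {
        byHost.put(host.toLowerCase(Locale.ROOT), ctx);
    }

    /** Selection rule, exposed so it can be unit-tested without opening sockets. */
    public SSLContext contextFor(String host) {
        SSLContext ctx = host == null ? null : byHost.get(host.toLowerCase(Locale.ROOT));
        return ctx != null ? ctx : fallback;
    }

    private SSLSocketFactory delegate(String host) {
        return contextFor(host).getSocketFactory();
    }

    @Override public String[] getDefaultCipherSuites() {
        return fallback.getSocketFactory().getDefaultCipherSuites();
    }

    @Override public String[] getSupportedCipherSuites() {
        return fallback.getSocketFactory().getSupportedCipherSuites();
    }

    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return delegate(host).createSocket(s, host, port, autoClose);
    }

    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate(host).createSocket(host, port);
    }

    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return delegate(host).createSocket(host, port, localHost, localPort);
    }

    // The InetAddress overloads carry no host name. Keying on a reverse DNS lookup
    // would let DNS choose the trust configuration, so these use the fallback only.
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return fallback.getSocketFactory().createSocket(host, port);
    }

    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return fallback.getSocketFactory().createSocket(address, port, localAddress, localPort);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SSLContext jvmDefault = SSLContext.getDefault();
        // Hypothetical per-host context; a real one would be initialised with a
        // TrustManagerFactory loaded from the database CA truststore.
        SSLContext dbContext = SSLContext.getInstance("TLS");
        dbContext.init(null, null, null);

        DestinationRoutingSslSocketFactory factory = new DestinationRoutingSslSocketFactory(jvmDefault);
        factory.register("db.example.internal", dbContext);   // constructed host name

        // Applies to HttpsURLConnection only; JDBC drivers and resource adapters
        // must be pointed at the factory through their own settings.
        HttpsURLConnection.setDefaultSSLSocketFactory(factory);

        System.out.println("db host -> per-host context: " + (factory.contextFor("DB.example.internal") == dbContext));
        System.out.println("other   -> JVM default:      " + (factory.contextFor("www.example.com") == jvmDefault));
    }
}
```

The design choice worth noting is that routing happens only on the host name the caller supplied; a per-destination trust configuration is only as strong as the key it is selected by, and a reverse lookup is not a key an attacker-controlled resolver should be allowed to pick.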
[JBoss JIRA] (WFLY-1371) AuthorizationModule.destroy is never called
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-1371?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-1371.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Won't Fix
Marking as 'Won't Fix' as this is in relation to PicketBox which is deprecated.
> AuthorizationModule.destroy is never called
> -------------------------------------------
>
> Key: WFLY-1371
> URL: https://issues.jboss.org/browse/WFLY-1371
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 8.0.0.Alpha1
> Reporter: Vlad Arkhipov
> Assignee: Darran Lofthouse
> Priority: Major
>
> If you define a custom authorization module in the configuration XML, its org.jboss.security.authorization.AuthorizationModule.destroy() is never called. So if you have some stuff in its sharedState field, it leads to a memory leak. I'm not quite sure which project is responsible for calling this method, PicketBox or WildFly.
> As a workaround I currently clear the sharedState field in the abort() and commit() methods.
[JBoss JIRA] (WFLY-1191) Vault usage in a master-slave setup in AS7/EAP6
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-1191?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-1191.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Won't Do
Marking as 'Won't Do' as this is in relation to the vault, which is a deprecated PicketBox component; we are presently evaluating a set of new credential store enhancements.
> Vault usage in a master-slave setup in AS7/EAP6
> -----------------------------------------------
>
> Key: WFLY-1191
> URL: https://issues.jboss.org/browse/WFLY-1191
> Project: WildFly
> Issue Type: Feature Request
> Components: Security
> Reporter: Hisanobu Okuda
> Assignee: Darran Lofthouse
> Priority: Major
>
> In domain mode, you need to copy the vault files (keystore, Shared.dat, ENC.dat) to each machine within the domain. This is a very bad solution when your security policy requires frequent password updates.
[JBoss JIRA] (WFLY-442) Review of AccessController and PrivilegedAction use across the application server.
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-442?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated WFLY-442:
----------------------------------
Summary: Review of AccessController and PrivilegedAction use across the application server. (was: Review of AccessController and PrivilegedAction use across AS7)
> Review of AccessController and PrivilegedAction use across the application server.
> ----------------------------------------------------------------------------------
>
> Key: WFLY-442
> URL: https://issues.jboss.org/browse/WFLY-442
> Project: WildFly
> Issue Type: Task
> Components: Security
> Reporter: Darran Lofthouse
> Priority: Major
> Labels: investigation_required
>
> The following needs reviewing across AS7: -
> - On demand instantiation of PrivilegedActions where singletons would suffice (Consider frequency of calls, gc may be preferable).
> - Use of AccessController even though there is no SecurityManager set.
> - Code duplication: in every case I have seen so far the code is the same regardless of whether PRIVILEGED or NON_PRIVILEGED.
> - Utility methods with visibility too high.
> - In-depth review of the other methods, i.e. if the first thing a public method does is set the class loader based on a parameter passed in, it could be used badly; it may even be a justification for that method to NOT use a PrivilegedAction.
> - Code that needs to be executed using a PrivilegedAction should also be double-checked to ensure it is not doing too much as the identity of the caller.
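Added example for the review items listed above (written for this page, not WildFly code): a small utility showing the shape the task asks for on the JDK 6 to 8 SecurityManager model of the time, i.e. one shared PrivilegedAction, a single code path with the doPrivileged call skipped when no SecurityManager is installed, package-private visibility, and a TCCL setter that takes a caller-supplied loader without a PrivilegedAction so that the caller's own permissions apply. The class name and the main() walkthrough are constructed for the demonstration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * One code path whether or not a SecurityManager is installed, a shared
 * PrivilegedAction instead of a new one per call, and restricted visibility
 * for the helper that changes thread state.
 */
final class ContextClassLoaderActions {

    private ContextClassLoaderActions() {}

    // Stateless, so a single shared instance serves every call (no per-call allocation).
    private static final PrivilegedAction<ClassLoader> GET_TCCL = new PrivilegedAction<ClassLoader>() {
        @Override
        public ClassLoader run() {
            return Thread.currentThread().getContextClassLoader();
        }
    };

    /**
     * Package-private on purpose: only code in this package may read the TCCL
     * through the privileged path. Without a SecurityManager the doPrivileged
     * stack walk buys nothing, so it is skipped.
     */
    static ClassLoader getContextClassLoader() {
        if (System.getSecurityManager() == null) {
            return Thread.currentThread().getContextClassLoader();
        }
        return AccessController.doPrivileged(GET_TCCL);
    }

    /**
     * Sets the TCCL from a caller-supplied value. This deliberately does NOT use a
     * PrivilegedAction: if it did, any caller able to reach this method could change
     * the class loader with this class's permissions rather than its own. With a
     * SecurityManager installed the caller therefore needs
     * RuntimePermission("setContextClassLoader") itself.
     */
    static ClassLoader setContextClassLoader(ClassLoader loader) {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        return previous;
    }

    public static void main(String[] args) {
        ClassLoader before = getContextClassLoader();
        ClassLoader previous = setContextClassLoader(ClassLoader.getSystemClassLoader());
        try {
            System.out.println("swapped:  " + (getContextClassLoader() == ClassLoader.getSystemClassLoader()));
        } finally {
            setContextClassLoader(previous);   // always restore, even if the body throws
        }
        System.out.println("restored: " + (getContextClassLoader() == before));
    }
}
```

The restore in a finally block is the part most often missed in the pattern the task describes: a method that sets the TCCL from a parameter and then fails part-way leaves the worker thread carrying a loader the next request never asked for.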