[JBoss JIRA] (WFCORE-2506) Roles are not assigned if access=identity uses Elytron security domain based on legacy security domain
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-2506?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-2506.
--------------------------------------
Assignee: Darran Lofthouse
Resolution: Rejected
Rejected as this is pushing the limits of what is achievable with the PicketBox wrapping.
> Roles are not assigned if access=identity uses Elytron security domain based on legacy security domain
> ------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-2506
> URL: https://issues.jboss.org/browse/WFCORE-2506
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Major
>
> In case when Elytron security domain, which uses legacy security domain (provided through elytron-integration in legacy security subsystem), is used for identity inflow in access=identity, and authentication is provided by security domain which uses some Elytron security realm, then no roles/groups from legacy security domain are assigned to the secured identity. See reproducer for more details.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFLY-8568) Elytron outflow-security-domains doesn't work for Servlet-to-EJB calls
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-8568?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse reassigned WFLY-8568:
--------------------------------------
Assignee: (was: Darran Lofthouse)
> Elytron outflow-security-domains doesn't work for Servlet-to-EJB calls
> ----------------------------------------------------------------------
>
> Key: WFLY-8568
> URL: https://issues.jboss.org/browse/WFLY-8568
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security, Web (Undertow)
> Reporter: Josef Cacek
> Priority: Major
>
> Security context propagation with using Elytron {{outflow-security-domains}} attribute in security domain doesn't work for Servlet-to-EJB calls.
> This could also be a test configuration issue, but as there is not yet documentation covering this area, I can't guess what could be wrong in the scenario.
> 1. I have 2 similar web applications with servlets and EJBs:
> * the `secured-webapp` is mapped to `web-tests` security domain
> * the `second` application is mapped to `second-domain` security domain
> 2. Undertow and EJB subsystems maps the application domains `web-tests` and `second-domain` to Elytron domains with the same name.
> 3. trust between the domains is defined in following way:
> {code}
> /subsystem=elytron/security-domain=second-domain:write-attribute(name=outflow-security-domains,value=[web-tests])
> /subsystem=elytron/security-domain=second-domain:write-attribute(name=trusted-security-domains, value=[web-tests])
> /subsystem=elytron/security-domain=web-tests:write-attribute(name=trusted-security-domains, value=[second-domain])
> {code}
> 4. the test itself calls servlet from the `second` web application and it calls protected EJB from the `secured-webapp`.
> The EJB call fails with EJBAccessException
> {noformat}
> 14:30:04,631 ERROR [org.jboss.as.ejb3.invocation] (default task-3) WFLYEJB0034: EJB Invocation failed on component HelloBean for method public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean: HelloBean is not allowed
> {noformat}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFLY-3313) Websocket Auth - Container is not aware of the Principal
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-3313?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-3313.
------------------------------------
Resolution: Out of Date
Marking as out of date as no further info since WildFly 11 - please fee free to reopen if additional info is available.
> Websocket Auth - Container is not aware of the Principal
> --------------------------------------------------------
>
> Key: WFLY-3313
> URL: https://issues.jboss.org/browse/WFLY-3313
> Project: WildFly
> Issue Type: Bug
> Components: EJB, Security, Web (Undertow), Web Sockets
> Affects Versions: 8.1.0.CR1, 10.0.0.Final
> Reporter: Markus D
> Assignee: Stuart Douglas
> Priority: Major
> Attachments: websocket-different-principals-ejb-vs-socket.png
>
>
> The Websocket is protected by the web.xml. The session object of the callback object correctly returns the principal.
> When an EJB is called the callerPrincipal is always anonymous.
> @Resource
> private SessionContext ctx;
> Principal callerPrincipal = ctx.getCallerPrincipal();
> Running thread here:
> https://community.jboss.org/thread/240617
> Shouldn't the principal be propagated to the EJB container when a websocket callback method triggered?
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFLY-2100) Vault.sh logging improvements
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-2100?page=com.atlassian.jira.plugin.... ]
Darran Lofthouse resolved WFLY-2100.
------------------------------------
Resolution: Rejected
Rejecting as the vault is a part of PicketBox which is now deprecated.
> Vault.sh logging improvements
> -----------------------------
>
> Key: WFLY-2100
> URL: https://issues.jboss.org/browse/WFLY-2100
> Project: WildFly
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 8.0.0.Alpha4
> Reporter: Chris Dolphy
> Assignee: Peter Skopek
> Priority: Major
>
> Several errors with vault.sh (ineractive Vault Tool) do not display enough information to debug.
> For example, "Exception occurred:PBOX000128: Unable to encrypt data". It would be nice if there was some way to see the cause of this exception either with additional logging options, a verbose option or by default. This one is caused by VaultInteraction.java only displaying the localized error message of the exception.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFCORE-3114) Wildfly 10.1.0 add-user command
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-3114?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-3114.
--------------------------------------
Assignee: Darran Lofthouse
Resolution: Rejected
This tool will be revisited at some point when we move the server to use the filesystem realm by default.
> Wildfly 10.1.0 add-user command
> --------------------------------
>
> Key: WFCORE-3114
> URL: https://issues.jboss.org/browse/WFCORE-3114
> Project: WildFly Core
> Issue Type: Bug
> Components: Scripts, Security
> Affects Versions: 2.2.1.Final
> Environment: Windows 10 64 bit
> Wildfly 10.1.0
> Reporter: Bobby Bassman
> Assignee: Darran Lofthouse
> Priority: Major
>
> If Wildfly 10 does not initially have the 'admin' user. It must be created using the 'add-user' command line. When the command ('add-user') is used, without any warning, it may update the property files belonging to a different Jboss installation, rendering that installation broken.
> This is because 'add-user' relies on environment variable 'JBOSS_HOME' - which may be set to a JBoss installation other than the Wildfly installation to which the 'add-user' command applies.
> It appears that 'add-user.bat' has some code to detect this scenario, but it didn't work.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months