[JBoss JIRA] (WFLY-11013) Hash encoding Exception when using @DatabaseIdentityStoreDefinition
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-11013?page=com.atlassian.jira.plugin... ]
Darran Lofthouse updated WFLY-11013:
------------------------------------
Fix Version/s: 16.0.0.Beta1
> Hash encoding Exception when using @DatabaseIdentityStoreDefinition
> -------------------------------------------------------------------
>
> Key: WFLY-11013
> URL: https://issues.jboss.org/browse/WFLY-11013
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 14.0.0.Final
> Environment: WildFly 14. Generic Linux. JDK 8/9
> Reporter: Francesco Marchioni
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 16.0.0.Beta1
>
> Attachments: javaee8-secure-servlet.zip
>
>
> When deploying one application using @DatabaseIdentityStoreDefinition, upon successful login, the following exception is thrown
> {code:java}
> java.lang.IllegalArgumentException: Bad hash encoding
> at org.glassfish.soteria.identitystores.hash.Pbkdf2PasswordHashImpl$EncodedPasswordHash.decode(Pbkdf2PasswordHashImpl.java:209)
> at org.glassfish.soteria.identitystores.hash.Pbkdf2PasswordHashImpl$EncodedPasswordHash.<init>(Pbkdf2PasswordHashImpl.java:191)
> at org.glassfish.soteria.identitystores.hash.Pbkdf2PasswordHashImpl.verify(Pbkdf2PasswordHashImpl.java:147)
> at org.glassfish.soteria.identitystores.DatabaseIdentityStore.validate(DatabaseIdentityStore.java:121)
> at org.glassfish.soteria.identitystores.DatabaseIdentityStore.validate(DatabaseIdentityStore.java:101)
> at org.jboss.weldx.security.enterprise.identitystore.IdentityStore$635317201$Proxy$_$$_WeldClientProxy.validate(Unknown Source)
> at org.glassfish.soteria.cdi.DefaultIdentityStoreHandler.validate(DefaultIdentityStoreHandler.java:97)
> {code}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFCORE-4018) Remove alias and read-aliases in a batch causes blocking behavior
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-4018?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-4018.
--------------------------------------
Resolution: Explained
> Remove alias and read-aliases in a batch causes blocking behavior
> -----------------------------------------------------------------
>
> Key: WFCORE-4018
> URL: https://issues.jboss.org/browse/WFCORE-4018
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Claudio Miranda
> Assignee: Michal Petrov
> Priority: Major
>
> Calling :remove-alias and :read-aliases on key-store resource in a composite operation makes the resource blocked.
> Generate two self signed certificates on a key-store resource and store it.
> {code}
> /host=master/server=server-three/subsystem=elytron/key-store=keysto1:generate-key-pair(alias=foobar,distinguished-name="cn=claudio,c=BR")
> /host=master/server=server-three/subsystem=elytron/key-store=keysto1:generate-key-pair(alias=foobar2,distinguished-name="cn=claudio2,c=BR")
> /host=master/server=server-three/subsystem=elytron/key-store=keysto1:store()
> /host=master/server=server-three/subsystem=elytron/key-store=keysto1:read-aliases
> {
> "outcome" => "success",
> "result" => [
> "foobar2",
> "foobar"
> ]
> }
> {code}
> {code}
> batch
> /host=master/server=server-three/subsystem=elytron/key-store=keysto1:remove-alias(alias=foobar)
> /host=master/server=server-three/subsystem=elytron/key-store=keysto1:read-aliases
> run-batch
> {code}
> The above just blocks the prompt.
> Then the blocking operation is show as:
> {code}
> /host=master/core-service=management/service=management-operations:read-resource(include-runtime,recursive)
> {
> "outcome" => "success",
> "result" => {"active-operation" => {
> "352328021" => {
> "access-mechanism" => "NATIVE",
> "address" => [
> ("host" => "master"),
> ("core-service" => "management"),
> ("service" => "management-operations")
> ],
> "caller-thread" => "management-handler-thread - 1",
> "cancelled" => false,
> "domain-rollout" => false,
> "domain-uuid" => undefined,
> "exclusive-running-time" => -1L,
> "execution-status" => "executing",
> "operation" => "read-resource",
> "running-time" => 10032404L
> },
> "-1467399640" => {
> "access-mechanism" => "NATIVE",
> "address" => [],
> "caller-thread" => "management-handler-thread - 2",
> "cancelled" => false,
> "domain-rollout" => false,
> "domain-uuid" => undefined,
> "exclusive-running-time" => -1L,
> "execution-status" => "executing",
> "operation" => "composite",
> "running-time" => 260150849919L
> }
> }}
> }
> {code}
> After timeout there is the following message on CLI prompt
> {code}
> The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error):
> WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:
> Step: step-2
> Operation: /host=master/server=server-three/subsystem=elytron/key-store=keysto1:read-aliases
> Failure: WFLYCTL0409: Execution of operation 'read-aliases' on remote process at address '[
> ("host" => "master"),
> ("server" => "server-three")
> ]' timed out after 305000 ms while awaiting initial response; remote process has been notified to terminate operation
> {code}
> To fix the problem in HAL I will run it as individual commands.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFCORE-3832) Support hex encoding in jdbc-realm for elytron
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-3832?page=com.atlassian.jira.plugi... ]
Darran Lofthouse updated WFCORE-3832:
-------------------------------------
Fix Version/s: 8.0.0.Beta2
> Support hex encoding in jdbc-realm for elytron
> ----------------------------------------------
>
> Key: WFCORE-3832
> URL: https://issues.jboss.org/browse/WFCORE-3832
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 5.0.0.Alpha7
> Reporter: Jan Kalina
> Assignee: Darran Lofthouse
> Priority: Major
> Labels: elytron
> Fix For: 8.0.0.Beta2
>
>
> Old database login-module can be configured passing the attribute {{hashEncoding}}, for example:
> {code:xml}
> <login-module code="Database" flag="required">
> <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
> <module-option name="principalsQuery" value="SELECT password FROM User WHERE username = ?"/>
> <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM User WHERE username = ?"/>
> <module-option name="hashAlgorithm" value="SHA-1"/>
> <module-option name="hashEncoding" value="hex"/>
> <module-option name="hashCharset" value="UTF-8"/>
> </login-module>
> {code}
> Currently jdbc-realm in elytron only uses base64 encoding if hash is stored in a text column. This way the migration is more complicated cos the password hash is not valid changing from old security system to elytron.
> Think also about the charset attribute.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFCORE-3832) Support hex encoding in jdbc-realm for elytron
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-3832?page=com.atlassian.jira.plugi... ]
Darran Lofthouse reassigned WFCORE-3832:
----------------------------------------
Assignee: Darran Lofthouse
> Support hex encoding in jdbc-realm for elytron
> ----------------------------------------------
>
> Key: WFCORE-3832
> URL: https://issues.jboss.org/browse/WFCORE-3832
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 5.0.0.Alpha7
> Reporter: Jan Kalina
> Assignee: Darran Lofthouse
> Priority: Major
> Labels: elytron
> Fix For: 8.0.0.Beta2
>
>
> Old database login-module can be configured passing the attribute {{hashEncoding}}, for example:
> {code:xml}
> <login-module code="Database" flag="required">
> <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
> <module-option name="principalsQuery" value="SELECT password FROM User WHERE username = ?"/>
> <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM User WHERE username = ?"/>
> <module-option name="hashAlgorithm" value="SHA-1"/>
> <module-option name="hashEncoding" value="hex"/>
> <module-option name="hashCharset" value="UTF-8"/>
> </login-module>
> {code}
> Currently jdbc-realm in elytron only uses base64 encoding if hash is stored in a text column. This way the migration is more complicated cos the password hash is not valid changing from old security system to elytron.
> Think also about the charset attribute.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFCORE-3542) Elytron JDBC realm password mapping is not consistent with underlying implementation
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-3542?page=com.atlassian.jira.plugi... ]
Darran Lofthouse updated WFCORE-3542:
-------------------------------------
Fix Version/s: 8.0.0.Beta2
> Elytron JDBC realm password mapping is not consistent with underlying implementation
> ------------------------------------------------------------------------------------
>
> Key: WFCORE-3542
> URL: https://issues.jboss.org/browse/WFCORE-3542
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: David Lloyd
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 8.0.0.Beta2
>
>
> There is no way to configure the JDBC realm to use modular crypt in WildFly, even though the underlying realm does support it.
> The problem is that the *{{salt-index}} and {{itereration-count-index}} attributes should be optional*, and if they not given, a value of {{-1}} should be passed to the mapper. By omitting both of these values, the database column values will then be recognized as modular-crypt strings.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFCORE-3542) Elytron JDBC realm password mapping is not consistent with underlying implementation
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-3542?page=com.atlassian.jira.plugi... ]
Darran Lofthouse reassigned WFCORE-3542:
----------------------------------------
Assignee: Darran Lofthouse
> Elytron JDBC realm password mapping is not consistent with underlying implementation
> ------------------------------------------------------------------------------------
>
> Key: WFCORE-3542
> URL: https://issues.jboss.org/browse/WFCORE-3542
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: David Lloyd
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 8.0.0.Beta2
>
>
> There is no way to configure the JDBC realm to use modular crypt in WildFly, even though the underlying realm does support it.
> The problem is that the *{{salt-index}} and {{itereration-count-index}} attributes should be optional*, and if they not given, a value of {{-1}} should be passed to the mapper. By omitting both of these values, the database column values will then be recognized as modular-crypt strings.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFLY-11131) @LoginToContinue.errorPage doesn't work for pages in WEB-INF (New Java EE 8 Security)
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-11131?page=com.atlassian.jira.plugin... ]
Darran Lofthouse commented on WFLY-11131:
-----------------------------------------
Can you please try again with WildFly 15 backed by WildFly Elytron - if this issue is still present there I will take a look.
> @LoginToContinue.errorPage doesn't work for pages in WEB-INF (New Java EE 8 Security)
> -------------------------------------------------------------------------------------
>
> Key: WFLY-11131
> URL: https://issues.jboss.org/browse/WFLY-11131
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 14.0.1.Final
> Reporter: Instantiation Exception
> Assignee: Darran Lofthouse
> Priority: Major
>
> I have this configuration:
> {code:java}
> @FormAuthenticationMechanismDefinition(
> loginToContinue = @LoginToContinue(
> loginPage = "/WEB-INF/account/login.xhtml",
> errorPage = "/WEB-INF/account/login.xhtml?error=true"))
> @ApplicationScoped
> public class SecurityConfiguration {}
> {code}
> When I open browser and go to restricted page, I am forwarded to login page. Then I input invalid username and password and submit form (action="j_security_check"). My browser sends me redirect to http://localhost:8080/WEB-INF/account/login.xhtml?error=true. I believe it should forward request to /WEB-INF/account/login.xhtml?error=true because standard FORM login-config in web.xml worked this way.
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months