December 2018 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-11013) Hash encoding Exception when using @DatabaseIdentityStoreDefinition

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFLY-11013?page=com.atlassian.jira.plugin... ] Darran Lofthouse updated WFLY-11013: ------------------------------------ Fix Version/s: 16.0.0.Beta1 > Hash encoding Exception when using @DatabaseIdentityStoreDefinition > ------------------------------------------------------------------- > > Key: WFLY-11013 > URL: https://issues.jboss.org/browse/WFLY-11013 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 14.0.0.Final > Environment: WildFly 14. Generic Linux. JDK 8/9 > Reporter: Francesco Marchioni > Assignee: Darran Lofthouse > Priority: Major > Fix For: 16.0.0.Beta1 > > Attachments: javaee8-secure-servlet.zip > > > When deploying one application using @DatabaseIdentityStoreDefinition, upon successful login, the following exception is thrown > {code:java} > java.lang.IllegalArgumentException: Bad hash encoding > at org.glassfish.soteria.identitystores.hash.Pbkdf2PasswordHashImpl$EncodedPasswordHash.decode(Pbkdf2PasswordHashImpl.java:209) > at org.glassfish.soteria.identitystores.hash.Pbkdf2PasswordHashImpl$EncodedPasswordHash.<init>(Pbkdf2PasswordHashImpl.java:191) > at org.glassfish.soteria.identitystores.hash.Pbkdf2PasswordHashImpl.verify(Pbkdf2PasswordHashImpl.java:147) > at org.glassfish.soteria.identitystores.DatabaseIdentityStore.validate(DatabaseIdentityStore.java:121) > at org.glassfish.soteria.identitystores.DatabaseIdentityStore.validate(DatabaseIdentityStore.java:101) > at org.jboss.weldx.security.enterprise.identitystore.IdentityStore$635317201$Proxy$_$$_WeldClientProxy.validate(Unknown Source) > at org.glassfish.soteria.cdi.DefaultIdentityStoreHandler.validate(DefaultIdentityStoreHandler.java:97) > {code} -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-4018) Remove alias and read-aliases in a batch causes blocking behavior

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFCORE-4018?page=com.atlassian.jira.plugi... ] Darran Lofthouse resolved WFCORE-4018. -------------------------------------- Resolution: Explained > Remove alias and read-aliases in a batch causes blocking behavior > ----------------------------------------------------------------- > > Key: WFCORE-4018 > URL: https://issues.jboss.org/browse/WFCORE-4018 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: Claudio Miranda > Assignee: Michal Petrov > Priority: Major > > Calling :remove-alias and :read-aliases on key-store resource in a composite operation makes the resource blocked. > Generate two self signed certificates on a key-store resource and store it. > {code} > /host=master/server=server-three/subsystem=elytron/key-store=keysto1:generate-key-pair(alias=foobar,distinguished-name="cn=claudio,c=BR") > /host=master/server=server-three/subsystem=elytron/key-store=keysto1:generate-key-pair(alias=foobar2,distinguished-name="cn=claudio2,c=BR") > /host=master/server=server-three/subsystem=elytron/key-store=keysto1:store() > /host=master/server=server-three/subsystem=elytron/key-store=keysto1:read-aliases > { > "outcome" => "success", > "result" => [ > "foobar2", > "foobar" > ] > } > {code} > {code} > batch > /host=master/server=server-three/subsystem=elytron/key-store=keysto1:remove-alias(alias=foobar) > /host=master/server=server-three/subsystem=elytron/key-store=keysto1:read-aliases > run-batch > {code} > The above just blocks the prompt. > Then the blocking operation is show as: > {code} > /host=master/core-service=management/service=management-operations:read-resource(include-runtime,recursive) > { > "outcome" => "success", > "result" => {"active-operation" => { > "352328021" => { > "access-mechanism" => "NATIVE", > "address" => [ > ("host" => "master"), > ("core-service" => "management"), > ("service" => "management-operations") > ], > "caller-thread" => "management-handler-thread - 1", > "cancelled" => false, > "domain-rollout" => false, > "domain-uuid" => undefined, > "exclusive-running-time" => -1L, > "execution-status" => "executing", > "operation" => "read-resource", > "running-time" => 10032404L > }, > "-1467399640" => { > "access-mechanism" => "NATIVE", > "address" => [], > "caller-thread" => "management-handler-thread - 2", > "cancelled" => false, > "domain-rollout" => false, > "domain-uuid" => undefined, > "exclusive-running-time" => -1L, > "execution-status" => "executing", > "operation" => "composite", > "running-time" => 260150849919L > } > }} > } > {code} > After timeout there is the following message on CLI prompt > {code} > The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error): > WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed: > Step: step-2 > Operation: /host=master/server=server-three/subsystem=elytron/key-store=keysto1:read-aliases > Failure: WFLYCTL0409: Execution of operation 'read-aliases' on remote process at address '[ > ("host" => "master"), > ("server" => "server-three") > ]' timed out after 305000 ms while awaiting initial response; remote process has been notified to terminate operation > {code} > To fix the problem in HAL I will run it as individual commands. -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3969) ALIAS_FILTER in Elytron trustmanager ignored when crl used

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFCORE-3969?page=com.atlassian.jira.plugi... ] Darran Lofthouse commented on WFCORE-3969: ------------------------------------------ [~mmazanek] Did you want to see if this is still relevant with the new OCSP direction? > ALIAS_FILTER in Elytron trustmanager ignored when crl used > ---------------------------------------------------------- > > Key: WFCORE-3969 > URL: https://issues.jboss.org/browse/WFCORE-3969 > Project: WildFly Core > Issue Type: Bug > Components: Security > Affects Versions: 6.0.0.Alpha2 > Reporter: Jan Kalina > Assignee: Martin Mazanek > Priority: Major > -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3969) ALIAS_FILTER in Elytron trustmanager ignored when crl used

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFCORE-3969?page=com.atlassian.jira.plugi... ] Darran Lofthouse reassigned WFCORE-3969: ---------------------------------------- Assignee: Martin Mazanek > ALIAS_FILTER in Elytron trustmanager ignored when crl used > ---------------------------------------------------------- > > Key: WFCORE-3969 > URL: https://issues.jboss.org/browse/WFCORE-3969 > Project: WildFly Core > Issue Type: Bug > Components: Security > Affects Versions: 6.0.0.Alpha2 > Reporter: Jan Kalina > Assignee: Martin Mazanek > Priority: Major > -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3832) Support hex encoding in jdbc-realm for elytron

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFCORE-3832?page=com.atlassian.jira.plugi... ] Darran Lofthouse updated WFCORE-3832: ------------------------------------- Fix Version/s: 8.0.0.Beta2 > Support hex encoding in jdbc-realm for elytron > ---------------------------------------------- > > Key: WFCORE-3832 > URL: https://issues.jboss.org/browse/WFCORE-3832 > Project: WildFly Core > Issue Type: Feature Request > Components: Security > Affects Versions: 5.0.0.Alpha7 > Reporter: Jan Kalina > Assignee: Darran Lofthouse > Priority: Major > Labels: elytron > Fix For: 8.0.0.Beta2 > > > Old database login-module can be configured passing the attribute {{hashEncoding}}, for example: > {code:xml} > <login-module code="Database" flag="required"> > <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/> > <module-option name="principalsQuery" value="SELECT password FROM User WHERE username = ?"/> > <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM User WHERE username = ?"/> > <module-option name="hashAlgorithm" value="SHA-1"/> > <module-option name="hashEncoding" value="hex"/> > <module-option name="hashCharset" value="UTF-8"/> > </login-module> > {code} > Currently jdbc-realm in elytron only uses base64 encoding if hash is stored in a text column. This way the migration is more complicated cos the password hash is not valid changing from old security system to elytron. > Think also about the charset attribute. -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3832) Support hex encoding in jdbc-realm for elytron

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFCORE-3832?page=com.atlassian.jira.plugi... ] Darran Lofthouse reassigned WFCORE-3832: ---------------------------------------- Assignee: Darran Lofthouse > Support hex encoding in jdbc-realm for elytron > ---------------------------------------------- > > Key: WFCORE-3832 > URL: https://issues.jboss.org/browse/WFCORE-3832 > Project: WildFly Core > Issue Type: Feature Request > Components: Security > Affects Versions: 5.0.0.Alpha7 > Reporter: Jan Kalina > Assignee: Darran Lofthouse > Priority: Major > Labels: elytron > Fix For: 8.0.0.Beta2 > > > Old database login-module can be configured passing the attribute {{hashEncoding}}, for example: > {code:xml} > <login-module code="Database" flag="required"> > <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/> > <module-option name="principalsQuery" value="SELECT password FROM User WHERE username = ?"/> > <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM User WHERE username = ?"/> > <module-option name="hashAlgorithm" value="SHA-1"/> > <module-option name="hashEncoding" value="hex"/> > <module-option name="hashCharset" value="UTF-8"/> > </login-module> > {code} > Currently jdbc-realm in elytron only uses base64 encoding if hash is stored in a text column. This way the migration is more complicated cos the password hash is not valid changing from old security system to elytron. > Think also about the charset attribute. -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3542) Elytron JDBC realm password mapping is not consistent with underlying implementation

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFCORE-3542?page=com.atlassian.jira.plugi... ] Darran Lofthouse updated WFCORE-3542: ------------------------------------- Fix Version/s: 8.0.0.Beta2 > Elytron JDBC realm password mapping is not consistent with underlying implementation > ------------------------------------------------------------------------------------ > > Key: WFCORE-3542 > URL: https://issues.jboss.org/browse/WFCORE-3542 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: David Lloyd > Assignee: Darran Lofthouse > Priority: Major > Fix For: 8.0.0.Beta2 > > > There is no way to configure the JDBC realm to use modular crypt in WildFly, even though the underlying realm does support it. > The problem is that the *{{salt-index}} and {{itereration-count-index}} attributes should be optional*, and if they not given, a value of {{-1}} should be passed to the mapper. By omitting both of these values, the database column values will then be recognized as modular-crypt strings. -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3542) Elytron JDBC realm password mapping is not consistent with underlying implementation

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFCORE-3542?page=com.atlassian.jira.plugi... ] Darran Lofthouse reassigned WFCORE-3542: ---------------------------------------- Assignee: Darran Lofthouse > Elytron JDBC realm password mapping is not consistent with underlying implementation > ------------------------------------------------------------------------------------ > > Key: WFCORE-3542 > URL: https://issues.jboss.org/browse/WFCORE-3542 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: David Lloyd > Assignee: Darran Lofthouse > Priority: Major > Fix For: 8.0.0.Beta2 > > > There is no way to configure the JDBC realm to use modular crypt in WildFly, even though the underlying realm does support it. > The problem is that the *{{salt-index}} and {{itereration-count-index}} attributes should be optional*, and if they not given, a value of {{-1}} should be passed to the mapper. By omitting both of these values, the database column values will then be recognized as modular-crypt strings. -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFLY-11130) javax.security.enterprise.SecurityContext.isCallerInRole throws NullPointerException if the caller is not authenticated (New Java EE 8 Security)

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFLY-11130?page=com.atlassian.jira.plugin... ] Darran Lofthouse commented on WFLY-11130: ----------------------------------------- Can you please try again with WildFly 15 backed by WildFly Elytron, if the issue is still present there I will take a look. > javax.security.enterprise.SecurityContext.isCallerInRole throws NullPointerException if the caller is not authenticated (New Java EE 8 Security) > ------------------------------------------------------------------------------------------------------------------------------------------------ > > Key: WFLY-11130 > URL: https://issues.jboss.org/browse/WFLY-11130 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 14.0.1.Final > Reporter: Instantiation Exception > Assignee: Darran Lofthouse > Priority: Major > > I tried to use new Java EE 8 Security API and noticed that javax.security.enterprise.SecurityContext.isCallerInRole throws NullPointerException if the caller is not authenticated. But according to JavaDoc it should return false in this situation. -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

[JBoss JIRA] (WFLY-11131) @LoginToContinue.errorPage doesn't work for pages in WEB-INF (New Java EE 8 Security)

by Darran Lofthouse (Jira)

[ https://issues.jboss.org/browse/WFLY-11131?page=com.atlassian.jira.plugin... ] Darran Lofthouse commented on WFLY-11131: ----------------------------------------- Can you please try again with WildFly 15 backed by WildFly Elytron - if this issue is still present there I will take a look. > @LoginToContinue.errorPage doesn't work for pages in WEB-INF (New Java EE 8 Security) > ------------------------------------------------------------------------------------- > > Key: WFLY-11131 > URL: https://issues.jboss.org/browse/WFLY-11131 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 14.0.1.Final > Reporter: Instantiation Exception > Assignee: Darran Lofthouse > Priority: Major > > I have this configuration: > {code:java} > @FormAuthenticationMechanismDefinition( > loginToContinue = @LoginToContinue( > loginPage = "/WEB-INF/account/login.xhtml", > errorPage = "/WEB-INF/account/login.xhtml?error=true")) > @ApplicationScoped > public class SecurityConfiguration {} > {code} > When I open browser and go to restricted page, I am forwarded to login page. Then I input invalid username and password and submit form (action="j_security_check"). My browser sends me redirect to http://localhost:8080/WEB-INF/account/login.xhtml?error=true. I believe it should forward request to /WEB-INF/account/login.xhtml?error=true because standard FORM login-config in web.xml worked this way. -- This message was sent by Atlassian Jira (v7.12.1#712002)

5 years, 6 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira December 2018