[JBoss JIRA] (WFLY-11348) EESecurityAuthMechanismTestCase fails with security manager
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-11348?page=com.atlassian.jira.plugin... ]
Darran Lofthouse resolved WFLY-11348.
-------------------------------------
Resolution: Won't Fix
Resolving as "Won't Fix" as this is within the legacy PicketBox integration.
> EESecurityAuthMechanismTestCase fails with security manager
> -----------------------------------------------------------
>
> Key: WFLY-11348
> URL: https://issues.jboss.org/browse/WFLY-11348
> Project: WildFly
> Issue Type: Bug
> Components: Security, Test Suite
> Affects Versions: 14.0.0.Final
> Reporter: Martin Choma
> Assignee: Justin Cook
> Priority: Major
> Labels: security-manager
>
> {noformat}
> org.jboss.as.test.integration.security.jaspi (2)
> EESecurityAuthMechanismTestCase.testAuthNotRequired
> EESecurityAuthMechanismTestCase.testSuccessfulAuthentication
> {noformat}
> It seems to me a doPrivileged block is missing in the server code somewhere.
> {noformat}
> 00:29:39,192 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /EESecurityAuthMechanismTestCase/unsecured/index.jsp: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "org.jboss.security.plugins.JBossSecurityContext.getSubjectInfo")" in code source "(vfs:/content/EESecurityAuthMechanismTestCase.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.EESecurityAuthMechanismTestCase.war" from Service Module Loader")
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
> at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
> at org.jboss.security.plugins.JBossSecurityContext.getSubjectInfo(JBossSecurityContext.java:182)
> at org.jboss.security.auth.callback.JASPICallbackHandler.handleCallBack(JASPICallbackHandler.java:128)
> at org.jboss.security.auth.callback.JBossCallbackHandler.handle(JBossCallbackHandler.java:87)
> at org.glassfish.soteria.mechanisms.jaspic.Jaspic.handleCallbacks(Jaspic.java:196)
> at org.glassfish.soteria.mechanisms.jaspic.Jaspic.notifyContainerAboutLogin(Jaspic.java:182)
> at org.glassfish.soteria.mechanisms.HttpMessageContextImpl.doNothing(HttpMessageContextImpl.java:303)
> at org.jboss.as.test.integration.security.jaspi.SimpleHttpAuthenticationMechanism.validateRequest(SimpleHttpAuthenticationMechanism.java:43)
> at org.jboss.as.test.integration.security.jaspi.SimpleHttpAuthenticationMechanism$Proxy$_$$_WeldClientProxy.validateRequest(Unknown Source)
> at org.glassfish.soteria.mechanisms.jaspic.HttpBridgeServerAuthModule.validateRequest(HttpBridgeServerAuthModule.java:114)
> at org.glassfish.soteria.mechanisms.jaspic.DefaultServerAuthContext.validateRequest(DefaultServerAuthContext.java:76)
> at org.jboss.security.plugins.auth.JASPIServerAuthenticationManager.isValid(JASPIServerAuthenticationManager.java:115)
> at org.wildfly.extension.undertow.security.jaspi.JASPICAuthenticationMechanism.authenticate(JASPICAuthenticationMechanism.java:125)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
> at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
> at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> {noformat}
> [1] https://ci.wildfly.org/viewLog.html?buildId=128138&buildTypeId=WF_MasterS...
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
5 years, 6 months
[JBoss JIRA] (WFCORE-4106) Add the ability to configure security providers using Elytron subsystem security properties
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-4106?page=com.atlassian.jira.plugi... ]
Darran Lofthouse resolved WFCORE-4106.
--------------------------------------
Resolution: Rejected
> Add the ability to configure security providers using Elytron subsystem security properties
> -------------------------------------------------------------------------------------------
>
> Key: WFCORE-4106
> URL: https://issues.jboss.org/browse/WFCORE-4106
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Reporter: Farah Juma
> Assignee: Farah Juma
> Priority: Major
>
> It should be possible to configure security providers using the {{security-properties}} attribute in the Elytron subsystem. For example, it should be possible to use the following command to register custom security providers instead of needing to manually update the {{java.security}} file:
> {code}
> /subsystem=elytron:write-attribute(name=security-properties,value={\
> security.provider.1=PROVIDER_1,\
> security.provider.2=PROVIDER_2\
> ...\
> })
> {code}
[JBoss JIRA] (WFLY-11073) Support hex encoding in jdbc-realm for elytron
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-11073?page=com.atlassian.jira.plugin... ]
Darran Lofthouse reassigned WFLY-11073:
---------------------------------------
Assignee: Darran Lofthouse
> Support hex encoding in jdbc-realm for elytron
> ----------------------------------------------
>
> Key: WFLY-11073
> URL: https://issues.jboss.org/browse/WFLY-11073
> Project: WildFly
> Issue Type: Feature Request
> Components: Documentation, Security
> Reporter: Jan Kalina
> Assignee: Darran Lofthouse
> Priority: Major
> Labels: elytron
> Fix For: 16.0.0.Beta1
>
>
> Old database login-module can be configured passing the attribute {{hashEncoding}}, for example:
> {code:xml}
> <login-module code="Database" flag="required">
> <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
> <module-option name="principalsQuery" value="SELECT password FROM User WHERE username = ?"/>
> <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM User WHERE username = ?"/>
> <module-option name="hashAlgorithm" value="SHA-1"/>
> <module-option name="hashEncoding" value="hex"/>
> <module-option name="hashCharset" value="UTF-8"/>
> </login-module>
> {code}
> Currently the jdbc-realm in Elytron only uses base64 encoding if the hash is stored in a text column. This makes the migration more complicated because the password hash is not valid when changing from the old security system to Elytron.
> Think also about the charset attribute.
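As an added example (not WildFly or Elytron code, and not written by the reporter) of the mismatch the request describes: a SHA-1 digest stored hex-encoded by the legacy Database login-module settings quoted above does not verify when a realm decodes the text column as base64, but does once the column is re-encoded; it also shows why the charset matters. The function names and the sample passwords are assumptions.

```python
"""Added example (not WildFly/Elytron code): legacy hex-encoded SHA-1 hashes
versus a realm that assumes base64 in text columns, plus a migration helper."""
import base64
import binascii
import hashlib
import hmac
from typing import Optional


def legacy_hash(password: str, algorithm: str = "sha1", charset: str = "utf-8") -> str:
    """Mimic the legacy login-module options quoted in the issue:
    hashAlgorithm=SHA-1, hashEncoding=hex, hashCharset=UTF-8."""
    return hashlib.new(algorithm, password.encode(charset)).hexdigest()


def decode_stored(stored: str, encoding: str) -> Optional[bytes]:
    """Decode a text-column hash using the encoding the realm assumes.
    Returns None when the value is not valid in that encoding."""
    try:
        if encoding == "hex":
            return binascii.unhexlify(stored)
        if encoding == "base64":
            return base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return None
    raise ValueError(f"unsupported encoding: {encoding}")


def verify(stored: str, password: str, encoding: str,
           algorithm: str = "sha1", charset: str = "utf-8") -> bool:
    """Compare the decoded stored digest with a fresh digest in constant time.
    A hex digest read as base64 decodes to unrelated bytes, so it never matches."""
    expected = hashlib.new(algorithm, password.encode(charset)).digest()
    actual = decode_stored(stored, encoding)
    return actual is not None and hmac.compare_digest(actual, expected)


def hex_to_base64(stored_hex: str) -> str:
    """Migration helper: re-encode a hex digest so a base64-only realm accepts it."""
    return base64.b64encode(binascii.unhexlify(stored_hex)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample password; the stored value is what the legacy
    # login-module would have written to the text column.
    stored = legacy_hash("s3cret")
    print("hex realm:   ", verify(stored, "s3cret", "hex"))
    print("base64 realm:", verify(stored, "s3cret", "base64"))
    print("after migration:", verify(hex_to_base64(stored), "s3cret", "base64"))
```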
[JBoss JIRA] (WFCORE-3310) mechanism-configuration in http/sasl authentication factory in server configuration should fail when includes some attribute
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFCORE-3310?page=com.atlassian.jira.plugi... ]
Darran Lofthouse commented on WFCORE-3310:
------------------------------------------
I have changed the component to 'management' as this has now become a general issue rather than security specific.
> mechanism-configuration in http/sasl authentication factory in server configuration should fail when includes some attribute
> ----------------------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3310
> URL: https://issues.jboss.org/browse/WFCORE-3310
> Project: WildFly Core
> Issue Type: Bug
> Components: Management
> Affects Versions: 3.0.3.Final
> Reporter: Ondrej Lukas
> Assignee: Jiri Ondrusek
> Priority: Major
>
> Based on the wildfly-elytron XSD, the mechanism-configuration element of http-authentication-factory or sasl-authentication-factory should not contain any attribute. However, when some attribute is added to this element in standalone.xml, the server does not fail during start. The correct behavior is that a validation error should be thrown during server start.
[JBoss JIRA] (WFLY-11510) EarOpenTracingWithWeldProbeTestCase fails with node0/1 set
by Matej Novotny (Jira)
[ https://issues.jboss.org/browse/WFLY-11510?page=com.atlassian.jira.plugin... ]
Matej Novotny commented on WFLY-11510:
--------------------------------------
Changing the config for the whole TS might be overkill.
Simply altering the Arq. deployment of this given test by adding {{weld.properties}} file should do the trick as well.
> EarOpenTracingWithWeldProbeTestCase fails with node0/1 set
> ----------------------------------------------------------
>
> Key: WFLY-11510
> URL: https://issues.jboss.org/browse/WFLY-11510
> Project: WildFly
> Issue Type: Bug
> Components: MP OpenTracing, Test Suite
> Affects Versions: 16.0.0.Beta1
> Reporter: Ondrej Kotek
> Assignee: Nikoleta Žiaková
> Priority: Major
>
> {{org.jboss.as.test.integration.microprofile.opentracing.EarOpenTracingWithWeldProbeTestCase}} fails with {{node0}} and {{node1}} set:
> {noformat}
> WARN [org.jboss.weld.probe.Probe] (default task-1) PROBE-000017: Access to /ServiceOne/service-endpoint/app denied for <my IP>
> WARN [org.jboss.weld.probe.Probe] (default task-1) PROBE-000017: Access to /ServiceOne/service-endpoint/app denied for <my IP>
> ...
> java.lang.AssertionError: expected:<200> but was:<403>
> at org.junit.Assert.fail(Assert.java:88)
> at org.junit.Assert.failNotEquals(Assert.java:834)
> at org.junit.Assert.assertEquals(Assert.java:645)
> at org.junit.Assert.assertEquals(Assert.java:631)
> at org.jboss.as.test.integration.microprofile.opentracing.AbstractEarOpenTracingTestCase.testHttpInvokation(AbstractEarOpenTracingTestCase.java:67)
> at org.jboss.as.test.integration.microprofile.opentracing.AbstractEarOpenTracingTestCase.testEarServicesUseDifferentTracersAfterReload(AbstractEarOpenTracingTestCase.java:59)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ...
> {noformat}
> Maybe access from remote IP addresses is blocked in development mode.
[JBoss JIRA] (WFLY-11501) DynamicJaspiTestCase fails with security manager
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/WFLY-11501?page=com.atlassian.jira.plugin... ]
Darran Lofthouse updated WFLY-11501:
------------------------------------
Fix Version/s: 16.0.0.Beta1
(was: 9.x.x TBD)
> DynamicJaspiTestCase fails with security manager
> ------------------------------------------------
>
> Key: WFLY-11501
> URL: https://issues.jboss.org/browse/WFLY-11501
> Project: WildFly
> Issue Type: Bug
> Components: Security, Test Suite
> Affects Versions: 16.0.0.Beta1
> Reporter: Ondrej Kotek
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 16.0.0.Beta1
>
>
> {{org.wildfly.test.integration.elytron.jaspi.DynamicJaspiTestCase#testCalls}} fails with security manager due to missing permissions:
> {noformat}
> ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /ConfiguredJaspiTestCase/: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.security.SecurityPermission" "getFactory")" in code source "(vfs:/content/ConfiguredJaspiTestCase.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.ConfiguredJaspiTestCase.war" from Service Module Loader")
> at org.wildfly.security.elytron-private@1.7.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
> at org.wildfly.security.elytron-private@1.7.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
> at javax.security.auth.message.api@1.0.2.Final//javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:210)
> at org.wildfly.security.elytron-private@1.7.0.Final//org.wildfly.security.auth.jaspi.JaspiConfigurationBuilder.register(JaspiConfigurationBuilder.java:106)
> at deployment.ConfiguredJaspiTestCase.war//org.wildfly.test.integration.elytron.jaspi.JaspiTestServlet.doGet(JaspiTestServlet.java:62)
> at javax.servlet.api@1.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
> at javax.servlet.api@1.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at io.opentracing.contrib.opentracing-jaxrs2//io.opentracing.contrib.jaxrs2.server.SpanFinishingFilter.doFilter(SpanFinishingFilter.java:55)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.security.elytron-web.undertow-server@1.3.0.Final//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
> at org.wildfly.security.elytron-private@1.7.0.Final//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
> at org.wildfly.security.elytron-private@1.7.0.Final//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
> at org.wildfly.security.elytron-private@1.7.0.Final//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
> at org.wildfly.security.elytron-web.undertow-server@1.3.0.Final//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at org.wildfly.security.elytron-web.undertow-server-servlet@1.3.0.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:110)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:107)
> at io.undertow.core@2.0.15.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> at io.undertow.core@2.0.15.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> at org.jboss.threads@2.3.2.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.base/java.lang.Thread.run(Thread.java:834)
> {noformat}