February 2018 - jboss-jira - Jboss List Archives

[JBoss JIRA] (ELY-1332) NSS tools based PKCS11 provider defined in Elytron doesn't survive server reload

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1332?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated ELY-1332: ---------------------------------- Fix Version/s: 1.3.0.CR1 > NSS tools based PKCS11 provider defined in Elytron doesn't survive server reload > -------------------------------------------------------------------------------- > > Key: ELY-1332 > URL: https://issues.jboss.org/browse/ELY-1332 > Project: WildFly Elytron > Issue Type: Bug > Reporter: Josef Cacek > Priority: Blocker > Fix For: 1.3.0.CR1 > > > When a SunPKCS11 provider is defined in Elytron subsystem on the top of NSS keystore (e.g. a FIPS one), then the server reload fails with "ProviderException: Secmod module already configured". > The server.log contains: > {noformat} > 08:12:56,073 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service org.wildfly.security.providers.nss: org.jboss.msc.service.StartException in service org.wildfly.security.providers.nss: java.lang.reflect.InvocationTargetException > at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:224) > at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:160) > at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:748) > Caused by: java.lang.reflect.InvocationTargetException > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at org.wildfly.extension.elytron.ProviderDefinitions$1$1.get(ProviderDefinitions.java:190) > ... 7 more > Caused by: java.security.ProviderException: Secmod module already configured > at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:276) > at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107) > ... 12 more > .. > 08:12:56,140 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ > ("subsystem" => "elytron"), > ("provider-loader" => "nss") > ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.providers.nss" => "java.lang.reflect.InvocationTargetException > Caused by: java.lang.reflect.InvocationTargetException > Caused by: java.security.ProviderException: Secmod module already configured"}} > {noformat} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-1239) Elytron client, elytron-1_0.xsd, protection-parameter-credentials is incorrectly defined as client-credentials-type.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1239?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated ELY-1239: ---------------------------------- Fix Version/s: 1.3.0.CR1 > Elytron client, elytron-1_0.xsd, protection-parameter-credentials is incorrectly defined as client-credentials-type. > -------------------------------------------------------------------------------------------------------------------- > > Key: ELY-1239 > URL: https://issues.jboss.org/browse/ELY-1239 > Project: WildFly Elytron > Issue Type: Bug > Components: Authentication Client, Credential Store > Reporter: Hynek Švábek > Assignee: Peter Skopek > Priority: Blocker > Fix For: 1.3.0.CR1 > > > Elytron client, elytron-1_0.xsd, *protection-parameter-credentials* is incorrectly defined as client-credentials-type [1]. > For *protection-parameter-credentials* is valid only credential-store-reference element: > {code} > <xsd:element name="credential-store-reference" type="credential-store-reference-type"/> > {code} > But now is *protection-parameter-credentials* defined as type *client-credentials-type* [1] which can have these values: > {code} > <xsd:complexType name="client-credentials-type"> > <xsd:choice minOccurs="0" maxOccurs="unbounded"> > <xsd:element name="key-store-reference" type="key-store-ref-type"/> > <xsd:element name="credential-store-reference" type="credential-store-reference-type"/> > <xsd:element name="clear-password" type="clear-password-type"/> > <xsd:element name="hashed-password" type="hashed-password-type"/> > <xsd:element name="crypt-password" type="crypt-password-type"/> > <xsd:element name="key-pair" type="key-pair-type"/> > <xsd:element name="certificate" type="certificate-type"/> > <xsd:element name="public-key-pem" type="xsd:string"/> > <xsd:element name="bearer-token" type="bearer-token-type"/> > <xsd:element name="oauth2-bearer-token" type="oauth2-bearer-token-type"/> > </xsd:choice> > </xsd:complexType> > {code} > Please keep on mind that changes must be done accordingly in ElytronXMLParser too. > [1] https://github.com/wildfly-security/wildfly-elytron/blob/1.1.0.Beta47/src... -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-1427) Credential store type PKCS12 works fine when using OracleJDK and OpenJDK but doesn't work using IBM JDK.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-1427?page=com.atlassian.jira.plugin.s... ] Darran Lofthouse updated ELY-1427: ---------------------------------- Fix Version/s: 1.3.0.CR1 > Credential store type PKCS12 works fine when using OracleJDK and OpenJDK but doesn't work using IBM JDK. > -------------------------------------------------------------------------------------------------------- > > Key: ELY-1427 > URL: https://issues.jboss.org/browse/ELY-1427 > Project: WildFly Elytron > Issue Type: Bug > Components: Credential Store > Reporter: Hynek Švábek > Priority: Critical > Fix For: 1.3.0.CR1 > > > Credential store type PKCS12 works fine when using OracleJDK and OpenJDK. > Problem occurs when we use IBM JDK, add-alias works fine for first time, but for add-alias for second time with same alias name we expect message about duplicity rather than current error message about SecretKeyFactory not availability. > {code} > "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: WFLYELY00009: Unable to complete operation. 'ELY09504: Cannot acquire a credential from the credential store->Get Key failed: 1.2.840.113549.1.7.1 SecretKeyFactory not available->1.2.840.113549.1.7.1 SecretKeyFactory not available'", > {code} > *NOTE* > I met same problem with Oracle JDK 1.8 u66, with u144 is everythink ok. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-286) HTTP Digest Authentication

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-286?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-286: --------------------------------- Fix Version/s: (was: 1.3.0.CR1) > HTTP Digest Authentication > -------------------------- > > Key: ELY-286 > URL: https://issues.jboss.org/browse/ELY-286 > Project: WildFly Elytron > Issue Type: Feature Request > Components: HTTP > Reporter: Darran Lofthouse > > Original Digest RFC [https://tools.ietf.org/html/rfc2069] > Current Digest RFC [https://tools.ietf.org/html/rfc2617] > HTTP 1.1 Authentication (Updates RFC2617) [https://tools.ietf.org/html/rfc7235] > Draft currently under discussion - [https://datatracker.ietf.org/doc/draft-ietf-httpauth-digest/] > RFC7616 Now Proposed Standard > "HTTP Digest Access Authentication", September 2015 > [https://www.rfc-editor.org/info/rfc7616] -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-214) Add support for OpenSSL-style key and certificate files

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-214?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse reassigned ELY-214: ------------------------------------ Fix Version/s: (was: 1.3.0.CR1) Assignee: (was: Pedro Igor) > Add support for OpenSSL-style key and certificate files > ------------------------------------------------------- > > Key: ELY-214 > URL: https://issues.jboss.org/browse/ELY-214 > Project: WildFly Elytron > Issue Type: Enhancement > Components: KeyStores > Reporter: David Lloyd > > Do the following: > * Research the various supported key and cert file formats supported by OpenSSL > * Determine what the JSSE equivalent is of each, if any > * Add {{KeyStore}} support for keys of any type or format which is not supported by JSSE -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-23) authPassword LDAP attribute - add support for RFC5803

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-23?page=com.atlassian.jira.plugin.sys... ] Darran Lofthouse updated ELY-23: -------------------------------- Fix Version/s: (was: 1.3.0.CR1) > authPassword LDAP attribute - add support for RFC5803 > ----------------------------------------------------- > > Key: ELY-23 > URL: https://issues.jboss.org/browse/ELY-23 > Project: WildFly Elytron > Issue Type: Sub-task > Reporter: Darran Lofthouse > > RFC5803 adds support for storing SCRAM secrets in the 'authPassword' attribute introduced by RFC3112 -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-251) More certain credential based mechanism selection.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-251?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-251: --------------------------------- Fix Version/s: (was: 1.3.0.CR1) > More certain credential based mechanism selection. > -------------------------------------------------- > > Key: ELY-251 > URL: https://issues.jboss.org/browse/ELY-251 > Project: WildFly Elytron > Issue Type: Task > Components: SASL > Reporter: Darran Lofthouse > > When filtering authentication mechanisms we need to really be able to offer two modes: - > 1 - Only offer a mech if we are sure it is supported. > Risks only offering a weaker mechanism in a mixed domain but also eliminates mechanisms that could fail for a valid user that just happens to have a different credential type. > 2- More general support. > i.e. offer the mechs that may be supported. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-436) Dynamic mechanism selection properties.

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-436?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-436: --------------------------------- Fix Version/s: (was: 1.3.0.CR1) > Dynamic mechanism selection properties. > --------------------------------------- > > Key: ELY-436 > URL: https://issues.jboss.org/browse/ELY-436 > Project: WildFly Elytron > Issue Type: Feature Request > Components: HTTP, SASL > Reporter: Darran Lofthouse > > The title may be a bit too close to implementation than requirement! > However we may want to filter mechanisms based on other criteria e.g. if the transport is confidential. So depending on confidentiality we may want to be able to configure a policy that restricts when plain text mechanisms are used. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-154) Session based DigestCredential support

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-154?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-154: --------------------------------- Fix Version/s: (was: 1.3.0.CR1) > Session based DigestCredential support > -------------------------------------- > > Key: ELY-154 > URL: https://issues.jboss.org/browse/ELY-154 > Project: WildFly Elytron > Issue Type: Sub-task > Components: Passwords > Reporter: Darran Lofthouse > > DigestCredential but where additional information is included such as nonce and cnonce to create a credential applicable to a session. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-722) Move callback handler interactions to a common base class for HTTP mechanisms, .

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/ELY-722?page=com.atlassian.jira.plugin.sy... ] Darran Lofthouse updated ELY-722: --------------------------------- Fix Version/s: (was: 1.3.0.CR1) > Move callback handler interactions to a common base class for HTTP mechanisms,. > ------------------------------------------------------------------------------- > > Key: ELY-722 > URL: https://issues.jboss.org/browse/ELY-722 > Project: WildFly Elytron > Issue Type: Enhancement > Components: HTTP > Reporter: Darran Lofthouse > > This is to follow a similar pattern as is used for the SASL mechanisms. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

8 years, 2 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira February 2018