July 2018 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFCORE-3839) Cannot read-identity of filesystem-realm if change level attribute later

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFCORE-3839?page=com.atlassian.jira.plugi... ] Darran Lofthouse reassigned WFCORE-3839: ---------------------------------------- Assignee: (was: Darran Lofthouse) > Cannot read-identity of filesystem-realm if change level attribute later > ------------------------------------------------------------------------ > > Key: WFCORE-3839 > URL: https://issues.jboss.org/browse/WFCORE-3839 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: Claudio Miranda > > Add filesystem-realm, add a identity, then change the levels to 3, the previously added identity cannot be recovered anymore. This is due to the directory structure previously created. Perhaps, the levels attribute should be set at creation time only ? > {code} > [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=file_realm1:add(path=file_realm) > {"outcome" => "success"} > [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=file_realm1:add-identity(identity=user1) > {"outcome" => "success"} > [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=file_realm1:read-identity(identity=user1) > { > "outcome" => "success", > "result" => { > "name" => "user1", > "attributes" => undefined > } > } > [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=file_realm1:write-attribute(name=levels,value=3) > { > "outcome" => "success", > "response-headers" => { > "operation-requires-reload" => true, > "process-state" => "reload-required" > } > } > [standalone@localhost:9990 /] reload > [standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=file_realm1:read-identity(identity=user1) > { > "outcome" => "failed", > "failure-description" => "WFLYELY01002: Identity with name [user1] not found.", > "rolled-back" => true > } > {code} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9607) Remove DigestAuthenticationMechanism code duplication between Wildfly, Undertow and Elytron

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-9607?page=com.atlassian.jira.plugin.... ] Darran Lofthouse reassigned WFLY-9607: -------------------------------------- Assignee: (was: Darran Lofthouse) > Remove DigestAuthenticationMechanism code duplication between Wildfly, Undertow and Elytron > ------------------------------------------------------------------------------------------- > > Key: WFLY-9607 > URL: https://issues.jboss.org/browse/WFLY-9607 > Project: WildFly > Issue Type: Enhancement > Components: Security > Affects Versions: 11.0.0.Final > Reporter: Bartosz Spyrko-Śmietanko > > Digest authentication mechanism is currently implemented in 3 places - in Wildfly undertow subsystem (legacy web authentication), Undertow itself (web console authentication) and Elytron (web authentication). > Any issue found in one of those scenarios is likely to affect others requiring fixing multiple codebases - ideally there should be a single implementation. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-6085) Wrong AdvancedADLdap mapping in ModulesMap

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-6085?page=com.atlassian.jira.plugin.... ] Darran Lofthouse reassigned WFLY-6085: -------------------------------------- Assignee: (was: Darran Lofthouse) > Wrong AdvancedADLdap mapping in ModulesMap > ------------------------------------------ > > Key: WFLY-6085 > URL: https://issues.jboss.org/browse/WFLY-6085 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Hynek Švábek > > There is wrong AdvancedADLdap mapping in ModulesMap. > In ModulesMap is "AdvancedAdLdap", but in documentation is "AdvancedADLdap". > https://github.com/jbossas/jboss-eap7/blob/7.x/security/subsystem/src/mai... > https://access.stage.redhat.com/documentation/en/red-hat-jboss-enterprise... > We suggest some like this for backward compatibility: > Add one extra mapping to ModulesMap with right mapping and leave there old mapping too. Some old app can use this old wrong mapping. > {code} > put("AdvancedAdLdap", AdvancedADLoginModule.class.getName()); > put("AdvancedADLdap", AdvancedADLoginModule.class.getName()); > {code} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-5593) VaultTool does not support KeySize != 128

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-5593?page=com.atlassian.jira.plugin.... ] Darran Lofthouse reassigned WFLY-5593: -------------------------------------- Assignee: (was: Darran Lofthouse) > VaultTool does not support KeySize != 128 > ----------------------------------------- > > Key: WFLY-5593 > URL: https://issues.jboss.org/browse/WFLY-5593 > Project: WildFly > Issue Type: Bug > Components: Security > Affects Versions: 10.0.0.CR4 > Reporter: Andreas Weise > Priority: Minor > > Vault tool (vault.sh) returns exception PBOX00137: Security Vault does not contain SecretKey entry under alias (vault) when using a JCEKS with AES 256. > It seems only 128 Bit Key Length is supported by the Vault Tool, which is default in [org/picketbox/plugins/vault/PicketBoxSecurityVault.java|https://github.co...] > Key length could be parametrized in PicketBoxSecurityVault, but vault tool does not support this, more specifically [org/jboss/as/security/vault/VaultSession.getVaultOptionsMap()|https://git...] -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3496) Upgrade WildFly Elytron to 1.2.0.Beta13

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFCORE-3496?page=com.atlassian.jira.plugi... ] Darran Lofthouse reassigned WFCORE-3496: ---------------------------------------- Assignee: (was: Darran Lofthouse) > Upgrade WildFly Elytron to 1.2.0.Beta13 > --------------------------------------- > > Key: WFCORE-3496 > URL: https://issues.jboss.org/browse/WFCORE-3496 > Project: WildFly Core > Issue Type: Component Upgrade > Components: Security > Reporter: Ivo Studensky > Labels: downstream_dependency > -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9855) [JDK9+] org.jboss.security.negotiation.spnego package is exported by two jars

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-9855?page=com.atlassian.jira.plugin.... ] Darran Lofthouse reassigned WFLY-9855: -------------------------------------- Assignee: (was: Darran Lofthouse) > [JDK9+] org.jboss.security.negotiation.spnego package is exported by two jars > ----------------------------------------------------------------------------- > > Key: WFLY-9855 > URL: https://issues.jboss.org/browse/WFLY-9855 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Tomaz Cerar > Priority: Critical > > Currently if you have > jboss-negotiation-spnego-3.0.4.Final and jboss-negotiation-extras-3.0.4.Final.jar > on your module path, jvm complains as both jars export package org.jboss.security.negotiation.spnego > which violates the modules contract where only one module (jar) can provide single package. > example error that jvm prints > {noformat} > Error: Modules jboss.negotiation.extras and jboss.negotiation.spnego export package org.jboss.security.negotiation.spnego to module wildfly.clustering.common > {noformat} -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3913) HTTPSchemeServiceAuthModule contructor is not defined

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFCORE-3913?page=com.atlassian.jira.plugi... ] Darran Lofthouse reassigned WFCORE-3913: ---------------------------------------- Assignee: (was: Darran Lofthouse) > HTTPSchemeServiceAuthModule contructor is not defined > ----------------------------------------------------- > > Key: WFCORE-3913 > URL: https://issues.jboss.org/browse/WFCORE-3913 > Project: WildFly Core > Issue Type: Bug > Components: Security > Affects Versions: 3.0.10.Final > Environment: - EAP7.1.0 > Reporter: Hisanobu Okuda > Attachments: test.war > > > JASPI does not work, since HTTPSchemeServiceAuthModule contructor is not defined. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9737) JASPIC LoginModule Profile with WildFly Elytron

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-9737?page=com.atlassian.jira.plugin.... ] Darran Lofthouse reassigned WFLY-9737: -------------------------------------- Assignee: (was: Darran Lofthouse) > JASPIC LoginModule Profile with WildFly Elytron > ----------------------------------------------- > > Key: WFLY-9737 > URL: https://issues.jboss.org/browse/WFLY-9737 > Project: WildFly > Issue Type: Feature Request > Components: Security > Reporter: Darran Lofthouse > > The JASPIC specification covers the use of LoginModules under a separate profile, once WFLY-9067 is integrated this is a follow up task to add support for this profile. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-3876) Composite operation on filesystem-realm blocks management operations

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFCORE-3876?page=com.atlassian.jira.plugi... ] Darran Lofthouse reassigned WFCORE-3876: ---------------------------------------- Assignee: (was: Darran Lofthouse) > Composite operation on filesystem-realm blocks management operations > -------------------------------------------------------------------- > > Key: WFCORE-3876 > URL: https://issues.jboss.org/browse/WFCORE-3876 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: Claudio Miranda > > There is a problem when adding an identity and an attribute on filesystem-realm as composite operation, it blocks the operation, but also blocks some other operations, for example, while the composite operation run, the other following operations just blocks. This problem only occurs in domain mode. > The filesystem-realm=file1 was created with no errors. > Add an identity and a identity attribute as composite operation > {code} > batch > /host=master/server=server-three/subsystem=elytron/filesystem-realm=file1:add-identity(identity=user3) > /host=master/server=server-three/subsystem=elytron/filesystem-realm=file1:add-identity-attribute(identity=user3,name=key1,value=[val1,val11]) > run-batch > {code} > The following composite, also blocks the same way (for an existing identity named user3) > {code} > batch > /host=master/server=server-three/subsystem=elytron/filesystem-realm=file1:add-identity-attribute(identity=user3,name=key3,value=[val3,val33]) > /host=master/server=server-three/subsystem=elytron/filesystem-realm=file1:add-identity-attribute(identity=user3,name=key4,value=[val4,val44]) > run-batch > {code} > The following operation just blocks waiting the above operation to finish. > {code} > /host=master/server=server-three/subsystem=elytron/filesystem-realm=file1:read-identity(identity=other) > {code} > {code} > /profile=full-ha/subsystem=elytron/filesystem-realm=file3:add(path=file3) > {code} > {code} > /profile=full-ha/subsystem=elytron/properties-realm=props1:add(users-properties={path=application-users.properties,relative-to=jboss.domain.config.dir,digest-realm-name=ApplicationRealm}) > {code} > It also blocks write-attribute operation on other subsystems > {code} > /profile=full-ha/subsystem=io/worker=default:write-attribute(name=task-max-threads,value=100) > /profile=full-ha/subsystem=datasources/data-source=ExampleDS:write-attribute(name=max-pool-size,value=12) > {code} > The last operation reports as a non-progressing operation > {code} > /host=master/core-service=management/service=management-operations:find-non-progressing-operation > { > "outcome" => "success", > "result" => "500616352" > } > [domain@localhost:9990 /] /host=master/core-service=management/service=management-operations/active-operation=*:read-resource > { > "outcome" => "success", > "result" => [ > { > "address" => [ > ("host" => "master"), > ("core-service" => "management"), > ("service" => "management-operations"), > ("active-operation" => "-886331830") > ], > "outcome" => "success", > "result" => { > "access-mechanism" => "NATIVE", > "address" => [ > ("host" => "master"), > ("core-service" => "management"), > ("service" => "management-operations"), > ("active-operation" => "*") > ], > "caller-thread" => "management-handler-thread - 15", > "cancelled" => false, > "domain-rollout" => false, > "domain-uuid" => undefined, > "exclusive-running-time" => -1L, > "execution-status" => "executing", > "operation" => "read-resource", > "running-time" => 2341554L > } > }, > { > "address" => [ > ("host" => "master"), > ("core-service" => "management"), > ("service" => "management-operations"), > ("active-operation" => "-199839257") > ], > "outcome" => "success", > "result" => { > "access-mechanism" => "NATIVE", > "address" => [], > "caller-thread" => "management-handler-thread - 13", > "cancelled" => false, > "domain-rollout" => false, > "domain-uuid" => undefined, > "exclusive-running-time" => -1L, > "execution-status" => "executing", > "operation" => "composite", > "running-time" => 37961295588L > } > }, > { > "address" => [ > ("host" => "master"), > ("core-service" => "management"), > ("service" => "management-operations"), > ("active-operation" => "500616352") > ], > "outcome" => "success", > "result" => { > "access-mechanism" => "NATIVE", > "address" => [ > ("profile" => "full-ha"), > ("subsystem" => "io"), > ("worker" => "default") > ], > "caller-thread" => "management-handler-thread - 14", > "cancelled" => false, > "domain-rollout" => false, > "domain-uuid" => "87a864ef-e287-4436-acd5-4842459dfc2e", > "exclusive-running-time" => 33671893306L, > "execution-status" => "executing", > "operation" => "write-attribute", > "running-time" => 33671782128L > } > } > ] > } > {code} > After the operation timeout, the second step of the composite operation as error. > {code} > The batch failed with the following error (you are remaining in the batch editing mode to have a chance to correct the error): > WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed: > Step: step-2 > Operation: /host=master/server=server-three/subsystem=elytron/filesystem-realm=file1:add-identity-attribute(identity=user3,name=key1,value=[val1,val11]) > Failure: WFLYCTL0409: Execution of operation 'add-identity-attribute' on remote process at address '[ > ("host" => "master"), > ("server" => "server-three") > ]' timed out after 305000 ms while awaiting initial response; remote process has been notified to terminate operation > {code} > I understand that to add the identity attribute, it should run as non composite, and it works, but the problem is the blocking it does on the other operations. -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

[JBoss JIRA] (WFLY-9702) SSO Integration for Programmatic Authentication

by Darran Lofthouse (JIRA)

[ https://issues.jboss.org/browse/WFLY-9702?page=com.atlassian.jira.plugin.... ] Darran Lofthouse reassigned WFLY-9702: -------------------------------------- Assignee: (was: Darran Lofthouse) > SSO Integration for Programmatic Authentication > ----------------------------------------------- > > Key: WFLY-9702 > URL: https://issues.jboss.org/browse/WFLY-9702 > Project: WildFly > Issue Type: Feature Request > Components: Clustering, Security, Web (Undertow) > Reporter: Darran Lofthouse > Priority: Critical > > At the moment the SSO integration only fully covers authentication mechanisms as they can be wrapped, we need to revisit for programmatic authentication. > In this scenario we don't have either a wrapped mechanism or a CallbackHandler. > Couple of options: - > * Can we get away with pushing in some form of IdentityCache factory the mechs can obtain from the request? This may miss the additional notifications the SSO impl depends on. > * Can we also better support listening for the notifications without the need for wrappers? This could cover both mechs and programmatic authentication? > * Instead do we make the programmatic authenticator pluggable, i.e. push in an SSO aware impl, it can choose how to handle it's own caching and also doesn't need the notifications as it is in control of that stage of the process. > * -- This message was sent by Atlassian JIRA (v7.5.0#75005)

7 years, 5 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira July 2018