[JBoss JIRA] (ELY-1239) Elytron client, elytron-1_0.xsd, protection-parameter-credentials is incorrectly defined as client-credentials-type.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1239?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1239:
----------------------------------
Fix Version/s: 1.4.1.CR1
(was: 1.4.0.Final)
> Elytron client, elytron-1_0.xsd, protection-parameter-credentials is incorrectly defined as client-credentials-type.
> --------------------------------------------------------------------------------------------------------------------
>
> Key: ELY-1239
> URL: https://issues.jboss.org/browse/ELY-1239
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Client, Credential Store
> Reporter: Hynek Švábek
> Assignee: Peter Skopek
> Priority: Blocker
> Fix For: 1.4.1.CR1
>
>
> Elytron client, elytron-1_0.xsd, *protection-parameter-credentials* is incorrectly defined as client-credentials-type [1].
> For *protection-parameter-credentials* is valid only credential-store-reference element:
> {code}
> <xsd:element name="credential-store-reference" type="credential-store-reference-type"/>
> {code}
> But now is *protection-parameter-credentials* defined as type *client-credentials-type* [1] which can have these values:
> {code}
> <xsd:complexType name="client-credentials-type">
> <xsd:choice minOccurs="0" maxOccurs="unbounded">
> <xsd:element name="key-store-reference" type="key-store-ref-type"/>
> <xsd:element name="credential-store-reference" type="credential-store-reference-type"/>
> <xsd:element name="clear-password" type="clear-password-type"/>
> <xsd:element name="hashed-password" type="hashed-password-type"/>
> <xsd:element name="crypt-password" type="crypt-password-type"/>
> <xsd:element name="key-pair" type="key-pair-type"/>
> <xsd:element name="certificate" type="certificate-type"/>
> <xsd:element name="public-key-pem" type="xsd:string"/>
> <xsd:element name="bearer-token" type="bearer-token-type"/>
> <xsd:element name="oauth2-bearer-token" type="oauth2-bearer-token-type"/>
> </xsd:choice>
> </xsd:complexType>
> {code}
> Please keep on mind that changes must be done accordingly in ElytronXMLParser too.
> [1] https://github.com/wildfly-security/wildfly-elytron/blob/1.1.0.Beta47/src...
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years
[JBoss JIRA] (ELY-1455) DB query seen for each request using programatic authentication
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1455?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1455:
----------------------------------
Fix Version/s: 1.4.1.CR1
(was: 1.4.0.Final)
> DB query seen for each request using programatic authentication
> ----------------------------------------------------------------
>
> Key: ELY-1455
> URL: https://issues.jboss.org/browse/ELY-1455
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Authentication Mechanisms
> Affects Versions: 1.2.0.Beta10
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Fix For: 1.4.1.CR1
>
> Attachments: elytron-bug.zip, server.log, standalone-full-ha.xml
>
>
> User is complaining, that DB is accessed on each request.
> Jdbc-realm + FORM authentication
> {noformat}
> <jdbc-realm name="myappRealm">
> <principal-query sql="SELECT r.role, u.password FROM user u join user_role_auth r on r.email = u.email where u.email=?" data-source="myds">
> <attribute-mapping>
> <attribute to="Roles" index="1"/>
> </attribute-mapping>
> <simple-digest-mapper password-index="2"/>
> </principal-query>
> </jdbc-realm>
> {noformat}
> {noformat}
> 2017-11-30 09:31:04,049 TRACE [org.wildfly.security] (default task-124) Principal assigning: [alberto(a)myapp.com], pre-realm rewritten: [alberto(a)myapp.com], realm name: [wmtRealm], post-realm rewritten: [alberto(a)myapp.com], realm rewritten: [alberto(a)myapp.com]
> 2017-11-30 09:31:04,049 TRACE [org.wildfly.security] (default task-124) Executing principalQuery select password from user where email = ? with value alberto(a)myapp.com
> 2017-11-30 09:31:04,051 TRACE [org.wildfly.security] (default task-124) Executing principalQuery select role, 'Roles' from user_role_auth where email = ? with value alberto(a)myapp.com
> 2017-11-30 09:31:04,052 TRACE [org.wildfly.security] (default task-124) Executing principalQuery select password from user where email = ? with value alberto(a)myapp.com
> 2017-11-30 09:31:04,053 TRACE [org.wildfly.security] (default task-124) Role mapping: principal [alberto(a)myapp.com] -> decoded roles [Administrator] -> realm mapped roles [Administrator] -> domain mapped roles [Administrator]
> 2017-11-30 09:31:04,053 TRACE [org.wildfly.security] (default task-124) Authorizing principal alberto(a)myapp.com.
> 2017-11-30 09:31:04,053 TRACE [org.wildfly.security] (default task-124) Authorizing against the following attributes: [roles] => [Administrator]
> 2017-11-30 09:31:04,053 TRACE [org.wildfly.security] (default task-124) Permission mapping: identity [alberto(a)myapp.com] with roles [Administrator] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
> 2017-11-30 09:31:04,053 TRACE [org.wildfly.security] (default task-124) Authorization succeed
> 2017-11-30 09:31:04,053 TRACE [org.wildfly.security] (default task-124) Role mapping: principal [alberto(a)myapp.com] -> decoded roles [Administrator] -> realm mapped roles [Administrator] -> domain mapped roles [Administrator]
> 2017-11-30 09:31:07,017 TRACE [org.wildfly.security] (default task-125) Principal assigning: [alberto(a)myapp.com], pre-realm rewritten: [alberto(a)myapp.com], realm name: [wmtRealm], post-realm rewritten: [alberto(a)myapp.com], realm rewritten: [alberto(a)myapp.com]
> 2017-11-30 09:31:07,018 TRACE [org.wildfly.security] (default task-125) Executing principalQuery select password from user where email = ? with value alberto(a)myapp.com
> 2017-11-30 09:31:07,019 TRACE [org.wildfly.security] (default task-125) Executing principalQuery select role, 'Roles' from user_role_auth where email = ? with value alberto(a)myapp.com
> 2017-11-30 09:31:07,021 TRACE [org.wildfly.security] (default task-125) Executing principalQuery select password from user where email = ? with value alberto(a)myapp.com
> 2017-11-30 09:31:07,022 TRACE [org.wildfly.security] (default task-125) Role mapping: principal [alberto(a)myapp.com] -> decoded roles [Administrator] -> realm mapped roles [Administrator] -> domain mapped roles [Administrator]
> 2017-11-30 09:31:07,022 TRACE [org.wildfly.security] (default task-125) Authorizing principal alberto(a)myapp.com.
> 2017-11-30 09:31:07,023 TRACE [org.wildfly.security] (default task-125) Authorizing against the following attributes: [roles] => [Administrator]
> 2017-11-30 09:31:07,023 TRACE [org.wildfly.security] (default task-125) Permission mapping: identity [alberto(a)myapp.com] with roles [Administrator] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
> 2017-11-30 09:31:07,023 TRACE [org.wildfly.security] (default task-125) Authorization succeed
> 2017-11-30 09:31:07,023 TRACE [org.wildfly.security] (default task-125) Role mapping: principal [alberto(a)myapp.com] -> decoded roles [Administrator] -> realm mapped roles [Administrator] -> domain mapped roles [Administrator]
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years
[JBoss JIRA] (ELY-1440) FlexibleIdentityAssociation should runAs the known SecurityIdentity before associating itself.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1440?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1440:
----------------------------------
Fix Version/s: 1.4.1.CR1
(was: 1.4.0.Final)
> FlexibleIdentityAssociation should runAs the known SecurityIdentity before associating itself.
> ----------------------------------------------------------------------------------------------
>
> Key: ELY-1440
> URL: https://issues.jboss.org/browse/ELY-1440
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: API / SPI
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.4.1.CR1
>
>
> This API was introduced to cover the case where authentication happens late in a request, generally that is quite a rare event.
> Even though the API may be popular it would likely happen once for a session and all future requests for that session the identity would be known in advance.
> At the moment by not running as the existing identity we are loosing all automatic identity outflow opportunities as calls pass from the servlet container to the EJB container.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years
[JBoss JIRA] (ELY-1427) Credential store type PKCS12 works fine when using OracleJDK and OpenJDK but doesn't work using IBM JDK.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1427?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1427:
----------------------------------
Fix Version/s: 1.4.1.CR1
(was: 1.4.0.Final)
> Credential store type PKCS12 works fine when using OracleJDK and OpenJDK but doesn't work using IBM JDK.
> --------------------------------------------------------------------------------------------------------
>
> Key: ELY-1427
> URL: https://issues.jboss.org/browse/ELY-1427
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Credential Store
> Reporter: Hynek Švábek
> Priority: Critical
> Fix For: 1.4.1.CR1
>
>
> Credential store type PKCS12 works fine when using OracleJDK and OpenJDK.
> Problem occurs when we use IBM JDK, add-alias works fine for first time, but for add-alias for second time with same alias name we expect message about duplicity rather than current error message about SecretKeyFactory not availability.
> {code}
> "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: WFLYELY00009: Unable to complete operation. 'ELY09504: Cannot acquire a credential from the credential store->Get Key failed: 1.2.840.113549.1.7.1 SecretKeyFactory not available->1.2.840.113549.1.7.1 SecretKeyFactory not available'",
> {code}
> *NOTE*
> I met same problem with Oracle JDK 1.8 u66, with u144 is everythink ok.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years