[JBoss JIRA] (ELY-1597) Identity Restoration where the Principal is not quite enough.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1597?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1597:
----------------------------------
Fix Version/s: 1.5.5.CR1
(was: 1.5.4.Final)
> Identity Restoration where the Principal is not quite enough.
> -------------------------------------------------------------
>
> Key: ELY-1597
> URL: https://issues.jboss.org/browse/ELY-1597
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Realms
> Reporter: Darran Lofthouse
> Priority: Critical
> Fix For: 1.5.5.CR1
>
>
> Presently our authentication process is build around a SecurityRealm being able to create a RealmIdentity which we then convert to an AuthorizationIdentity which is then converted to a SecurityIdentity after applying appropriate SecurityDomain configured mappings.
> Generally in a SecurityRealm one of two different methods tend to be used to create the RealmIdentity.
> {code:java}
> RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException
> {code}
> or
> {code:java}
> RealmIdentity getRealmIdentity(Evidence evidence) throws RealmUnavailableException
> {code}
> Generally from the realms we know about, where the Principal form of the method is used the realm will likely load the attributes that go into the AuthorizationIdentity from another source, however for the form that takes Evidence often the attributes can be derived from the evidence.
> Where we persist identities to be restored later such as identity propagation, batch, clustering etc we persist the name of the identity and use it to restore the identity using the Principal form of the above methods. For cases where an identity was originally created using evidence we no longer have sufficient information to recreate the identity.
> This Enhancement is to review how we can address this.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (ELY-1504) Support Elytron specific callbacks with JASPIC ServerAuthenticationModules
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1504?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1504:
----------------------------------
Fix Version/s: 1.5.5.CR1
(was: 1.5.4.Final)
> Support Elytron specific callbacks with JASPIC ServerAuthenticationModules
> --------------------------------------------------------------------------
>
> Key: ELY-1504
> URL: https://issues.jboss.org/browse/ELY-1504
> Project: WildFly Elytron
> Issue Type: Feature Request
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.5.5.CR1
>
>
> JASPIC already supports the use of a CallbackHandler for communication between the ServerAuthenticationModule and the container the first stage of implementation is to support the callbacks mandated by the spec - this task is to follow up and add support for Elytron specific callbacks.
> The reason to split this out is we may still want to handle our core lifecycle related callbacks so of the remaining callbacks we will need to decide which ones we want to support.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (ELY-1475) Empty username for FormAuthenticationMechanism causes IllegalArgumentException
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1475?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1475:
----------------------------------
Fix Version/s: 1.5.5.CR1
(was: 1.5.4.Final)
> Empty username for FormAuthenticationMechanism causes IllegalArgumentException
> ------------------------------------------------------------------------------
>
> Key: ELY-1475
> URL: https://issues.jboss.org/browse/ELY-1475
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.2.0.Beta11
> Reporter: Ondrej Lukas
> Assignee: Ilia Vassilev
> Fix For: 1.5.5.CR1
>
>
> In case when empty username is passed to FormAuthenticationMechanism.attemptAuthentication then IllegalArgumentException is thrown from constructor of NameCallback. This happens in cases when form is sent with empty value for j_username.
> See exception:
> {code}
> ERROR [io.undertow.request] (default task-18) UT005023: Exception handling request to /depForm/j_security_check: java.lang.IllegalArgumentException
> at javax.security.auth.callback.NameCallback.<init>(NameCallback.java:90)
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:60)
> at org.wildfly.security.http.impl.FormAuthenticationMechanism.attemptAuthentication(FormAuthenticationMechanism.java:172)
> at org.wildfly.security.http.impl.FormAuthenticationMechanism.evaluateRequest(FormAuthenticationMechanism.java:106)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> {code}
> It seems that [1] should also check {{username.length() == 0}}.
> [1] https://github.com/wildfly-security/wildfly-elytron/blob/32ff7c17965b3eca...
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (WFLY-6168) Huge burst of java.lang.IllegalArgumentException: Segments [18] are not owned by <slave-node>:<server-name>
by Bui Van Nghiem (JIRA)
[ https://issues.jboss.org/browse/WFLY-6168?page=com.atlassian.jira.plugin.... ]
Bui Van Nghiem commented on WFLY-6168:
--------------------------------------
I am obverving the same issue on WildFly 10.1.0.Final. Is this issue related to: ISPN-8587?
> Huge burst of java.lang.IllegalArgumentException: Segments [18] are not owned by <slave-node>:<server-name>
> -----------------------------------------------------------------------------------------------------------
>
> Key: WFLY-6168
> URL: https://issues.jboss.org/browse/WFLY-6168
> Project: WildFly
> Issue Type: Bug
> Components: Clustering
> Affects Versions: 10.0.0.CR4
> Reporter: Thiago Presa
> Assignee: Paul Ferraro
>
> We have a Wildfly 10 CR4 cluster in domain mode with 2 slaves, and we're getting a huge burst of the following log entry:
> 10:57:31,065 WARN [org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p13-t16) ISPN000209: Failed to retrieve transactions for segments [18] of cache dist from node <slave-host>:<server-name>: org.infinispan.remoting.RemoteException: ISPN000217: Received exception from <slave-host>:<server-name>, see cause for remote stack trace
> at org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:44)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:750)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$80(JGroupsTransport.java:589)
> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.futureDone(SingleResponseFuture.java:30)
> at org.jgroups.blocks.Request.checkCompletion(Request.java:169)
> at org.jgroups.blocks.UnicastRequest.receiveResponse(UnicastRequest.java:83)
> at org.jgroups.blocks.RequestCorrelator.receiveMessage(RequestCorrelator.java:398)
> at org.jgroups.blocks.RequestCorrelator.receive(RequestCorrelator.java:250)
> at org.jgroups.blocks.MessageDispatcher$ProtocolAdapter.up(MessageDispatcher.java:684)
> at org.jgroups.JChannel.up(JChannel.java:738)
> at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:119)
> at org.jgroups.stack.Protocol.up(Protocol.java:374)
> at org.jgroups.protocols.FORK.up(FORK.java:114)
> at org.jgroups.protocols.FRAG2.up(FRAG2.java:165)
> at org.jgroups.protocols.FlowControl.up(FlowControl.java:394)
> at org.jgroups.protocols.pbcast.GMS.up(GMS.java:1045)
> at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:234)
> at org.jgroups.protocols.UNICAST3.deliverMessage(UNICAST3.java:1064)
> at org.jgroups.protocols.UNICAST3.handleDataReceived(UNICAST3.java:779)
> at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:426)
> at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:652)
> at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:155)
> at org.jgroups.protocols.FD.up(FD.java:260)
> at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:310)
> at org.jgroups.protocols.MERGE3.up(MERGE3.java:285)
> at org.jgroups.protocols.Discovery.up(Discovery.java:295)
> at org.jgroups.protocols.TP.passMessageUp(TP.java:1577)
> at org.jgroups.protocols.TP$MyHandler.run(TP.java:1796)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.IllegalArgumentException: Segments [18] are not owned by <slave-host>:<server-name>
> at org.infinispan.statetransfer.StateProviderImpl.getTransactionsForSegments(StateProviderImpl.java:166)
> at org.infinispan.statetransfer.StateRequestCommand.perform(StateRequestCommand.java:67)
> at org.infinispan.remoting.inboundhandler.BasePerCacheInboundInvocationHandler.invokePerform(BasePerCacheInboundInvocationHandler.java:92)
> at org.infinispan.remoting.inboundhandler.BaseBlockingRunnable.run(BaseBlockingRunnable.java:34)
> ... 3 more
> It's funny because server-name is not the name of the server where this log entry is found. What may be causing this?
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (WFWIP-12) [Artemis upgrade] Output of CLI operations in messaging subsystem's server changed from 7.1
by Jeff Mesnil (JIRA)
[ https://issues.jboss.org/browse/WFWIP-12?page=com.atlassian.jira.plugin.s... ]
Jeff Mesnil updated WFWIP-12:
-----------------------------
Component/s: JMS
> [Artemis upgrade] Output of CLI operations in messaging subsystem's server changed from 7.1
> -------------------------------------------------------------------------------------------
>
> Key: WFWIP-12
> URL: https://issues.jboss.org/browse/WFWIP-12
> Project: WildFly WIP
> Issue Type: Bug
> Components: Artemis, JMS
> Reporter: Martin Styk
> Assignee: Jeff Mesnil
> Priority: Blocker
> Labels: activemq, feature-branch-blocker
> Original Estimate: 2 hours
> Time Spent: 2 hours
> Remaining Estimate: 0 minutes
>
> Output of CLI operations in messaging subsystem's server element changed and it is is missing some attributes it used to display in EAP 7.1.
> _Affected operations_
> *list-all-consumers-as-json* and *list-consumers-as-json*
> Missing attributes
> * destinationName
> * destinationType
> * durable
> {noformat:title="7.1.0.GA"}
> Result list-all-consumers-as-json{"outcome" => "success","result" => "[{\"consumerID\":0,\"connectionID\":\"-733935378\",\"sessionID\":\"fede1b60-04e9-11e8-9641-cc3d825a3be2\",\"queueName\":\"testSubscriberClientId-hornetqCliOperations.testSubscriber-hqServerCliOperations\",\"browseOnly\":false,\"creationTime\":1517226368495,\"destinationName\":\"testTopic\",\"destinationType\":\"topic\",\"durable\":true}]"}
> {noformat}
> {noformat:title="Wildfly latest with artemis 2.x"}
> Result list-all-consumers-as-json{"outcome" => "success","result" => "[{\"consumerID\":0,\"connectionID\":\"784f1287\",\"sessionID\":\"f146b48e-04e3-11e8-bb50-cc3d825a3be2\",\"queueName\":\"jms.queue.testQueue\",\"browseOnly\":false,\"creationTime\":1517223768695,\"deliveringCount\":8}]"}
> {noformat}
> *list-connections-as-json*
> Missing attributes
> * clientID
> {noformat:title="7.1.0.GA"}
> "result" => "[{\"connectionID\":\"1343044951\",\"clientAddress\":\"/127.0.0.1:57038\",\"creationTime\":1517303830995,\"clientID\":\"testSubscriberClientId-hornetqCliOperations\"},{\"connectionID\":\"2052915500\",\"clientAddress\":\"/127.0.0.1:57040\",\"creationTime\":1517303831216},{\"connectionID\":\"668896556\",\"clientAddress\":\"/127.0.0.1:57042\",\"creationTime\":1517303831210},{\"connectionID\":\"2096792561\",\"clientAddress\":\"/127.0.0.1:57044\",\"creationTime\":1517303831223,\"clientID\":\"testPublisherClientId\"}]"
> {noformat}
> {noformat:title="Wildfly latest with artemis 2.x"}
> "result" => "[{\"connectionID\":\"a8842f44\",\"clientAddress\":\"/127.0.0.1:55938\",\"creationTime\":1517298838294,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"c515bc06\",\"clientAddress\":\"/127.0.0.1:55936\",\"creationTime\":1517298837454,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":0},{\"connectionID\":\"b9a9153f-0592-11e8-80ff-54ee7547c83e\",\"clientAddress\":\"invm:0\",\"creationTime\":1517298837312,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":0},{\"connectionID\":\"fe42578a\",\"clientAddress\":\"/127.0.0.1:55944\",\"creationTime\":1517298838495,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"cde89186\",\"clientAddress\":\"/127.0.0.1:55940\",\"creationTime\":1517298838493,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"480099e7\",\"clientAddress\":\"/127.0.0.1:55942\",\"creationTime\":1517298838495,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2}]"
> {noformat}
> This is compatibility issue, as some scripts may depend on missing attributes. Customer's tooling which used to work with 7.1 may not work now.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months
[JBoss JIRA] (WFWIP-12) [Artemis upgrade] Output of CLI operations in messaging subsystem's server changed from 7.1
by Jeff Mesnil (JIRA)
[ https://issues.jboss.org/browse/WFWIP-12?page=com.atlassian.jira.plugin.s... ]
Jeff Mesnil reopened WFWIP-12:
------------------------------
I'm reopening this issue as it requires changes on the messaging-activemq subsystem once there is an Artemis upstream with the fix that is released.
> [Artemis upgrade] Output of CLI operations in messaging subsystem's server changed from 7.1
> -------------------------------------------------------------------------------------------
>
> Key: WFWIP-12
> URL: https://issues.jboss.org/browse/WFWIP-12
> Project: WildFly WIP
> Issue Type: Bug
> Components: Artemis
> Reporter: Martin Styk
> Assignee: Jeff Mesnil
> Priority: Blocker
> Labels: activemq, feature-branch-blocker
> Original Estimate: 2 hours
> Time Spent: 2 hours
> Remaining Estimate: 0 minutes
>
> Output of CLI operations in messaging subsystem's server element changed and it is is missing some attributes it used to display in EAP 7.1.
> _Affected operations_
> *list-all-consumers-as-json* and *list-consumers-as-json*
> Missing attributes
> * destinationName
> * destinationType
> * durable
> {noformat:title="7.1.0.GA"}
> Result list-all-consumers-as-json{"outcome" => "success","result" => "[{\"consumerID\":0,\"connectionID\":\"-733935378\",\"sessionID\":\"fede1b60-04e9-11e8-9641-cc3d825a3be2\",\"queueName\":\"testSubscriberClientId-hornetqCliOperations.testSubscriber-hqServerCliOperations\",\"browseOnly\":false,\"creationTime\":1517226368495,\"destinationName\":\"testTopic\",\"destinationType\":\"topic\",\"durable\":true}]"}
> {noformat}
> {noformat:title="Wildfly latest with artemis 2.x"}
> Result list-all-consumers-as-json{"outcome" => "success","result" => "[{\"consumerID\":0,\"connectionID\":\"784f1287\",\"sessionID\":\"f146b48e-04e3-11e8-bb50-cc3d825a3be2\",\"queueName\":\"jms.queue.testQueue\",\"browseOnly\":false,\"creationTime\":1517223768695,\"deliveringCount\":8}]"}
> {noformat}
> *list-connections-as-json*
> Missing attributes
> * clientID
> {noformat:title="7.1.0.GA"}
> "result" => "[{\"connectionID\":\"1343044951\",\"clientAddress\":\"/127.0.0.1:57038\",\"creationTime\":1517303830995,\"clientID\":\"testSubscriberClientId-hornetqCliOperations\"},{\"connectionID\":\"2052915500\",\"clientAddress\":\"/127.0.0.1:57040\",\"creationTime\":1517303831216},{\"connectionID\":\"668896556\",\"clientAddress\":\"/127.0.0.1:57042\",\"creationTime\":1517303831210},{\"connectionID\":\"2096792561\",\"clientAddress\":\"/127.0.0.1:57044\",\"creationTime\":1517303831223,\"clientID\":\"testPublisherClientId\"}]"
> {noformat}
> {noformat:title="Wildfly latest with artemis 2.x"}
> "result" => "[{\"connectionID\":\"a8842f44\",\"clientAddress\":\"/127.0.0.1:55938\",\"creationTime\":1517298838294,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"c515bc06\",\"clientAddress\":\"/127.0.0.1:55936\",\"creationTime\":1517298837454,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":0},{\"connectionID\":\"b9a9153f-0592-11e8-80ff-54ee7547c83e\",\"clientAddress\":\"invm:0\",\"creationTime\":1517298837312,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":0},{\"connectionID\":\"fe42578a\",\"clientAddress\":\"/127.0.0.1:55944\",\"creationTime\":1517298838495,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"cde89186\",\"clientAddress\":\"/127.0.0.1:55940\",\"creationTime\":1517298838493,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2},{\"connectionID\":\"480099e7\",\"clientAddress\":\"/127.0.0.1:55942\",\"creationTime\":1517298838495,\"implementation\":\"RemotingConnectionImpl\",\"sessionCount\":2}]"
> {noformat}
> This is compatibility issue, as some scripts may depend on missing attributes. Customer's tooling which used to work with 7.1 may not work now.
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
7 years, 11 months