[JBoss JIRA] (WFLY-11500) Some web clustering tests fail with security manager
by Radoslav Husar (Jira)
[ https://issues.jboss.org/browse/WFLY-11500?page=com.atlassian.jira.plugin... ]
Radoslav Husar commented on WFLY-11500:
---------------------------------------
[~jamezp] Yeah, see https://issues.jboss.org/browse/WFLY-11511?focusedCommentId=13676659&page.... Resolved with 9.4.6.Final.
> Some web clustering tests fail with security manager
> ----------------------------------------------------
>
> Key: WFLY-11500
> URL: https://issues.jboss.org/browse/WFLY-11500
> Project: WildFly
> Issue Type: Task
> Components: Clustering, Test Suite
> Affects Versions: No Release
> Reporter: Ondrej Kotek
> Assignee: Radoslav Husar
> Priority: Major
> Labels: security-manager
> Fix For: 16.0.0.Beta1
>
>
> Five web clustering tests fail with security manager due to missing permissions:
> {noformat}
> ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /ConcurrentFineWebFailoverTestCase/simple: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "accessDeclaredMembers")" in code source "(vfs:/content/ConcurrentFineWebFailoverTestCase.war/WEB-INF/classes <no signer certificates>)" of "ModuleClassLoader for Module "deployment.ConcurrentFineWebFailoverTestCase.war" from Service Module Loader")
> at org.wildfly.security.elytron-private@1.7.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:294)
> at org.wildfly.security.elytron-private@1.7.0.Final//org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:191)
> at java.base/java.lang.Class.checkMemberAccess(Class.java:2848)
> at java.base/java.lang.Class.getDeclaredMethod(Class.java:2472)
> at org.infinispan.commons@9.4.4.Final//org.infinispan.commons.util.ReflectionUtil.findMethod(ReflectionUtil.java:102)
> at org.infinispan@9.4.4.Final//org.infinispan.factories.components.ComponentMetadataRepo.initInjectionMethods(ComponentMetadataRepo.java:219)
> at org.infinispan@9.4.4.Final//org.infinispan.factories.components.ComponentMetadataRepo.initMetadata(ComponentMetadataRepo.java:129)
> at org.infinispan@9.4.4.Final//org.infinispan.factories.components.ComponentMetadataRepo.getComponentMetadata(ComponentMetadataRepo.java:119)
> at org.infinispan@9.4.4.Final//org.infinispan.factories.impl.BasicComponentRegistryImpl.wireDependencies(BasicComponentRegistryImpl.java:189)
> at org.infinispan@9.4.4.Final//org.infinispan.factories.AbstractComponentRegistry.wireDependencies(AbstractComponentRegistry.java:102)
> at org.infinispan@9.4.4.Final//org.infinispan.commands.write.ComputeCommand.<init>(ComputeCommand.java:51)
> at org.infinispan@9.4.4.Final//org.infinispan.commands.CommandsFactoryImpl.buildComputeCommand(CommandsFactoryImpl.java:283)
> at org.infinispan@9.4.4.Final//org.infinispan.cache.impl.CacheImpl.computeInternal(CacheImpl.java:337)
> at org.infinispan@9.4.4.Final//org.infinispan.cache.impl.DecoratedCache.compute(DecoratedCache.java:710)
> at org.infinispan@9.4.4.Final//org.infinispan.cache.impl.DecoratedCache.compute(DecoratedCache.java:630)
> at org.infinispan@9.4.4.Final//org.infinispan.cache.impl.AbstractDelegatingCache.compute(AbstractDelegatingCache.java:393)
> at org.infinispan@9.4.4.Final//org.infinispan.cache.impl.EncoderCache.compute(EncoderCache.java:642)
> at org.infinispan@9.4.4.Final//org.infinispan.cache.impl.AbstractDelegatingCache.compute(AbstractDelegatingCache.java:393)
> at org.wildfly.clustering.web.infinispan@16.0.0.Beta1-SNAPSHOT//org.wildfly.clustering.web.infinispan.session.fine.FineSessionAttributes.setAttribute(FineSessionAttributes.java:94)
> at org.wildfly.clustering.web.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.clustering.web.undertow.session.DistributableSession.setAttribute(DistributableSession.java:173)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.spec.HttpSessionImpl.setAttribute(HttpSessionImpl.java:169)
> at deployment.ConcurrentFineWebFailoverTestCase.war//org.jboss.as.test.clustering.single.web.SimpleServlet.doGet(SimpleServlet.java:73)
> at javax.servlet.api@1.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:686)
> at javax.servlet.api@1.0.0.Final//javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at io.opentracing.contrib.opentracing-jaxrs2//io.opentracing.contrib.jaxrs2.server.SpanFinishingFilter.doFilter(SpanFinishingFilter.java:55)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.core@2.0.15.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.core@2.0.15.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow@16.0.0.Beta1-SNAPSHOT//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:110)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at io.undertow.servlet@2.0.15.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:107)
> at io.undertow.core@2.0.15.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> at io.undertow.core@2.0.15.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> at org.jboss.threads@2.3.2.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> at org.jboss.threads@2.3.2.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> at java.base/java.lang.Thread.run(Thread.java:834)
> {noformat}
> Affected test cases:
> * {{org.jboss.as.test.clustering.cluster.web.ConcurrentFineWebFailoverTestCase#test}}
> * {{org.jboss.as.test.clustering.cluster.web.FineWebFailoverTestCase#test}}
> * {{org.jboss.as.test.clustering.cluster.web.async.AsyncServletTestCase#test}}
> * {{org.jboss.as.test.clustering.cluster.web.expiration.FineSessionExpirationTestCase#test}}
> * {{org.jboss.as.test.clustering.cluster.web.passivation.FineSessionPassivationTestCase#test}}
--
This message was sent by Atlassian Jira
(v7.12.1#712002)
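The trace above is a Java 2 security stack walk failing, not an Infinispan bug in the cache logic: Infinispan's ReflectionUtil.findMethod calls Class.getDeclaredMethod, which requires RuntimePermission("accessDeclaredMembers") from every protection domain on the call stack, and the deployment's WEB-INF/classes code source (SimpleServlet.doGet is lower on the stack) was never granted it. The usual library-side fix is to perform the reflective lookup inside AccessController.doPrivileged, which stops the stack walk at the trusted module's frame. The following is an added example written for this page, not WildFly or Infinispan code; the class name, the all-permissions Policy that makes the demo class play the trusted module, and the empty-permissions protection domain that stands in for the WAR are assumptions made to keep it self-contained. It compiles and runs with javac/java on JDK 8 to 17; JDK 18 to 23 need -Djava.security.manager=allow, and JDK 24 disables the security manager entirely.

```java
import java.lang.reflect.Method;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Added example for this page (not WildFly or Infinispan code). Shows why a trusted
 * module's reflection fails when an unprivileged deployment is on the call stack, and
 * how wrapping the lookup in doPrivileged confines the permission check to the module.
 */
public class PrivilegedReflectionDemo {

    // Stand-in for a library lookup such as Infinispan's ReflectionUtil.findMethod.
    // Without a privileged block, every protection domain on the stack, including the
    // deployment that called into the library, must hold accessDeclaredMembers.
    static Method findMethodDirect(Class<?> type, String name) throws NoSuchMethodException {
        return type.getDeclaredMethod(name);
    }

    // The same lookup inside doPrivileged: the stack walk stops at this frame, so only
    // the library's own protection domain is checked, not the deployment's.
    static Method findMethodPrivileged(Class<?> type, String name) {
        return AccessController.doPrivileged((PrivilegedAction<Method>) () -> {
            try {
                return type.getDeclaredMethod(name);
            } catch (NoSuchMethodException e) {
                throw new IllegalStateException(e);
            }
        });
    }

    // Runs an action as if called from a deployment whose code source holds no permissions.
    // This static, empty-permission domain is an assumed stand-in for the WAR's domain.
    static <T> T runAsUnprivilegedDeployment(PrivilegedAction<T> action) {
        ProtectionDomain deployment = new ProtectionDomain(
                new CodeSource((URL) null, (Certificate[]) null), new Permissions());
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { deployment });
        return AccessController.doPrivileged(action, ctx);
    }

    public static void main(String[] args) {
        // Grant everything to this class so it plays the trusted module; the static
        // deployment domain above never consults this policy.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Reflect over a bootstrap class: the JDK skips the accessDeclaredMembers check
        // when caller and target share a class loader, as they would for a local class.
        try {
            runAsUnprivilegedDeployment(() -> {
                try {
                    return findMethodDirect(String.class, "length");
                } catch (NoSuchMethodException e) {
                    throw new IllegalStateException(e);
                }
            });
            System.out.println("direct lookup: unexpectedly allowed");
        } catch (AccessControlException e) {
            System.out.println("direct lookup denied: " + e.getPermission());
        }

        Method m = runAsUnprivilegedDeployment(() -> findMethodPrivileged(String.class, "length"));
        System.out.println("privileged lookup succeeded: " + m);
    }
}
```

The deployment-side alternative is to grant the permission to the WAR itself in META-INF/permissions.xml (the Java EE 7 mechanism WildFly honours), but that widens what every class in the deployment may do; keeping the privileged block inside the trusted module is the least-privilege option and is what a library fix for a trace like the one above looks like. Note also the caveat the demo works around: because the check is skipped when caller and target share a class loader, a unit test that reflects over its own classes will not reproduce the failure; it only appears across module boundaries, exactly as in the test suite.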
[JBoss JIRA] (ELY-1677) Elytron Bearer Token Authentication - Return a 401 on Invalid Token
by Martin Mazanek (Jira)
[ https://issues.jboss.org/browse/ELY-1677?page=com.atlassian.jira.plugin.s... ]
Martin Mazanek reassigned ELY-1677:
-----------------------------------
Assignee: Martin Mazanek (was: Darran Lofthouse)
> Elytron Bearer Token Authentication - Return a 401 on Invalid Token
> -------------------------------------------------------------------
>
> Key: ELY-1677
> URL: https://issues.jboss.org/browse/ELY-1677
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: Authentication Mechanisms
> Affects Versions: 1.7.0.CR1
> Reporter: Edward Stathopoulos
> Assignee: Martin Mazanek
> Priority: Major
> Fix For: 1.8.0.CR3
>
>
> *Issue*
> Currently, Elytron will send back a 403 Response when an invalid bearer token is sent. For the built-in JWT validator (the token validation we are using), this [includes a few checks like signature, expiration time, audience and issuer|https://github.com/wildfly-security/wildfly-elytron/blob/1.7.0.CR1...].
> It seems that the current [BearerTokenAuthenticationMechanism|https://github.com/wildfly-security/wi...] does not differentiate between failed authentication and failed authorization, returning a 403 in both cases. This produces conflicting and erroneous results. Did I fail to authenticate (say, expired JWT) or did I authenticate but do not have access to the resource in question?
> This would also be more closely in line with [RFC 6750 (The OAuth 2.0 Authorization Framework: Bearer Token Usage)|https://tools.ietf.org/html/rfc6750#section-3], which includes an example of an expired (invalid) token.
> {quote}
> And in response to a protected resource request with an
> authentication attempt using an expired access token:
>
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Bearer realm="example",
>                   error="invalid_token",
>                   error_description="The access token expired"
> {quote}
> *Potential Solution*
> Perhaps this could be ameliorated by something akin to the following change in BearerTokenAuthenticationMechanism::evaluateRequest, differentiating between failure to authorize and failure to authenticate the token. Merely a quick, unvetted example, as I haven't had enough time to dig into the source.
> {code}
> if (verifyCallback.isVerified()) {
>     // Token verified (signature, expiry, audience, issuer): now ask whether the identity is authorized.
>     AuthorizeCallback authorizeCallback = new AuthorizeCallback(null, null);
>     handleCallback(authorizeCallback);
>     if (authorizeCallback.isAuthorized()) {
>         httpBearer.debugf("Token authentication successful.");
>         handleCallback(new IdentityCredentialCallback(new BearerTokenCredential(tokenEvidence.getToken()), true));
>         handleCallback(AuthenticationCompleteCallback.SUCCEEDED);
>         request.authenticationComplete();
>         return;
>     } else {
>         // Authenticated but not authorized: 403 is the right answer here.
>         httpBearer.debugf("Token authorization failed message.");
>         request.authenticationFailed("Some token unauthorized message", response -> response.setStatusCode(FORBIDDEN));
>         return;
>     }
> }
> // Token could not be verified at all: 401 rather than 403.
> httpBearer.debugf("Token authentication failed.");
> request.authenticationFailed("Invalid bearer token", response -> response.setStatusCode(UNAUTHORIZED));
> return;
> {code}
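To make the authentication/authorization split above concrete end to end, the following is an added example written for this page, not Elytron code: it verifies an HS256-signed JWT (signature, then iss, aud and exp, the checks the description lists) and maps each outcome to the RFC 6750 section 3.1 response, 401 with error="invalid_token" when the token fails verification, 403 with error="insufficient_scope" when it verifies but lacks the required scope, and a bare 401 challenge when no token is presented at all. The realm, the key, the claim values, the scope names and the token-minting helper are constructed for the demo, and the flat JSON parser is a stand-in for a real JSON library.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example for this page, not Elytron code: verify an HS256 bearer token and map the
// outcome to RFC 6750 responses (401 invalid_token vs 403 insufficient_scope).
public class BearerTokenResponses {
    static final String REALM = "example";  // assumed realm name

    /** HTTP status plus the WWW-Authenticate header to send (null when the request is allowed). */
    static final class Outcome {
        final int status;
        final String wwwAuthenticate;
        Outcome(int status, String header) { this.status = status; this.wwwAuthenticate = header; }
        @Override public String toString() { return status + (wwwAuthenticate == null ? "" : "  WWW-Authenticate: " + wwwAuthenticate); }
    }

    // RFC 6750 section 3.1: invalid_token is a 401, insufficient_scope is a 403.
    static Outcome unauthorized(String description) {
        return new Outcome(401, "Bearer realm=\"" + REALM + "\", error=\"invalid_token\", error_description=\"" + description + "\"");
    }
    static Outcome forbidden(String requiredScope) {
        return new Outcome(403, "Bearer realm=\"" + REALM + "\", error=\"insufficient_scope\", scope=\"" + requiredScope + "\"");
    }

    /** Checks signature, iss, aud and exp (authentication), then the required scope (authorization). */
    static Outcome evaluate(String token, byte[] key, String issuer, String audience, String requiredScope, long nowSeconds) {
        // No credentials at all: challenge without an error code (RFC 6750 section 3).
        if (token == null) return new Outcome(401, "Bearer realm=\"" + REALM + "\"");
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) return unauthorized("Malformed token");
        byte[] payload, presentedSig;
        try {
            payload = Base64.getUrlDecoder().decode(parts[1]);
            presentedSig = Base64.getUrlDecoder().decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return unauthorized("Malformed token");
        }
        // Verify the signature before trusting any claim. The header's "alg" is deliberately
        // ignored: the verifier, not the token, chooses the algorithm (no alg=none downgrade).
        byte[] expectedSig = hmacSha256(key, parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expectedSig, presentedSig)) return unauthorized("Invalid signature");
        Map<String, String> claims = flatJson(new String(payload, StandardCharsets.UTF_8));
        if (!issuer.equals(claims.get("iss"))) return unauthorized("Unknown issuer");
        if (!audience.equals(claims.get("aud"))) return unauthorized("Wrong audience");
        try {
            if (Long.parseLong(claims.getOrDefault("exp", "")) <= nowSeconds) return unauthorized("The access token expired");
        } catch (NumberFormatException e) {
            return unauthorized("Missing or malformed exp claim");
        }
        // Authenticated. Authorization is a separate decision and gets its own status code.
        for (String granted : claims.getOrDefault("scope", "").split(" ")) {
            if (granted.equals(requiredScope)) return new Outcome(200, null);
        }
        return forbidden(requiredScope);
    }

    static byte[] hmacSha256(byte[] key, String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Demo-only parser for a flat JSON object with string and integer members; use a real JSON library in production.
    static Map<String, String> flatJson(String json) {
        Map<String, String> out = new HashMap<>();
        Matcher m = Pattern.compile("\"([^\"]+)\"\\s*:\\s*(?:\"([^\"]*)\"|(-?\\d+))").matcher(json);
        while (m.find()) out.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        return out;
    }

    // Issues a signed token; that is the authorization server's job and is here only to keep the demo self-contained.
    static String mint(byte[] key, String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String head = enc.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return head + "." + body + "." + enc.encodeToString(hmacSha256(key, head + "." + body));
    }

    public static void main(String[] args) {
        byte[] key = "constructed-demo-key-do-not-reuse".getBytes(StandardCharsets.UTF_8);  // constructed secret
        long now = 1_700_000_000L;  // fixed clock so the run is reproducible
        String iss = "https://issuer.example", aud = "api";
        String good = mint(key, "{\"iss\":\"" + iss + "\",\"aud\":\"" + aud + "\",\"exp\":" + (now + 300) + ",\"scope\":\"read write\"}");
        String expired = mint(key, "{\"iss\":\"" + iss + "\",\"aud\":\"" + aud + "\",\"exp\":" + (now - 1) + ",\"scope\":\"read write\"}");
        String readOnly = mint(key, "{\"iss\":\"" + iss + "\",\"aud\":\"" + aud + "\",\"exp\":" + (now + 300) + ",\"scope\":\"read\"}");
        // Constructed attack: splice the "read write" payload onto the read-only token's signature.
        String[] g = good.split("\\."), r = readOnly.split("\\.");
        String spliced = r[0] + "." + g[1] + "." + r[2];
        for (String t : new String[] { good, expired, readOnly, spliced, null }) {
            System.out.println(evaluate(t, key, iss, aud, "write", now));
        }
    }
}
```

Two details matter beyond the status code itself: RFC 7235 requires every 401 to carry a WWW-Authenticate header, so the challenge is built into the Outcome rather than left to the caller, and the signature is checked before any claim is read, so an expired or wrong-audience description is only ever reported for a token the server actually issued. The spliced token in main is the case the 401/403 split protects against in practice: a client that reuses a valid payload under someone else's signature must get invalid_token, not a misleading insufficient_scope.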
[JBoss JIRA] (DROOLS-3642) Add indicator during project dependency resolution after first scenario creation
by Daniele Zonca (Jira)
Daniele Zonca created DROOLS-3642:
-------------------------------------
Summary: Add indicator during project dependency resolution after first scenario creation
Key: DROOLS-3642
URL: https://issues.jboss.org/browse/DROOLS-3642
Project: Drools
Issue Type: Bug
Components: Scenario Simulation and Testing
Reporter: Daniele Zonca
Assignee: Gabriele Cardosi
When the user creates the first scenario in the project, there is a BC dependency resolution routine that takes 5 to 10 seconds, and in the meantime the editor seems broken (empty).
Add an indicator during the whole loading process to warn the user about the additional time to wait.
[JBoss JIRA] (ELY-1627) Clustered SSO does not work in simple test case
by Darran Lofthouse (Jira)
[ https://issues.jboss.org/browse/ELY-1627?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse commented on ELY-1627:
---------------------------------------
Unassigned for now - ELY-1464 should be improving what we cache. We still need to revisit how programmatic auth fits into SSO, but I have some other areas I would like to revisit first, such as identity propagation.
> Clustered SSO does not work in simple test case
> -----------------------------------------------
>
> Key: ELY-1627
> URL: https://issues.jboss.org/browse/ELY-1627
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Ilia Vassilev
> Priority: Major
>
> Clustered SSO does not work in the following use case:
> 1. start node1 and node2
> 2. hit webapp1 on node1 and login (FORM auth)
> 3. stop node1
> 4. start node1
> 5. hit webapp1 on node1 ... user is asked to login again (clustered sso failed)
> I have noticed that if I hit another web application (webapp2 on node1) between steps 2 and 3, then clustered sso works fine.
> I use this test case to verify that a customer's cluster environment is working correctly and to remove load balancer issues (sticky sessions, etc.) from the equation.