[JBoss JIRA] (WFCORE-5049) Ensure any java.security.Policy is registered before PolicyConfigurationFactory
by Jeff Mesnil (Jira)
[ https://issues.redhat.com/browse/WFCORE-5049?page=com.atlassian.jira.plug... ]
Jeff Mesnil updated WFCORE-5049:
--------------------------------
Fix Version/s: 13.0.0.Beta3
(was: 13.0.0.Beta2)
> Ensure any java.security.Policy is registered before PolicyConfigurationFactory
> -------------------------------------------------------------------------------
>
> Key: WFCORE-5049
> URL: https://issues.redhat.com/browse/WFCORE-5049
> Project: WildFly Core
> Issue Type: Task
> Components: Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 13.0.0.Beta3
>
>
> A PolicyConfigurationFactory may want to consult the Policy so ensure it is installed first.
> This comes up within the Jakarta EE TCK where the test PolicyConfigurationFactory consults the underlying registered Policy.
> https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/...
> {code}
> 12:11:00,728 ERROR [stderr] (MSC service thread 1-3) java.lang.ClassCastException: org.jboss.modules.ModulesPolicy cannot be cast to com.sun.ts.tests.jacc.provider.TSPolicy
> 12:11:00,728 ERROR [stderr] (MSC service thread 1-3) at com.sun.ts.tests.jacc.provider.TSPolicyConfigurationFactoryImpl.getTSLogger(TSPolicyConfigurationFactoryImpl.java:229)
> 12:11:00,729 ERROR [stderr] (MSC service thread 1-3) at com.sun.ts.tests.jacc.provider.TSPolicyConfigurationFactoryImpl.getPolicyConfigurationFactory(TSPolicyConfigurationFactoryImpl.java:159)
> 12:11:00,729 ERROR [stderr] (MSC service thread 1-3) at com.sun.ts.tests.jacc.provider.TSPolicyConfigurationFactoryImpl.<init>(TSPolicyConfigurationFactoryImpl.java:53)
> 12:11:00,729 ERROR [stderr] (MSC service thread 1-3) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
4 years, 2 months
[JBoss JIRA] (WFCORE-5040) Elytron JASPI fallback causes dependency on PicketBox
by Jeff Mesnil (Jira)
[ https://issues.redhat.com/browse/WFCORE-5040?page=com.atlassian.jira.plug... ]
Jeff Mesnil updated WFCORE-5040:
--------------------------------
Fix Version/s: 13.0.0.Beta3
(was: 13.0.0.Beta2)
> Elytron JASPI fallback causes dependency on PicketBox
> -----------------------------------------------------
>
> Key: WFCORE-5040
> URL: https://issues.redhat.com/browse/WFCORE-5040
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 13.0.0.Beta3
>
>
> The following is logged when PicketBox is not present.
>
> {code:java}
> 2020-07-08 17:35:19,080 TRACE [org.wildfly.extension.elytron] (ServerService Thread Pool -- 16) Unable to load default AuthConfigFactory.: java.lang.IllegalStateException: Failed to find AuthConfigFactory : org.jboss.security.auth.message.config.JBossAuthConfigFactory2020-07-08 17:35:19,080 TRACE [org.wildfly.extension.elytron] (ServerService Thread Pool -- 16) Unable to load default AuthConfigFactory.: java.lang.IllegalStateException: Failed to find AuthConfigFactory : org.jboss.security.auth.message.config.JBossAuthConfigFactory at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:227) at org.wildfly.extension.elytron.ElytronDefinition.getAuthConfigFactory(ElytronDefinition.java:405) at org.wildfly.extension.elytron.ElytronDefinition.access$700(ElytronDefinition.java:112) at org.wildfly.extension.elytron.ElytronDefinition$ElytronAdd.lambda$performBoottime$0(ElytronDefinition.java:499) at org.wildfly.extension.elytron.SecurityActions.doPrivileged(SecurityActions.java:35) at org.wildfly.extension.elytron.ElytronDefinition$ElytronAdd.performBoottime(ElytronDefinition.java:499) at org.jboss.as.controller.AbstractBoottimeAddStepHandler.performRuntime(AbstractBoottimeAddStepHandler.java:119) at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:164) at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999) at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743) at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467) at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:384) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485)Caused by: java.lang.ClassNotFoundException: org.jboss.security.auth.message.config.JBossAuthConfigFactory from [Module "org.wildfly.extension.elytron" version 13.0.0.Beta2-SNAPSHOT from local module loader @5f2108b5 (finder: local module finder @31a5c39e (roots: /home/darranl/tmp/jacc/minimal/modules,/home/darranl/tmp/jacc/minimal/modules/system/layers/base))] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116) at javax.security.auth.message.config.AuthConfigFactory$LoadAction.run(AuthConfigFactory.java:571) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.message.config.AuthConfigFactory.getFactory(AuthConfigFactory.java:211) ... 17 more {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
4 years, 2 months
[JBoss JIRA] (WFCORE-5033) Move org.wildfly.security:wildfly-elytron-jacc into it's own module
by Jeff Mesnil (Jira)
[ https://issues.redhat.com/browse/WFCORE-5033?page=com.atlassian.jira.plug... ]
Jeff Mesnil updated WFCORE-5033:
--------------------------------
Fix Version/s: 13.0.0.Beta3
(was: 13.0.0.Beta2)
> Move org.wildfly.security:wildfly-elytron-jacc into it's own module
> -------------------------------------------------------------------
>
> Key: WFCORE-5033
> URL: https://issues.redhat.com/browse/WFCORE-5033
> Project: WildFly Core
> Issue Type: Task
> Components: Security
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 13.0.0.Beta3
>
>
> Long term it will be desirable for JACC to be within it's own subsystem so it's inclusion can be controlled using layers, however there may be an intermediate step where we split JACC out from the Elytron project so will want to bring it in ideally in it's own module.
> The classes within this module have never been public API so we are free to refactor as needed.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
4 years, 2 months
[JBoss JIRA] (WFCORE-5022) The /subsystem=elytron/policy=* can be simplified a lot further
by Jeff Mesnil (Jira)
[ https://issues.redhat.com/browse/WFCORE-5022?page=com.atlassian.jira.plug... ]
Jeff Mesnil updated WFCORE-5022:
--------------------------------
Fix Version/s: 13.0.0.Beta3
(was: 13.0.0.Beta2)
> The /subsystem=elytron/policy=* can be simplified a lot further
> ---------------------------------------------------------------
>
> Key: WFCORE-5022
> URL: https://issues.redhat.com/browse/WFCORE-5022
> Project: WildFly Core
> Issue Type: Enhancement
> Components: Security
> Affects Versions: 12.0.1.Final
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Priority: Major
> Fix For: 13.0.0.Beta3
>
>
> At the moment this resource is quite verbose but the tasks it performs are very simple.
> {code:java}
> [standalone@localhost:9990 /] /subsystem=elytron/policy=*:read-resource-description
> {
> "outcome" => "success",
> "result" => [{
> "address" => [
> ("subsystem" => "elytron"),
> ("policy" => "*")
> ],
> "outcome" => "success",
> "result" => {
> "description" => "A definition that sets up a policy provider.",
> "max-occurs" => 1,
> "capabilities" => [{
> "name" => "org.wildfly.security.policy",
> "dynamic" => false
> }],
> "access-constraints" => {
> "sensitive" => {"elytron-security" => {"type" => "elytron"}},
> "application" => {"elytron-security" => {"type" => "elytron"}}
> },
> "attributes" => {
> "custom-policy" => {
> "type" => OBJECT,
> "description" => "A custom policy provider definition.",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => true,
> "alternatives" => ["jacc-policy"],
> "value-type" => {
> "class-name" => {
> "type" => STRING,
> "description" => "The name of a java.security.Policy implementation referencing a policy provider.",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "module" => {
> "type" => STRING,
> "description" => "The name of the module to load the provider from.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "default-policy" => {
> "type" => STRING,
> "description" => "Not used.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "deprecated" => {
> "since" => "1.2.0",
> "reason" => "The 'default-policy' attribute is ignored, as a policy resource should be configured with only one policy."
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> "jacc-policy" => {
> "type" => OBJECT,
> "description" => "A policy provider definition that sets up JACC and related services.",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => true,
> "alternatives" => ["custom-policy"],
> "value-type" => {
> "policy" => {
> "type" => STRING,
> "description" => "The name of a java.security.Policy implementation referencing a policy provider.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "default" => "org.wildfly.security.authz.jacc.JaccDelegatingPolicy",
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "configuration-factory" => {
> "type" => STRING,
> "description" => "The name of a javax.security.jacc.PolicyConfigurationFactory implementation referencing a policy configuration factory provider.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "default" => "org.wildfly.security.authz.jacc.ElytronPolicyConfigurationFactory",
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "module" => {
> "type" => STRING,
> "description" => "The name of the module to load the provider from.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> }
> },
> "operations" => undefined,
> "notifications" => undefined,
> "children" => {}
> }
> }]
> }
> {code}
> Firstly it only makes sense to have a single policy defined, the outcome of this resource is JVM wide registration so multiple definitions would lead to undefined behaviour.
> Secondly this provides two primary functions.
> 1. Instantation of [https://docs.oracle.com/javase/8/docs/api/java/security/Policy.html] and registration via a call to [https://docs.oracle.com/javase/8/docs/api/java/security/Policy.html#setPo...]
> This first point needs a class name for the policy as well as a module.
> 2. Registration of the JVM wide [https://jakarta.ee/specifications/platform/8/apidocs/javax/security/jacc/...] again needing a classname and module.
> This is also not working correctly but the immediate bug is being addressed under WFCORE-5020
> The JACC APIs don't actually provide a nice way to register this so maybe this is something we should also propose via the spec, but this piece is effectively a class name and module name.
> We have ended up with custom and jacc variants as alternatives. Really both variants are optional but if the resource is defined at least one must be set.
> It may make sense for JACC to move to it's own subsystem for a couple of reasons.
> The JVM wide policy will likely need to be possible in both subsystems but use a capability to ensure it is defined in only one. We probably should move it's registration into the boot operations so registration is complete before DUPs begin.
> The PolicyConfigurationFactory would then be in a JACC subsystem only. Again handling during a boot operation may be preferable otherwise we see issues like WFLY-13615 but failing that ensuring the deployment depend upon the registration happening may be sufficient.
> Additionally the resource has some hard coded class names for the Policy and PolicyConfigurationFactory, we probably should not have these as class names and instead default to them if not defined - this means we still need a way to optionally activate their registration if JACC is required on the server.
> It probably should also be possible to independently set the module for Policy and PolicyContextHandler as these will presently be shared.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
4 years, 2 months
[JBoss JIRA] (DROOLS-5521) OutOfBound Exception for last DecisionTable cell
by Jozef Marko (Jira)
[ https://issues.redhat.com/browse/DROOLS-5521?page=com.atlassian.jira.plug... ]
Jozef Marko updated DROOLS-5521:
--------------------------------
Labels: drools-tools regression (was: )
> OutOfBound Exception for last DecisionTable cell
> ------------------------------------------------
>
> Key: DROOLS-5521
> URL: https://issues.redhat.com/browse/DROOLS-5521
> Project: Drools
> Issue Type: Bug
> Components: DMN Editor
> Affects Versions: 7.41.0.Final
> Reporter: Jozef Marko
> Assignee: Jozef Marko
> Priority: Major
> Labels: drools-tools, regression
> Attachments: edit-last-cell-of-row-and-press-tab.webm
>
>
> This issue is caused by DROOLS-5442.
> It can be spotted when user start to edit last cell of DMN Decision table row and finish the edit mode by pressing TAB key. It causes an attempt to select next cell of the row and an exception is thrown. See the attached video.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
4 years, 2 months
[JBoss JIRA] (DROOLS-5521) OutOfBound Exception for last DecisionTable cell
by Jozef Marko (Jira)
Jozef Marko created DROOLS-5521:
-----------------------------------
Summary: OutOfBound Exception for last DecisionTable cell
Key: DROOLS-5521
URL: https://issues.redhat.com/browse/DROOLS-5521
Project: Drools
Issue Type: Bug
Components: DMN Editor
Affects Versions: 7.41.0.Final
Reporter: Jozef Marko
Assignee: Jozef Marko
Attachments: edit-last-cell-of-row-and-press-tab.webm
This issue is caused by DROOLS-5442.
It can be spotted when user start to edit last cell of DMN Decision table row and finish the edit mode by pressing TAB key. It causes an attempt to select next cell of the row and an exception is thrown. See the attached video.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
4 years, 2 months
[JBoss JIRA] (WFLY-12815) Wildfly 13 - Thread local state corrupted by deployed application explosion during session timeout leading to WELD-001304 - More than one context active for scope type javax.enterprise.context.SessionScoped
by NUNO GODINHO DE MATOS (Jira)
[ https://issues.redhat.com/browse/WFLY-12815?page=com.atlassian.jira.plugi... ]
NUNO GODINHO DE MATOS commented on WFLY-12815:
----------------------------------------------
Hi,
That sounds great.
I am only not sure about the idea that we should normally be catching exceptions to prevent undersired behaivor like this one. In general, we always allow the application server to be "hammered" by our application exceptions, since the application server layers often do "desired" actions in the face of unexpected errors, such as logging the captured errors, rolling back transactions etc...
I might take some time to test our your fix, but your proposal sounds like a big improvement.
Many thanks.
> Wildfly 13 - Thread local state corrupted by deployed application explosion during session timeout leading to WELD-001304 - More than one context active for scope type javax.enterprise.context.SessionScoped
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-12815
> URL: https://issues.redhat.com/browse/WFLY-12815
> Project: WildFly
> Issue Type: Bug
> Components: CDI / Weld
> Affects Versions: 13.0.0.Final
> Environment: Environment independent the issue, it is purely a logical problem
> Reporter: NUNO GODINHO DE MATOS
> Assignee: Matěj Novotný
> Priority: Major
> Attachments: sourceCodeToSendToWildfly.7z
>
>
> The full description of the problem can be seen in stack overflow.
> Please consulder the issue:
> https://stackoverflow.com/questions/58930939/wildflt-13-weld-001304-more-...
> SUMMARY:
> (1) Setup you wildfly to have a session timeout of 1 minute - so that you can esaily make your http sessions timeout
> (2) Program in your WAR application a sessionDestroyed listener that will be broken.
> In our case whenever the session is timing out, we have some code that explodes in wildfly and not in weblogic because it expected for the RequestScope context to be active, but apparently in wildfly when Undertow to start killing of a session the request scope context is not made active so that caused our session destroyed handling to break
> (3) Do this sufficient amount of times to corrupted as may threads in the thread pool as possible
> (4) Now try to interact with your application making use of some session scoped beans .
> If you travel to ay sort of view that makes use of a session scoped bean that thread will be broken with the exception that multiple session scope context implementation are active.
> But this exception will only come out and aply if the thread handling the HTTP request is one of the threads that in the past were used by undertow to handle the session timeout.
> The only threads that have been corrupted forever are those that had a broken sessin timeout
> Explanation for the issue:
> - When the session timeout is being orchestrated by underdow, wildfly is activating a special HttpSessionDescrutionContext and making it active.
> This ACTIVE TRUE/FALSE flag is a ThreadLocal variable.
> So the activation of the scope context is marked on the thread itself.
> - When the thread blows up the thread context will remain for as long at the thread lives
> - in a future request the flag had that thread local variable active already.
> So when the BeanManagaerImpl is hunting to the one and only active http session context it finds the traditional happy path http session context active plust the DestructionSession context that was activated in a previous call.
> All of the illustrative stack traces that facilitate the comprehention of the issue are shown in the stack overflow thread.
> I am of the oppinion that errors like this can happen in the deployed applications.
> It would not hurt if wildfly would somehow be able to ensure that the thread that hand an explosion in a previous request is not corrupted when it is used to handle new requests.
> Many thanks for having a look.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
4 years, 2 months