[JBoss JIRA] (WFLY-11808) Unable to do jndi lookup when starting batch job from web console
by Cheng Fang (Jira)
[ https://issues.redhat.com/browse/WFLY-11808?page=com.atlassian.jira.plugi... ]
Cheng Fang edited comment on WFLY-11808 at 8/10/20 12:20 AM:
-------------------------------------------------------------
We could pass {{EEModuleDescription}} to {{BatchEnvironmentService}} instead of {{JobOperatorService}}. In {{BatchEnvironmentService}} when we create {{NamespaceContextHandle}}, we can just use the selector from {{EEModuleDescription}}, by changing {{NamespaceContextHandle}} constructor to take the deployment's namespace selector, without using the one from the thread. This should work for job executions started from either application, or from management.
This will allow us to keep the naming context switch logic inside {{NamespaceContextHandle}}. This class sets the correct contextual objects on the thread that will be running batch job tasks, and resets them from the thread when it's done processing batch tasks.
was (Author: cfang):
We could pass {{EEModuleDescription}} to {{BatchEnvironmentService}} instead of {{JobOperatorService}}. In {{BatchEnvironmentService}} when we create {{NamespaceContextHandle}}, we can just use the selector from {{EEModuleDescription}}, by changing {{NamespaceContextHandle}} constructor to take the deployment's namespace selector, without using the one from the thread. This should work for job executions started from either application, or from management.
> Unable to do jndi lookup when starting batch job from web console
> -----------------------------------------------------------------
>
> Key: WFLY-11808
> URL: https://issues.redhat.com/browse/WFLY-11808
> Project: WildFly
> Issue Type: Bug
> Components: Batch
> Affects Versions: 16.0.0.Final
> Reporter: Cheng Fang
> Assignee: Michal Petrov
> Priority: Major
> Attachments: Default Task Thread.png, External Management Request Thread.png, Screen Shot 2019-03-04 at 10.38.47 PM.png
>
>
> when starting a batch job from web console, jndi lookup inside the application's batch artifacts failed with NameNotFoundException. When the same job is started by the application, the lookups all go well. Need to check if the naming context is properly propagated when starting job from the web console.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
[JBoss JIRA] (WFLY-11808) Unable to do jndi lookup when starting batch job from web console
by Cheng Fang (Jira)
[ https://issues.redhat.com/browse/WFLY-11808?page=com.atlassian.jira.plugi... ]
Cheng Fang commented on WFLY-11808:
-----------------------------------
We could pass {{EEModuleDescription}} to {{BatchEnvironmentService}} instead of {{JobOperatorService}}. In {{BatchEnvironmentService}} when we create {{NamespaceContextHandle}}, we can just use the selector from {{EEModuleDescription}}, by changing {{NamespaceContextHandle}} constructor to take the deployment's namespace selector, without using the one from the thread. This should work for job executions started from either application, or from management.
> Unable to do jndi lookup when starting batch job from web console
> -----------------------------------------------------------------
>
> Key: WFLY-11808
> URL: https://issues.redhat.com/browse/WFLY-11808
> Project: WildFly
> Issue Type: Bug
> Components: Batch
> Affects Versions: 16.0.0.Final
> Reporter: Cheng Fang
> Assignee: Michal Petrov
> Priority: Major
> Attachments: Default Task Thread.png, External Management Request Thread.png, Screen Shot 2019-03-04 at 10.38.47 PM.png
>
>
> when starting a batch job from web console, jndi lookup inside the application's batch artifacts failed with NameNotFoundException. When the same job is started by the application, the lookups all go well. Need to check if the naming context is properly propagated when starting job from the web console.
[JBoss JIRA] (WFLY-13756) User is able to specify credential-reference with only store name
by Jan Stourac (Jira)
[ https://issues.redhat.com/browse/WFLY-13756?page=com.atlassian.jira.plugi... ]
Jan Stourac updated WFLY-13756:
-------------------------------
Description:
It is possible to create a {{credential-reference}} to the credential store just with the name of credential store in question - without specifying {{alias}} (or {{clear-text}} in case of automatic addition of new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). Actual configuration error is revealed when server is reloaded with following error message in server log (note that I can see this error in case of 'key-store' example but not in case of 'imap' example - see Reproduction steps for this issue):
{code}
22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("key-store" => "exampleKS")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
{code}
This misconfiguration is not possible to do in {{Wildfly 19.1.0.Final}} as you are requested to specify {{alias}} attribute too.
I suspect that change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
Correct behavior is to require credential store name and:
# 'alias'
# or 'alias' and 'clear-text'
# or 'clear-text' (alias will be generated automatically in this case)
as described in the referenced documentation.
was:
It is possible to create a {{credential-reference}} to the credential store just with the name of credential store in question - without specifying {{alias}} (or {{clear-text}} in case of automatic addition of new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). Actual configuration error is revealed when server is reloaded with following error message in server log:
{code}
22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("key-store" => "exampleKS")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
{code}
This misconfiguration is not possible to do in {{Wildfly 19.1.0.Final}} as you are requested to specify {{alias}} attribute too.
I suspect that change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
Correct behavior is to require credential store name and:
# 'alias'
# or 'alias' and 'clear-text'
# or 'clear-text' (alias will be generated automatically in this case)
as described in the referenced documentation.
> User is able to specify credential-reference with only store name
> -----------------------------------------------------------------
>
> Key: WFLY-13756
> URL: https://issues.redhat.com/browse/WFLY-13756
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 20.0.0.Final, 20.0.1.Final
> Reporter: Jan Stourac
> Assignee: Darran Lofthouse
> Priority: Major
>
> It is possible to create a {{credential-reference}} to the credential store just with the name of credential store in question - without specifying {{alias}} (or {{clear-text}} in case of automatic addition of new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). Actual configuration error is revealed when server is reloaded with following error message in server log (note that I can see this error in case of 'key-store' example but not in case of 'imap' example - see Reproduction steps for this issue):
> {code}
> 22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("key-store" => "exampleKS")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
> Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
> {code}
> This misconfiguration is not possible to do in {{Wildfly 19.1.0.Final}} as you are requested to specify {{alias}} attribute too.
> I suspect that change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
> Correct behavior is to require credential store name and:
> # 'alias'
> # or 'alias' and 'clear-text'
> # or 'clear-text' (alias will be generated automatically in this case)
> as described in the referenced documentation.
[JBoss JIRA] (WFLY-13756) User is able to specify credential-reference with only store name
by Jan Stourac (Jira)
[ https://issues.redhat.com/browse/WFLY-13756?page=com.atlassian.jira.plugi... ]
Jan Stourac updated WFLY-13756:
-------------------------------
Steps to Reproduce:
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store - with neither the alias nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither 'alias' nor the 'clear-text' attribute
# let's now try 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails which is correct
# now let's try in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# first command passes successfully (that is correct), second command passes successfully too even though it should fail
# now after the 'reload' operation we can see following error in server.log:
{code}
23:28:35,534 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("key-store" => "exampleKS")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
{code}
was:
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store - with neither the alias nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither 'alias' nor the 'clear-text' attribute
# let's now try 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails which is correct
# now let's try in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# first command passes successfully (that is correct), second command passes successfully too even though it should fail
> User is able to specify credential-reference with only store name
> -----------------------------------------------------------------
>
> Key: WFLY-13756
> URL: https://issues.redhat.com/browse/WFLY-13756
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 20.0.0.Final, 20.0.1.Final
> Reporter: Jan Stourac
> Assignee: Darran Lofthouse
> Priority: Major
>
> It is possible to create a {{credential-reference}} to the credential store just with the name of credential store in question - without specifying {{alias}} (or {{clear-text}} in case of automatic addition of new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). Actual configuration error is revealed when server is reloaded with following error message in server log:
> {code}
> 22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("key-store" => "exampleKS")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
> Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
> {code}
> This misconfiguration is not possible to do in {{Wildfly 19.1.0.Final}} as you are requested to specify {{alias}} attribute too.
> I suspect that change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
> Correct behavior is to require credential store name and:
> # 'alias'
> # or 'alias' and 'clear-text'
> # or 'clear-text' (alias will be generated automatically in this case)
> as described in the referenced documentation.
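The rule stated in the description (a store name must come with 'alias', 'alias' and 'clear-text', or 'clear-text'), as an added example that is not part of the original report or of WildFly's code: a Python linter for jboss-cli scripts that flags store-only references before they are sent to the server. The function names are hypothetical; the sample commands are the ones from the reproduction steps.

```python
import re

# credential-reference={...} inside add(...), or
# name=credential-reference,value={...} inside write-attribute(...).
# Values containing braces (expressions) are not matched and so not judged.
CRED_REF = re.compile(r"credential-reference\s*(?:=|,\s*value\s*=)\s*\{([^{}]*)\}")
# Resource address and operation name at the start of a CLI command.
OPERATION = re.compile(r"^(/\S+?):([\w-]+)\(")

# The commands from the reproduction steps, in the order they are given.
PAGE_COMMANDS = [
    "/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)",
    "/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})",
    "/subsystem=mail/mail-session=default/server=imap:remove()",
    "/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)",
    "/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})",
    "/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})",
    "/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})",
    "/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})",
]


def parse_cred_ref(body):
    """Turn 'store=a, alias=b' into {'store': 'a', 'alias': 'b'}.

    Limitation of this sketch: a value that itself contains a comma
    would be split; '=' inside a value is handled.
    """
    fields = {}
    for part in body.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_cred_ref(fields):
    """Return a problem string for a store-only reference, else None.

    Only the case from the report is judged: 'store' present with neither
    'alias' nor 'clear-text'. References without 'store' are left alone.
    """
    has_store = bool(fields.get("store"))
    has_alias = bool(fields.get("alias"))
    has_clear = bool(fields.get("clear-text"))
    if has_store and not (has_alias or has_clear):
        return "store '%s' given without 'alias' or 'clear-text'" % fields["store"]
    return None


def audit(commands):
    """Return (line number, address, operation, problem) per flagged command."""
    findings = []
    for lineno, command in enumerate(commands, start=1):
        command = command.strip()
        ref = CRED_REF.search(command)
        if ref is None:
            continue  # command carries no credential-reference at all
        problem = check_cred_ref(parse_cred_ref(ref.group(1)))
        if problem is None:
            continue
        op = OPERATION.match(command)
        address, name = op.groups() if op else ("?", "?")
        findings.append((lineno, address, name, problem))
    return findings


if __name__ == "__main__":
    for lineno, address, name, problem in audit(PAGE_COMMANDS):
        print("line %d: %s:%s -> %s" % (lineno, address, name, problem))
```

The linter flags all four store-only commands, including the two `write-attribute` calls and the imap `add` that the report says the server accepted.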
[JBoss JIRA] (WFLY-13756) User is able to specify credential-reference with only store name
by Jan Stourac (Jira)
[ https://issues.redhat.com/browse/WFLY-13756?page=com.atlassian.jira.plugi... ]
Jan Stourac updated WFLY-13756:
-------------------------------
Steps to Reproduce:
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store - with neither the alias nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither 'alias' nor the 'clear-text' attribute
# let's now try 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails which is correct
# now let's try in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# first command passes successfully (that is correct), second command passes successfully too even though it should fail
was:
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store - with neither the alias nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither 'alias' nor the 'clear-text' attribute
# let's now try 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails which is correct
# now let's try in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# first command passes successfully (that is correct), second command passes successfully too even though it should fail
> User is able to specify credential-reference with only store name
> -----------------------------------------------------------------
>
> Key: WFLY-13756
> URL: https://issues.redhat.com/browse/WFLY-13756
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 20.0.0.Final, 20.0.1.Final
> Reporter: Jan Stourac
> Assignee: Darran Lofthouse
> Priority: Major
>
> It is possible to create a {{credential-reference}} to the credential store just with the name of credential store in question - without specifying {{alias}} (or {{clear-text}} in case of automatic addition of new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). Actual configuration error is revealed when server is reloaded with following error message in server log:
> {code}
> 22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("key-store" => "exampleKS")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
> Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
> {code}
> This misconfiguration is not possible to do in {{Wildfly 19.1.0.Final}} as you are requested to specify {{alias}} attribute too.
> I suspect that change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
> Correct behavior is to require credential store name and:
> # 'alias'
> # or 'alias' and 'clear-text'
> # or 'clear-text' (alias will be generated automatically in this case)
> as described in the referenced documentation.
[JBoss JIRA] (WFLY-13756) User is able to specify credential-reference with only store name
by Jan Stourac (Jira)
[ https://issues.redhat.com/browse/WFLY-13756?page=com.atlassian.jira.plugi... ]
Jan Stourac updated WFLY-13756:
-------------------------------
Steps to Reproduce:
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store - with neither the alias nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither 'alias' nor the 'clear-text' attribute
# let's now try 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails which is correct
# now let's try in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# first command passes successfully (that is correct), second command passes successfully too even though it should fail
was:
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store - with neither the alias nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither 'alias' nor the 'clear-text' attribute
# let's now try 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails which is correct
# now let's try in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# first command passes successfully (that is correct), second command passes successfully too even though it should fail
> User is able to specify credential-reference with only store name
> -----------------------------------------------------------------
>
> Key: WFLY-13756
> URL: https://issues.redhat.com/browse/WFLY-13756
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 20.0.0.Final, 20.0.1.Final
> Reporter: Jan Stourac
> Assignee: Darran Lofthouse
> Priority: Major
>
> It is possible to create a {{credential-reference}} to the credential store just with the name of credential store in question - without specifying {{alias}} (or {{clear-text}} in case of automatic addition of new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). Actual configuration error is revealed when server is reloaded with following error message in server log:
> {code}
> 22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("key-store" => "exampleKS")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
> Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
> {code}
> This misconfiguration is not possible to do in {{Wildfly 19.1.0.Final}} as you are requested to specify {{alias}} attribute too.
> I suspect that change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
> Correct behavior is to require credential store name and:
> # 'alias'
> # or 'alias' and 'clear-text'
> # or 'clear-text' (alias will be generated automatically in this case)
> as described in the referenced documentation.
[JBoss JIRA] (WFLY-13756) User is able to specify credential-reference with only store name
by Jan Stourac (Jira)
[ https://issues.redhat.com/browse/WFLY-13756?page=com.atlassian.jira.plugi... ]
Jan Stourac updated WFLY-13756:
-------------------------------
Steps to Reproduce:
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store - with neither the alias nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither 'alias' nor the 'clear-text' attribute
# let's now try 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails which is correct
# now let's try in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# first command passes successfully (that is correct), second command passes successfully too even though it should fail
was:
I'll provide in a matter of minutes...
> User is able to specify credential-reference with only store name
> -----------------------------------------------------------------
>
> Key: WFLY-13756
> URL: https://issues.redhat.com/browse/WFLY-13756
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 20.0.0.Final, 20.0.1.Final
> Reporter: Jan Stourac
> Assignee: Darran Lofthouse
> Priority: Major
>
> It is possible to create a {{credential-reference}} to the credential store just with the name of credential store in question - without specifying {{alias}} (or {{password}} in case of automatic addition of new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). Actual configuration error is revealed when server is reloaded with following error message in server log:
> {code}
> 22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("key-store" => "exampleKS")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
> Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
> {code}
> This misconfiguration is not possible to do in {{Wildfly 19.1.0.Final}} as you are requested to specify {{alias}} attribute too.
> I suspect that change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
> Correct behavior is to require credential store name and:
> # 'alias'
> # or 'alias' and 'password'
> # or 'password' (alias will be generated automatically in this case)
> as described in the referenced documentation.
[JBoss JIRA] (WFLY-13756) User is able to specify credential-reference with only store name
by Jan Stourac (Jira)
[ https://issues.redhat.com/browse/WFLY-13756?page=com.atlassian.jira.plugi... ]
Jan Stourac updated WFLY-13756:
-------------------------------
Description:
It is possible to create a {{credential-reference}} to the credential store just with the name of the credential store in question - without specifying {{alias}} (or {{clear-text}} in case of automatic addition of a new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). The actual configuration error is revealed when the server is reloaded, with the following error message in the server log:
{code}
22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("key-store" => "exampleKS")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
{code}
This misconfiguration is not possible in {{WildFly 19.1.0.Final}}, as you are requested to specify the {{alias}} attribute too.
I suspect that the change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
The correct behavior is to require the credential store name and:
# 'alias'
# or 'alias' and 'clear-text'
# or 'clear-text' (alias will be generated automatically in this case)
as described in the referenced documentation.
was:
It is possible to create a {{credential-reference}} to the credential store just with the name of the credential store in question - without specifying {{alias}} (or {{password}} in case of automatic addition of a new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). The actual configuration error is revealed when the server is reloaded, with the following error message in the server log:
{code}
22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("key-store" => "exampleKS")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
{code}
This misconfiguration is not possible in {{WildFly 19.1.0.Final}}, as you are requested to specify the {{alias}} attribute too.
I suspect that the change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
The correct behavior is to require the credential store name and:
# 'alias'
# or 'alias' and 'password'
# or 'password' (alias will be generated automatically in this case)
as described in the referenced documentation.
> User is able to specify credential-reference with only store name
> -----------------------------------------------------------------
>
> Key: WFLY-13756
> URL: https://issues.redhat.com/browse/WFLY-13756
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 20.0.0.Final, 20.0.1.Final
> Reporter: Jan Stourac
> Assignee: Darran Lofthouse
> Priority: Major
>
> It is possible to create a {{credential-reference}} to the credential store just with the name of the credential store in question - without specifying {{alias}} (or {{clear-text}} in case of automatic addition of a new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referenc...]). The actual configuration error is revealed when the server is reloaded, with the following error message in the server log:
> {code}
> 22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("key-store" => "exampleKS")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
> Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
> {code}
> This misconfiguration is not possible in {{WildFly 19.1.0.Final}}, as you are requested to specify the {{alias}} attribute too.
> I suspect that the change in behavior has been introduced thanks to this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
> The correct behavior is to require the credential store name and:
> # 'alias'
> # or 'alias' and 'clear-text'
> # or 'clear-text' (alias will be generated automatically in this case)
> as described in the referenced documentation.
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
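A pre-reload check for the rule stated in the report above, as an added example (not WildFly code and not from the reporter): it scans a server configuration for credential-reference elements that name a store but carry neither alias nor clear-text. The sample XML, its namespaces and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the namespaces and surrounding layout are assumptions.
SAMPLE_CONFIG = """\
<server xmlns="urn:example:server">
  <subsystem xmlns="urn:example:elytron">
    <key-store name="exampleKS">
      <credential-reference store="exampleCS"/>
    </key-store>
    <key-store name="aliasKS">
      <credential-reference store="exampleCS" alias="ks-pass"/>
    </key-store>
    <key-store name="autoKS">
      <credential-reference store="exampleCS" clear-text="constructed-secret"/>
    </key-store>
    <key-store name="inlineKS">
      <credential-reference clear-text="constructed-secret"/>
    </key-store>
  </subsystem>
</server>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def find_incomplete_credential_references(xml_text):
    """Return (owner element, owner name, store) for every credential-reference
    that names a store without an alias or a clear-text value."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if local_name(elem.tag) != "credential-reference":
            continue
        store = elem.get("store")
        if store is None:
            continue  # no store named, so the rule in the report does not apply
        # An empty attribute value is treated the same as a missing one.
        if not elem.get("alias") and not elem.get("clear-text"):
            owner = parents.get(elem)
            owner_tag = local_name(owner.tag) if owner is not None else None
            owner_name = owner.get("name") if owner is not None else None
            findings.append((owner_tag, owner_name, store))
    return findings


if __name__ == "__main__":
    for tag, name, store in find_incomplete_credential_references(SAMPLE_CONFIG):
        print(f"{tag} '{name}': credential-reference to store '{store}' "
              "has neither alias nor clear-text")
```

Running it against a configuration before a reload surfaces the entries that would otherwise fail at boot with WFLYELY00910.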