[JBoss JIRA] (WFLY-13838) plain text j_password appears in the legacy audit log
by Hisanobu Okuda (Jira)
[ https://issues.redhat.com/browse/WFLY-13838?page=com.atlassian.jira.plugi... ]
Hisanobu Okuda updated WFLY-13838:
----------------------------------
Workaround Description: Using an Elytron security-domain, the Elytron audit log does not show the password.
Workaround: Workaround Exists
Security Sensitive Issue: This issue is security relevant
> plain text j_password appears in the legacy audit log
> -----------------------------------------------------
>
> Key: WFLY-13838
> URL: https://issues.redhat.com/browse/WFLY-13838
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Affects Versions: 20.0.1.Final
> Reporter: Hisanobu Okuda
> Assignee: Flavia Rainone
> Priority: Major
> Attachments: web-form-auth.tar.gz
>
>
> The unmasked value of j_password is written in the audit log as `[parameters=guest::,guest::,]`.
> {code}
> 12:48:45,385 TRACE [org.jboss.security.audit] (default task-1) [Success]principal=guest;request=[/test:cookies=[javax.servlet.http.Cookie@46b3f22]:headers=Origin=http://localhost:8080,Cookie=JSESSIONID=dbDjUA6QeA2UXCyyPaqdSSgE4Kjd0_JvxUG7-pBx.localhost,Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8,User-Agent=Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0,Connection=keep-alive,Referer=http://localhost:8080/test/secure/index.jsp,Host=localhost:8080,Accept-Encoding=gzip, deflate,DNT=1,Upgrade-Insecure-Requests=1,Accept-Language=en-US,en;q=0.5,Content-Length=33,Content-Type=application/x-www-form-urlencoded,][parameters=guest::,guest::,][attributes=];message=UT000030: User guest successfully authenticated.;Source=org.wildfly.extension.undertow.security.AuditNotificationReceiver;
> {code}
--
This message was sent by Atlassian Jira
(v7.13.8#713008)
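A defender-side mitigation for the behaviour reported above, added here as an example and not code from WildFly or Undertow: mask credential-bearing form fields (`j_password`) and session cookies before a request's parameters and headers reach an audit record. The class name `AuditRedactor`, its deny-lists and the sample input are assumptions constructed for this example.

```java
import java.util.*;
import java.util.stream.Collectors;

/** Added example (not WildFly/Undertow code): masks credentials before audit logging. */
public final class AuditRedactor {
    private static final String MASK = "***";
    // Assumed deny-lists (lower-cased): the form-auth password field and the servlet session cookie.
    private final Set<String> sensitiveParams = Set.of("j_password");
    private final Set<String> sensitiveCookies = Set.of("jsessionid");

    /** Renders parameters as name=value pairs with sensitive values masked; unlike the
     *  values-only legacy format, the name still shows that the field was present. */
    public String formatParameters(Map<String, String[]> params) {
        return params.entrySet().stream()
            .map(e -> e.getKey() + "=" + (isSensitive(sensitiveParams, e.getKey())
                ? MASK : String.join(",", e.getValue())))
            .collect(Collectors.joining(",", "[parameters=", "]"));
    }

    /** Masks sensitive cookie values in a raw Cookie header such as "DNT=1; JSESSIONID=abc". */
    public String redactCookieHeader(String cookieHeader) {
        return Arrays.stream(cookieHeader.split(";\\s*")).map(c -> {
            int eq = c.indexOf('=');
            if (eq < 0) return c;                     // malformed pair: leave as-is
            String name = c.substring(0, eq);
            return isSensitive(sensitiveCookies, name) ? name + "=" + MASK : c;
        }).collect(Collectors.joining("; "));
    }

    private static boolean isSensitive(Set<String> names, String name) {
        return names.contains(name.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed input mirroring the report: form login with j_username=guest, j_password=guest.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("j_username", new String[] {"guest"});
        params.put("j_password", new String[] {"guest"});
        AuditRedactor r = new AuditRedactor();
        System.out.println(r.formatParameters(params));
        System.out.println(r.redactCookieHeader("DNT=1; JSESSIONID=constructed-session-id.localhost"));
    }
}
```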
[JBoss JIRA] (WFCORE-5128) Add org.wildfly.security:wildfly-elytron-http-external dependency
by Farah Juma (Jira)
Farah Juma created WFCORE-5128:
----------------------------------
Summary: Add org.wildfly.security:wildfly-elytron-http-external dependency
Key: WFCORE-5128
URL: https://issues.redhat.com/browse/WFCORE-5128
Project: WildFly Core
Issue Type: Task
Components: Security
Reporter: Farah Juma
Assignee: Farah Juma
The {{org.wildfly.security:wildfly-elytron-http-external}} dependency is required for the Elytron component upgrade containing the HTTP EXTERNAL mechanism. Without this addition, the following error will occur when building Core:
{code}
[WARNING] Rule 0: org.apache.maven.plugins.enforcer.BanTransitiveDependencies failed with message:
org.wildfly.core:wildfly-core-feature-pack-common:pom:13.0.0.Beta6-SNAPSHOT
org.wildfly.security:wildfly-elytron-http-deprecated:jar:1.13.0.Final:compile has transitive dependencies:
org.wildfly.security:wildfly-elytron-http-external:jar:1.13.0.Final:compile
{code}
[JBoss JIRA] (ELYWEB-99) HTTP External Security Not Supported by Elytron
by Farah Juma (Jira)
[ https://issues.redhat.com/browse/ELYWEB-99?page=com.atlassian.jira.plugin... ]
Farah Juma updated ELYWEB-99:
-----------------------------
Summary: HTTP External Security Not Supported by Elytron (was: [GSS][7.2.2] HTTP External Security Not Supported by Elytron)
> HTTP External Security Not Supported by Elytron
> -----------------------------------------------
>
> Key: ELYWEB-99
> URL: https://issues.redhat.com/browse/ELYWEB-99
> Project: Elytron Web
> Issue Type: Feature Request
> Reporter: Ashley Abdel-Sayed
> Assignee: Ashley Abdel-Sayed
> Priority: Major
> Fix For: 1.8.0.Final
>
>
> For legacy security, there's an EXTERNAL HTTP authentication mechanism (io.undertow.security.impl.ExternalAuthenticationMechanism) which performs no verification and simply uses the principal that was passed from the REMOTE_USER attribute by the AJP protocol. There is a "ClientLoginModule" in legacy security used as such: https://access.redhat.com/solutions/3465231. It is a requirement to add an equivalent of this EXTERNAL mechanism available in legacy and Elytron-SASL for Elytron-HTTP in order to migrate away from legacy security.
[JBoss JIRA] (ELY-1921) HTTP External Security Not Supported by Elytron
by Farah Juma (Jira)
[ https://issues.redhat.com/browse/ELY-1921?page=com.atlassian.jira.plugin.... ]
Farah Juma updated ELY-1921:
----------------------------
Summary: HTTP External Security Not Supported by Elytron (was: [GSS][7.2.2] HTTP External Security Not Supported by Elytron)
> HTTP External Security Not Supported by Elytron
> -----------------------------------------------
>
> Key: ELY-1921
> URL: https://issues.redhat.com/browse/ELY-1921
> Project: WildFly Elytron
> Issue Type: Feature Request
> Affects Versions: 1.11.0.Final
> Reporter: Ashley Abdel-Sayed
> Assignee: Ashley Abdel-Sayed
> Priority: Major
> Fix For: 1.13.0.Final
>
>
> For legacy security, there's an EXTERNAL HTTP authentication mechanism (io.undertow.security.impl.ExternalAuthenticationMechanism) which performs no verification and simply uses the principal that was passed from the REMOTE_USER attribute by the AJP protocol. There is a "ClientLoginModule" in legacy security used as such: https://access.redhat.com/solutions/3465231. It is a requirement to add an equivalent of this EXTERNAL mechanism available in legacy and Elytron-SASL for Elytron-HTTP in order to migrate away from legacy security.
[JBoss JIRA] (ELY-1921) [GSS][7.2.2] HTTP External Security Not Supported by Elytron
by Farah Juma (Jira)
[ https://issues.redhat.com/browse/ELY-1921?page=com.atlassian.jira.plugin.... ]
Farah Juma updated ELY-1921:
----------------------------
Fix Version/s: 1.13.0.Final
> [GSS][7.2.2] HTTP External Security Not Supported by Elytron
> ------------------------------------------------------------
>
> Key: ELY-1921
> URL: https://issues.redhat.com/browse/ELY-1921
> Project: WildFly Elytron
> Issue Type: Feature Request
> Affects Versions: 1.11.0.Final
> Reporter: Ashley Abdel-Sayed
> Assignee: Ashley Abdel-Sayed
> Priority: Major
> Fix For: 1.13.0.Final
>
>
> For legacy security, there's an EXTERNAL HTTP authentication mechanism (io.undertow.security.impl.ExternalAuthenticationMechanism) which performs no verification and simply uses the principal that was passed from the REMOTE_USER attribute by the AJP protocol. There is a "ClientLoginModule" in legacy security used as such: https://access.redhat.com/solutions/3465231. It is a requirement to add an equivalent of this EXTERNAL mechanism available in legacy and Elytron-SASL for Elytron-HTTP in order to migrate away from legacy security.