Ilia Vassilev reassigned WFLY-7224:
-----------------------------------
Assignee: Ilia Vassilev (was: Darran Lofthouse)
Missing validation check for simple-regex-realm-mapper and mapped-regex-realm-mapper in Elytron subsystem
---------------------------------------------------------------------------------------------------------
Key: WFLY-7224
URL: https://issues.jboss.org/browse/WFLY-7224
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 11.0.0.Alpha1
Reporter: Ondrej Lukas
Assignee: Ilia Vassilev
The Elytron subsystem allows adding a realm mapper (e.g. simple-regex-realm-mapper) with a
pattern which does not include a capture group. When this realm mapper is used in an
add operation for a security domain through the CLI, the operation fails with an
incomprehensible log:
{code}
{
    "outcome" => "failed",
    "failure-description" => {"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined},
    "rolled-back" => true
}
{code}
Exception in server log:
{code}
ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.realm-mapper.SomeRealmMapper: org.jboss.msc.service.StartException in service org.wildfly.security.realm-mapper.SomeRealmMapper: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: ELY01065: Pattern requires a capture group
    at org.wildfly.security.auth.util.SimpleRegexRealmMapper.<init>(SimpleRegexRealmMapper.java:64)
    at org.wildfly.security.auth.util.SimpleRegexRealmMapper.<init>(SimpleRegexRealmMapper.java:49)
    at org.wildfly.extension.elytron.RealmMapperDefinitions$SimpleRegexRealmMapperAddHandler.lambda$performRuntime$0(RealmMapperDefinitions.java:157)
    at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
    ... 3 more
{code}
The same happens for mapped-regex-realm-mapper.
The point here is that we allow a wrong realm mapper (without a capture group) to be
added successfully, but we check whether it is wrong later, in the security domain. This
check should be done when the wrong realm mapper is added, to avoid the following
incomprehensible CLI log and exception in the server log.
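
An added example, not part of the original report and not WildFly or Elytron code: a sketch of the add-time check the report asks for, using only java.util.regex so that a pattern without a capture group is rejected with a readable message before any service is started. The class name, the method name, the "pattern" label and the message wording are assumptions made for illustration, and the sample patterns are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Hypothetical add-time check; the class and method names are not WildFly or Elytron API.
public final class RealmMapperPatternCheck {

    // Returns null when the pattern is usable, otherwise a message for the failure-description.
    static String validate(String attribute, String regex) {
        if (regex == null || regex.isEmpty()) {
            return attribute + ": a pattern is required";
        }
        final Pattern compiled;
        try {
            compiled = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            return attribute + ": invalid regular expression (" + e.getDescription() + ")";
        }
        // groupCount() depends only on the pattern, so matching against "" is enough.
        // Non-capturing groups, lookarounds and escaped parentheses are not counted.
        if (compiled.matcher("").groupCount() < 1) {
            return attribute + ": pattern '" + regex + "' requires a capture group";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample patterns mapped to whether the add operation should accept them.
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put(".*@(.*)", true);            // realm name captured after '@'
        samples.put(".*@(?<realm>.*)", true);    // named groups are capturing groups too
        samples.put(".*@.*", false);             // no group at all
        samples.put(".*@(?:.*)", false);         // non-capturing group only
        samples.put(".*@\\(.*\\)", false);       // literal parentheses, not a group
        samples.put(".*@(.*", false);            // does not compile
        for (Map.Entry<String, Boolean> sample : samples.entrySet()) {
            String error = validate("pattern", sample.getKey());
            if ((error == null) != sample.getValue()) {
                throw new AssertionError("unexpected result for " + sample.getKey());
            }
            System.out.println(sample.getKey() + " -> " + (error == null ? "accepted" : "rejected, " + error));
        }
    }
}
```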