Ondrej Lukas updated WFCORE-2559:
---------------------------------
Affects Version/s: 3.0.0.Beta9
caching-realm with ldap-realm cannot be added when LDAP is unreachable
----------------------------------------------------------------------
Key: WFCORE-2559
URL: https://issues.jboss.org/browse/WFCORE-2559
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 3.0.0.Beta9
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
When a caching-realm is used together with an ldap-realm and the LDAP server used by that ldap-realm is unreachable, the caching-realm cannot be added.
This issue also means that the realm service is not started correctly when the server starts. If the LDAP server is unreachable while the application server is starting, the realm will not work until the server is reloaded again while LDAP is reachable.
The following exception occurs for the CLI command:
{code}
/subsystem=elytron/caching-realm=some-cache-realm:add(realm=some-ldap-realm)
{
    "outcome" => "failed",
    "failure-description" => {
        "WFLYCTL0080: Failed services" => {"org.wildfly.security.security-realm.some-cache-realm" => "org.jboss.msc.service.StartException in service org.wildfly.security.security-realm.some-cache-realm: Failed to start service
    Caused by: java.lang.IllegalStateException: ELY01146: Ldap realm failed to register notification listener
    Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context
    Caused by: javax.naming.CommunicationException: 127.0.0.1:10389 [Root exception is java.net.ConnectException: Connection refused]
    Caused by: java.net.ConnectException: Connection refused"},
        "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.security-realm.some-cache-realm"]
    },
    "rolled-back" => true
}
{code}
The following exception occurs in the server log when the CLI command mentioned above is executed:
{code}
ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.security-realm.some-cache-realm: org.jboss.msc.service.StartException in service org.wildfly.security.security-realm.some-cache-realm: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1978)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: ELY01146: Ldap realm failed to register notification listener
    at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm.registerIdentityChangeListener(LdapSecurityRealm.java:153)
    at org.wildfly.security.auth.realm.CachingSecurityRealm.<init>(CachingSecurityRealm.java:60)
    at org.wildfly.security.auth.realm.CachingModifiableSecurityRealm.<init>(CachingModifiableSecurityRealm.java:53)
    at org.wildfly.extension.elytron.CachingRealmDefinition$RealmAddHandler.lambda$createService$0(CachingRealmDefinition.java:143)
    at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
    ... 3 more
Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context
    at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm.obtainContext(LdapSecurityRealm.java:187)
    at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm.registerIdentityChangeListener(LdapSecurityRealm.java:149)
    ... 9 more
Caused by: javax.naming.CommunicationException: 127.0.0.1:10389 [Root exception is java.net.ConnectException: Connection refused]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1613)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:116)
    at org.jboss.as.naming.InitialContext.init(InitialContext.java:101)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:91)
    at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at org.wildfly.security.auth.realm.ldap.SimpleDirContextFactoryBuilder$SimpleDirContextFactory.createDirContext(SimpleDirContextFactoryBuilder.java:442)
    at org.wildfly.security.auth.realm.ldap.SimpleDirContextFactoryBuilder$SimpleDirContextFactory.obtainDirContext(SimpleDirContextFactoryBuilder.java:356)
    at org.wildfly.extension.elytron.DirContextDefinition.lambda$null$0(DirContextDefinition.java:227)
    at org.wildfly.extension.elytron.LdapRealmDefinition$RealmAddHandler.lambda$configureDirContext$0(LdapRealmDefinition.java:462)
    at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm.obtainContext(LdapSecurityRealm.java:185)
    ... 10 more
Caused by: java.net.ConnectException: Connection refused
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:350)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
    ... 32 more
09:26:07,954 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 3) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "elytron"),
    ("caching-realm" => "some-cache-realm")
]) - failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.security.security-realm.some-cache-realm" => "org.jboss.msc.service.StartException in service org.wildfly.security.security-realm.some-cache-realm: Failed to start service
    Caused by: java.lang.IllegalStateException: ELY01146: Ldap realm failed to register notification listener
    Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01125: Ldap-backed realm failed to obtain context
    Caused by: javax.naming.CommunicationException: 127.0.0.1:10389 [Root exception is java.net.ConnectException: Connection refused]
    Caused by: java.net.ConnectException: Connection refused"},
    "WFLYCTL0412: Required services that are not installed:" => ["org.wildfly.security.security-realm.some-cache-realm"]
}
{code}
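The stack trace shows why the add operation rolls back: `CachingSecurityRealm.<init>` calls `LdapSecurityRealm.registerIdentityChangeListener`, which calls `obtainContext`, which needs a live LDAP connection, so the cache wrapper cannot even be constructed while the directory is down. The following Python model is an added illustration of that start-up ordering problem and of one mitigation pattern; it is constructed for this page and is not Elytron code or the fix shipped for this issue. All classes (`FakeDirectory`, `LdapRealm`, `EagerCachingRealm`, `DeferredCachingRealm`), the sample entry `alice`, and the `deferred_scenario` helper are hypothetical names chosen to mirror the call chain in the trace. The deferred variant constructs without touching the backend, registers the invalidation listener on the first successful contact, and refuses to cache anything until that listener exists, so an identity change made while the listener was missing can never be served from a stale cache.

```python
"""Constructed model of the start-up ordering problem in WFCORE-2559.

Not Elytron code: every class below is a hypothetical stand-in that mirrors
the call chain in the stack trace (CachingSecurityRealm.<init> ->
LdapSecurityRealm.registerIdentityChangeListener -> obtainContext -> connect).
"""
from typing import Callable, Dict, List, Optional


class RealmUnavailableException(Exception):
    """Stand-in for org.wildfly.security.auth.server.RealmUnavailableException."""


class FakeDirectory:
    """Constructed stand-in for the LDAP server at 127.0.0.1:10389."""

    def __init__(self, reachable: bool) -> None:
        self.reachable = reachable
        # Constructed sample entry; a real directory holds many more attributes.
        self.entries: Dict[str, Dict[str, str]] = {"alice": {"status": "active"}}
        self.listeners: List[Callable[[str], None]] = []

    def connect(self) -> "FakeDirectory":
        # Plays the role of the javax.naming.CommunicationException in the report.
        if not self.reachable:
            raise RealmUnavailableException(
                "ELY01125: Ldap-backed realm failed to obtain context")
        return self

    def add_listener(self, callback: Callable[[str], None]) -> None:
        self.listeners.append(callback)

    def lookup(self, name: str) -> Optional[Dict[str, str]]:
        entry = self.entries.get(name)
        return dict(entry) if entry is not None else None

    def modify(self, name: str, attrs: Dict[str, str]) -> None:
        # A directory change notifies every registered listener, as the
        # persistent-search notification listener in the trace would.
        self.entries.setdefault(name, {}).update(attrs)
        for callback in self.listeners:
            callback(name)


class LdapRealm:
    """Mirrors the part of LdapSecurityRealm the trace passes through."""

    def __init__(self, directory: FakeDirectory) -> None:
        self.directory = directory

    def obtain_context(self) -> FakeDirectory:
        return self.directory.connect()

    def register_identity_change_listener(self, callback: Callable[[str], None]) -> None:
        # Registration needs a live context, so it fails while LDAP is down.
        self.obtain_context().add_listener(callback)

    def get_identity(self, name: str) -> Optional[Dict[str, str]]:
        return self.obtain_context().lookup(name)


class EagerCachingRealm:
    """The reported behaviour: listener registration inside the constructor."""

    def __init__(self, realm: LdapRealm) -> None:
        self.realm = realm
        self.cache: Dict[str, Dict[str, str]] = {}
        # Raises RealmUnavailableException when LDAP is down, so the wrapping
        # service never starts and the management operation rolls back.
        realm.register_identity_change_listener(lambda n: self.cache.pop(n, None))


class DeferredCachingRealm:
    """Mitigation pattern (hypothetical): start without the backend, wire the
    invalidation listener on first successful contact, and never cache an
    identity before that listener exists."""

    def __init__(self, realm: LdapRealm) -> None:
        self.realm = realm
        self.cache: Dict[str, Dict[str, str]] = {}
        self.listener_registered = False

    def _invalidate(self, name: str) -> None:
        self.cache.pop(name, None)

    def _ensure_listener(self) -> None:
        if not self.listener_registered:
            self.realm.register_identity_change_listener(self._invalidate)
            self.listener_registered = True

    def get_identity(self, name: str) -> Optional[Dict[str, str]]:
        if name in self.cache:
            return self.cache[name]
        self._ensure_listener()  # raises RealmUnavailableException while LDAP is down
        identity = self.realm.get_identity(name)
        if identity is not None:
            self.cache[name] = identity  # only cached once invalidation is wired
        return identity


def eager_start_fails_when_ldap_down() -> bool:
    """True if constructing the eager wrapper fails with LDAP unreachable."""
    try:
        EagerCachingRealm(LdapRealm(FakeDirectory(reachable=False)))
    except RealmUnavailableException:
        return True
    return False


def deferred_scenario() -> Dict[str, object]:
    """LDAP down at start, recovers later, then an entry changes; no reload."""
    directory = FakeDirectory(reachable=False)
    realm = DeferredCachingRealm(LdapRealm(directory))  # "service" starts anyway
    result: Dict[str, object] = {"listener_at_start": realm.listener_registered}
    try:
        realm.get_identity("alice")
        result["lookup_while_down"] = "ok"
    except RealmUnavailableException:
        result["lookup_while_down"] = "unavailable"  # fails per request, not at start
    directory.reachable = True  # LDAP comes back without a server reload
    result["status_after_recovery"] = realm.get_identity("alice")["status"]
    result["listener_after_recovery"] = realm.listener_registered
    directory.modify("alice", {"status": "disabled"})  # listener evicts the entry
    result["status_after_change"] = realm.get_identity("alice")["status"]
    return result
```

The observable difference is that the eager wrapper fails at construction time (the WFCORE-2559 symptom), whereas the deferred wrapper exists from the start, reports `RealmUnavailableException` per request while the directory is down, and begins caching only after the listener is in place, so the later `modify` is reflected on the next lookup rather than masked by a stale cached identity.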