[
https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugi...
]
Martin Choma edited comment on WFCORE-3421 at 11/16/17 12:56 PM:
-----------------------------------------------------------------
These are attributes in elytron subsystem which use "requires" and
"default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are
recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will
be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will
match against the filter if the Provider's version is less-than the version specified
here. Setting to 'greater-than' has the opposite effect. Has no effect if a
provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the
KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
Examples where setting an attribute to it's default value does mean that it's
required attribute must also be defined:
{noformat}
[standalone@localhost:9990 /]
/subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{search-recursive=false}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute
'identity-mapping.attribute-mapping[0].filter' needs to be set or passed before
attribute 'identity-mapping.attribute-mapping[0].search-recursive' can be
correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /]
/subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{role-recursion-name=cn}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute
'identity-mapping.attribute-mapping[0].role-recursion' needs to be set or passed
before attribute 'identity-mapping.attribute-mapping[0].role-recursion-name' can
be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /]
/subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=a:add(sasl-server-factory=elytron,filters=[{provider-name=a,
version-comparison=less-than}]
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute
'filters[0].provider-version' needs to be set or passed before attribute
'filters[0].version-comparison' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS,
credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path'
needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
On the other hand if I omit these attributes in CLI (role-recursion-name,
search-recursive, version-comparison, required), so actually let default value to be
applied, then CLI command is not failing on that error
was (Author: mchoma):
These are attributes in elytron subsystem which use "requires" and
"default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are
recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will
be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will
match against the filter if the Provider's version is less-than the version specified
here. Setting to 'greater-than' has the opposite effect. Has no effect if a
provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the
KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
Examples where setting an attribute to it's default value does mean that it's
required attribute must also be defined:
{noformat}
[standalone@localhost:9990 /]
/subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{search-recursive=false}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute
'identity-mapping.attribute-mapping[0].filter' needs to be set or passed before
attribute 'identity-mapping.attribute-mapping[0].search-recursive' can be
correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /]
/subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{role-recursion-name=cn}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute
'identity-mapping.attribute-mapping[0].role-recursion' needs to be set or passed
before attribute 'identity-mapping.attribute-mapping[0].role-recursion-name' can
be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /]
/subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=a:add(sasl-server-factory=elytron,filters=[{provider-name=a,
version-comparison=less-than}]
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute
'filters[0].provider-version' needs to be set or passed before attribute
'filters[0].version-comparison' can be correctly set",
"rolled-back" => true
}
[standalone@localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS,
credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path'
needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
Incorrect usage of requires for defining the relationship between
outflow-anonymous and outflow-security-domains
----------------------------------------------------------------------------------------------------------------
Key: WFCORE-3421
URL:
https://issues.jboss.org/browse/WFCORE-3421
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 4.0.0.Alpha2
Reporter: ehsavoie Hugonnet
If outflow-anonymous is set to false then there is no need for outflow-security-domains
as the default configuration shows clearly.
So
{noformat}
/subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
{noformat}
should work like
{noformat}
/subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
{noformat}
A custom validation code is required instead of relying on the setRequires of
SimpleAttributeDefinition
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)