Automatic credential store update not triggered when enabling single-sign-on using a credential-reference --------------------------------------------------------------------------------------------------------- Key: WFLY-14420 URL: https://issues.redhat.com/browse/WFLY-14420 Project: WildFly Issue Type: Bug Components: Security, Web (Undertow) Reporter: Farah Juma Priority: Major When enabling {{single-sign-on}} with a {{credential-reference}} in the Undertow subsystem using the {{store}} and {{clear-text}} attributes, the automatic credential store update that should happen is never triggered. Looking closer, it appears that the appropriate model update takes place (e.g., the {{clear-text}} attribute is saved and removed from the model) but the actual runtime update to the credential store itself is never triggered. This issue can be reproduced using the following steps:   {code:xml} ### Pre-requisite steps /subsystem=elytron/credential-store=myCredStore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true) /subsystem=undertow/application-security-domain=other:add(security-domain=ApplicationDomain) /subsystem=elytron/key-store=myKS:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=JKS) ### Enable single-sign-on /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=myKS, key-alias=localhost, domain=localhost, credential-reference={store=myCredStore,alias=myNewAlias,clear-text=myNewPassword}) # At this point, the output of the above operation is supposed to indicate that a credential-store update took place and executing the read-aliases() operation on the credential-store is supposed to show 'myNewAlias'. However, this doesn't happen.{code}   This issue only affects credential store updates that take place when enabling {{single-sign-on}}. If the {{credential-reference.clear-text}} value is updated for an existing {{single-sign-on}} element using the {{write-attribute}} operation, the corresponding credential store update is successfully triggered.  As a quick sanity check, I tried testing credential store updates with some other resources from the clustering subsystems (e.g., I tried adding the jgroups AUTH protocol resource with {{key-credential-reference}} and {{shared-secret-reference}}) but the credential store update was successfully triggered for these when adding the resource. The main difference appears to be that {{CredentialReference.getCredentialSourceSupplier(...)}} is successfully triggered during the runtime phase in this case but it does not get triggered for the {{single-sign-on}} case. This method triggers the credential store update.