Brian Stansberry commented on WFCORE-2182:
------------------------------------------
[~stephen.fikes] This is merged now. It has 6 commits, not all of which are applicable to 7.0.x or 6.4.x. Here's a bit of a guide:

1) CustomVaultInModuleTestCase no longer needs to create a fake org.jboss.as.security module to get a VaultReader in the server
   Should not be relevant to 6.4.x as the test isn't in 6.4.x.
2) [WFCORE-2198] Add a testsuite-only feature pack to provide PicketBox for vault testing
   Not relevant to 6.4.x.
3) [WFCORE-2182] Use a single Pattern instance for the vaulted data format
4) [WFCORE-2182] Make VaultReaderException a RuntimeException; consolidate usage
5) [WFCORE-2182] Distinguish lookup misses using the vault from 'system' problems with the vault
   Needed on all branches. This is the main fix.
6) [WFCORE-2199] In the absence of a VaultReader treat expressions in the standard vaulted data format as a lookup miss
   Shouldn't be needed in 7.0.x or 6.4.x as this is a fix for an issue with WildFly Core based distributions that don't include PicketBox. EAP includes picketbox.
RuntimeVaultReader should not throw SecurityException
-----------------------------------------------------
Key: WFCORE-2182
URL: https://issues.jboss.org/browse/WFCORE-2182
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Reporter: Brian Stansberry
Assignee: Brian Stansberry
Fix For: 3.0.0.Alpha20
RuntimeVaultReader is throwing SecurityException if it catches a SecurityVaultException
from PicketBoxSecurityVault. But the causes of those SecurityVaultException are not really
security breaches, they just reflect failed searches, or, less likely, incorrect vault
setup.
Converting these into SecurityException, which is a RuntimeException, means the vault
lookup will fail the management op that triggered it in a way that overrides
rollback-on-runtime-failure=false. But at least in the case of failed searches, this is no
different than any other failed attempt to resolve an expression and should be treated as
such.
Perhaps the type of the getCause() value from the SecurityVaultException can be used to
discriminate behavior between failed searches and other issues, or perhaps the distinction
can be ignored.
Here is an example of a failed search using EAP 6:
{code}
12:46:34,830 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 27) JBAS014612: Operation ("enable") failed - address: ([
    ("subsystem" => "datasources"),
    ("data-source" => "xyzDS")
]): java.lang.SecurityException: JBAS013311: Security Exception
    at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:115)
    at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45)
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:319) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:228) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:130) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:72) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:54) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:782) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1002) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:351) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:338) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:402) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:361) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:335) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.connector.util.ModelNodeUtil.getResolvedStringIfSetOrGetDefault(ModelNodeUtil.java:33)
    at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:151)
    at org.jboss.as.connector.subsystems.datasources.DataSourceEnable.addServices(DataSourceEnable.java:183)
    at org.jboss.as.connector.subsystems.datasources.DataSourceEnable$1.execute(DataSourceEnable.java:102)
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:708) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:543) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:338) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:314) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:355) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_111]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_111]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
    at org.jboss.as.security.vault.RuntimeVaultReader.getValue(RuntimeVaultReader.java:141)
    at org.jboss.as.security.vault.RuntimeVaultReader.getValueAsString(RuntimeVaultReader.java:123)
    at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:113)
    ... 26 more
Caused by: java.lang.IllegalArgumentException: Null input buffer
    at javax.crypto.Cipher.doFinal(Cipher.java:2161) [jce.jar:1.8.0_111]
    at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
    at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293)
    ...
{code}
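As an added illustration (not WildFly Core's or PicketBox's own code), here is a small model of the split the issue asks for: a failed vault search becomes an ordinary unresolved expression, only a genuine vault fault escapes, and it escapes as an unchecked VaultReaderException rather than SecurityException, discriminated on the getCause() type as the description suggests. The VAULT::block::attribute::sharedKey expression form, the stand-in exception classes and the VaultReader interface are assumptions for the example.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical model of the exception split WFCORE-2182 asks for; not WildFly Core's own code. */
public class VaultLookupDemo {
    /** Stand-in for org.jboss.security.vault.SecurityVaultException: checked, wraps the real cause. */
    static class SecurityVaultException extends Exception {
        SecurityVaultException(Throwable cause) { super(cause); }
    }
    /** Unchecked, as VaultReaderException is after the fix: signals a genuine vault fault. */
    static class VaultReaderException extends RuntimeException {
        VaultReaderException(String msg, Throwable cause) { super(msg, cause); }
    }
    interface VaultReader {
        String retrieve(String block, String attribute) throws SecurityVaultException;
    }
    /** One shared Pattern for the vaulted data format (assumed form: VAULT::block::attribute::sharedKey). */
    private static final Pattern VAULT_PATTERN = Pattern.compile("^VAULT::([^:]+)::([^:]+)::(.+)$");

    /** Returns the secret, or null for a lookup miss so the caller handles it like any other
     *  unresolvable expression (and rollback-on-runtime-failure=false keeps its meaning).
     *  Only a genuine vault fault escapes, and as VaultReaderException, not SecurityException. */
    static String resolveVaulted(VaultReader reader, String expression) {
        Matcher m = VAULT_PATTERN.matcher(expression);
        if (!m.matches()) return null;   // not vaulted data at all
        if (reader == null) return null; // no vault configured: a miss, not an error (WFCORE-2199)
        try {
            return reader.retrieve(m.group(1), m.group(2));
        } catch (SecurityVaultException e) {
            // In the trace in this issue a missing entry surfaces as IllegalArgumentException
            // ("Null input buffer") from the cipher, so discriminate on the cause type.
            if (e.getCause() instanceof IllegalArgumentException) return null;
            throw new VaultReaderException("vault unreadable or misconfigured", e);
        }
    }

    public static void main(String[] args) {
        Map<String, String> store = Map.of("ds::password", "s3cr3t"); // constructed sample vault
        VaultReader working = (b, a) -> {
            String v = store.get(b + "::" + a);
            if (v == null) throw new SecurityVaultException(new IllegalArgumentException("Null input buffer"));
            return v;
        };
        VaultReader broken = (b, a) -> { throw new SecurityVaultException(new IOException("keystore unreadable")); };
        System.out.println("hit:  " + resolveVaulted(working, "VAULT::ds::password::1"));
        System.out.println("miss: " + resolveVaulted(working, "VAULT::ds::missing::1"));
        try { resolveVaulted(broken, "VAULT::ds::password::1"); }
        catch (VaultReaderException e) { System.out.println("fault: " + e.getCause().getCause().getMessage()); }
    }
}
```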