]
Darran Lofthouse commented on WFLY-3761:
----------------------------------------
Just updating the properties of this issue to reflect the current situation, security
integration is currently being reworked to eliminate a whole host of problems that this
realm / domain pairing brings and that effort is already underway - at this point in time
it is not in our interest to divert our efforts away from the new solution to change
something we are planning to transition away from anyway.
One additional point, please include relevant configuration and log messages in the Jira
issue itself rather than links to external repositories, there is nothing worse than
coming to a Jira issue and finding the links out of date, in addition to that when the
issue is indexed by search engines the lack of content in the issue can mean similar
problems are not discovered when appropriate search terms are used.
Security realms does not validate JAAS references to security
domains
---------------------------------------------------------------------
Key: WFLY-3761
URL:
https://issues.jboss.org/browse/WFLY-3761
Project: WildFly
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Domain Management, Security
Affects Versions: 8.1.0.Final
Environment: Development Mac
Test Linux (Debian)
Reporter: Nicky Mølholm
Labels: jaas, logging, security, trace
Fix For: Awaiting Volunteers
*Problem*
In the server configuration file (standalone.xml) it is possible to define a security
realm that points to a security domain that does not exist - and there is no error
reporting of this at all. There is no trace information of this at all, either.
*Example*
* Download a stock Wildfly 8.1.0.Final
* Replace standalone.xml with this gist:
https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw...
Run it and you will see now errors at all. Despite the fact that the _FlawedRealm_ points
to a bogus security domain called _ThisDomainDoesntExistAtAll_ . I have captured my
logoutput too. Find it here:
https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw...
*What is wrong with this behavior?*
The bootstrapping process must validate that the configuration is valid indeed. It really
doesn't - not semantically that is. Only XSD compliance / XML syntax wise. And if, for
some weird reason, that silence is "security" - then at least let us know of the
errors on loglevel = TRACE.
*Why is this issue created?*
The silent behavior makes security configuration in Wildfly an _extremely expensive
operation_ in terms of time spent by the average Java EE developer / administrator. I have
created this issue because I want wildfly to help developers/administrators become better
at spotting our errors - because, in the end, that is a tangible productivity booster.