[jboss-jira] [JBoss JIRA] (WFLY-3761) Security realms does not validate JAAS references to security domains

Nicky Mølholm (JIRA) issues at jboss.org
Fri Aug 22 04:03:59 EDT 2014 

     [ https://issues.jboss.org/browse/WFLY-3761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicky Mølholm updated WFLY-3761:
--------------------------------
    Description: 
*Problem*
In the server configuration file (standalone.xml) it is possible to define a security realm that points to a security domain that does not exist - and there is no error reporting of this at all. There is no trace information of this at all, either.

*Example*
* Download a stock Wildfly 8.1.0.Final
* Replace standalone.xml with this gist: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw/standalone.xml

Run it and you will see now errors at all. Despite the fact that the _FlawedRealm_ points to a bogus security domain called _ThisDomainDoesntExistAtAll_ . I have captured my logoutput too. Find it here: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw/server.log

*What is wrong with this behavior?*
The bootstrapping process must validate that the configuration is valid indeed. It really doesn't - not semantically that is. Only XSD compliance / XML syntax wise. And if, for some weird reason, that silence is "security" - then at least let us know of the errors on loglevel = TRACE.

*Why is this issue created?*
The silent behavior makes security configuration in Wildfly an _extremely expensive operation_ in terms of time spent by the average Java EE developer / administrator. I have created this issue because I want wildfly to help developers/administrators become better at spotting our errors - because, in the end, that is a tangible productivity booster. 

  was:
*Problem*
In the server configuration file (standalone.xml) it is possible to define a security realm that points to a security domain that does not exist - and there is no error reporting of this at all. There is no trace information of this at all, either.

*Example*
* Download a stock Wildfly 8.1.0.Final
* Replace standalone.xml with this gist: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw/standalone.xml

Run it and you will see now errors at all. Despite the fact that the _FlawedRealm_ points to a bogus security domain called _ThisDomainDoesntExistAtAll_ . I have captured my logoutput too. Find it here: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw/server.log

*What is wrong with this behavior?*
The bootstrapping process must validate that the configuration is valid indeed. It really doesn't - not semantically that is. Only XSD compliance / XML syntax wise. And if, for some weird reason, that silence is "security" - then at least let us know of the errors on loglevel = TRACE.

*Why is this issue created?*
The silent behavior makes security configuration in Wildfly an _extremely expensive operation_ in terms of time spent by the average Java EE developer / administrator. I have created this issue because I want wildfly to help developers/administrators become better at spotting our errors - because, in the end, that is in the end a tangible productivity booster. 



> Security realms does not validate JAAS references to security domains
> ---------------------------------------------------------------------
>
>                 Key: WFLY-3761
>                 URL: https://issues.jboss.org/browse/WFLY-3761
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: 8.1.0.Final
>         Environment: Development Mac
> Test Linux (Debian)
>            Reporter: Nicky Mølholm
>            Assignee: Darran Lofthouse
>              Labels: jaas, logging, security, trace
>             Fix For: 8.2.0.CR1
>
>
> *Problem*
> In the server configuration file (standalone.xml) it is possible to define a security realm that points to a security domain that does not exist - and there is no error reporting of this at all. There is no trace information of this at all, either.
> *Example*
> * Download a stock Wildfly 8.1.0.Final
> * Replace standalone.xml with this gist: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw/standalone.xml
> Run it and you will see now errors at all. Despite the fact that the _FlawedRealm_ points to a bogus security domain called _ThisDomainDoesntExistAtAll_ . I have captured my logoutput too. Find it here: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw/server.log
> *What is wrong with this behavior?*
> The bootstrapping process must validate that the configuration is valid indeed. It really doesn't - not semantically that is. Only XSD compliance / XML syntax wise. And if, for some weird reason, that silence is "security" - then at least let us know of the errors on loglevel = TRACE.
> *Why is this issue created?*
> The silent behavior makes security configuration in Wildfly an _extremely expensive operation_ in terms of time spent by the average Java EE developer / administrator. I have created this issue because I want wildfly to help developers/administrators become better at spotting our errors - because, in the end, that is a tangible productivity booster. 



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)

More information about the jboss-jira mailing list