[jboss-jira] [JBoss JIRA] (WFLY-3761) Security realms does not validate JAAS references to security domains

Darran Lofthouse (JIRA) issues at jboss.org
Fri Aug 22 06:06:00 EDT 2014 

    [ https://issues.jboss.org/browse/WFLY-3761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12994996#comment-12994996 ] 

Darran Lofthouse commented on WFLY-3761:
----------------------------------------

Just updating the properties of this issue to reflect the current situation, security integration is currently being reworked to eliminate a whole host of problems that this realm / domain pairing brings and that effort is already underway - at this point in time it is not in our interest to divert our efforts away from the new solution to change something we are planning to transition away from anyway.

One additional point, please include relevant configuration and log messages in the Jira issue itself rather than links to external repositories, there is nothing worse than coming to a Jira issue and finding the links out of date, in addition to that when the issue is indexed by search engines the lack of content in the issue can mean similar problems are not discovered when appropriate search terms are used.

> Security realms does not validate JAAS references to security domains
> ---------------------------------------------------------------------
>
>                 Key: WFLY-3761
>                 URL: https://issues.jboss.org/browse/WFLY-3761
>             Project: WildFly
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Domain Management, Security
>    Affects Versions: 8.1.0.Final
>         Environment: Development Mac
> Test Linux (Debian)
>            Reporter: Nicky Mølholm
>              Labels: jaas, logging, security, trace
>             Fix For: Awaiting Volunteers
>
>
> *Problem*
> In the server configuration file (standalone.xml) it is possible to define a security realm that points to a security domain that does not exist - and there is no error reporting of this at all. There is no trace information of this at all, either.
> *Example*
> * Download a stock Wildfly 8.1.0.Final
> * Replace standalone.xml with this gist: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw/standalone.xml
> Run it and you will see now errors at all. Despite the fact that the _FlawedRealm_ points to a bogus security domain called _ThisDomainDoesntExistAtAll_ . I have captured my logoutput too. Find it here: https://gist.githubusercontent.com/nickymoelholm/4908092afdcd519361df/raw/server.log
> *What is wrong with this behavior?*
> The bootstrapping process must validate that the configuration is valid indeed. It really doesn't - not semantically that is. Only XSD compliance / XML syntax wise. And if, for some weird reason, that silence is "security" - then at least let us know of the errors on loglevel = TRACE.
> *Why is this issue created?*
> The silent behavior makes security configuration in Wildfly an _extremely expensive operation_ in terms of time spent by the average Java EE developer / administrator. I have created this issue because I want wildfly to help developers/administrators become better at spotting our errors - because, in the end, that is a tangible productivity booster. 



--
This message was sent by Atlassian JIRA
(v6.3.1#6329)

More information about the jboss-jira mailing list