[jboss-jira] [JBoss JIRA] (WFLY-7623) Multiple CredentialStores with ONE backed credential store file can rewrite values each other.

Hynek Švábek (JIRA) issues at jboss.org
Fri Nov 18 07:34:01 EST 2016


     [ https://issues.jboss.org/browse/WFLY-7623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hynek Švábek updated WFLY-7623:
-------------------------------
    Description: 
Multiple CredentialStores with ONE backed credential store file can rewrite values each other.

*How to reproduce*
{code}
/subsystem=elytron/credential-store=credStore001:add(uri="cr-store://test/cs001.jceks?store.password=pass123;create.storage=true")
/subsystem=elytron/credential-store=credStore001/alias="alias1":add(secret-value=Elytron)
{code}

{code}
/subsystem=elytron/credential-store=credStore002:add(uri="cr-store://test/cs001.jceks?store.password=pass123")
{code}

check CS file
there is "alias1" entry

{code}
/subsystem=elytron/credential-store=credStore001/alias="alias2":add(secret-value=Elytron)
{code}
check CS file
there are "alias1" and "alias2" entries

{code}
/subsystem=elytron/credential-store=credStore002/alias="alias123":add(secret-value=Elytron)
{code}
check CS file
there are "alias1" and "alias123" entries.
*NOTE*
It is a problem, because we have one backed file. In memory we have the right values for all Credential Stores, but after a restart we can lose new entries.


In my opinion the reason for this behaviour is:
We have the CS loaded in memory, and when we add a new alias to the CS we save the whole CS from memory to the file.
We can set the CS as non-modifiable when we use the same backed file for CredentialStore, but we must find a better default behaviour.

*My suggestion for default behaviour*
When we want to add a new alias to a CredentialStore we can do this:
# refresh CS from file (and lock this file)
# add new alias to CS
# save CS to file
# unlock file

*But there is a possible problem with performance....*


  was:
Multiple CredentialStores with ONE backed credential store file can rewrite values each other.

*How to reproduce*
{code}
/subsystem=elytron/credential-store=credStore001:add(uri="cr-store://test/cs001.jceks?store.password=pass123;create.storage=true")
/subsystem=elytron/credential-store=credStore001/alias="alias1":add(secret-value=Elytron)
{code}

{code}
/subsystem=elytron/credential-store=credStore002:add(uri="cr-store://test/cs001.jceks?store.password=pass123")
{code}

check CS file
there is "alias1" entry

{code}
/subsystem=elytron/credential-store=credStore001/alias="alias2":add(secret-value=Elytron)
{code}
check CS file
there are "alias1" and "alias2" entries

{code}
/subsystem=elytron/credential-store=credStore002/alias="alias123":add(secret-value=Elytron)
{code}
check CS file
there are "alias1" and "alias123" entries.
*NOTE*
It is a problem, because we have one backed file. In memory we have the right values for all Credential Stores, but after a restart we can lose new entries.


In my opinion the reason for this behaviour is:
We have the CS loaded in memory, and when we add a new alias to the CS we save the whole CS from memory to the file.
We can set the CS as non-modifiable when we use the same backed file for CredentialStore, but we must find a better default behaviour.




> Multiple CredentialStores with ONE backed credential store file can rewrite values each other.
> ----------------------------------------------------------------------------------------------
>
>                 Key: WFLY-7623
>                 URL: https://issues.jboss.org/browse/WFLY-7623
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Hynek Švábek
>            Assignee: Peter Skopek
>
> Multiple CredentialStores with ONE backed credential store file can rewrite values each other.
> *How to reproduce*
> {code}
> /subsystem=elytron/credential-store=credStore001:add(uri="cr-store://test/cs001.jceks?store.password=pass123;create.storage=true")
> /subsystem=elytron/credential-store=credStore001/alias="alias1":add(secret-value=Elytron)
> {code}
> {code}
> /subsystem=elytron/credential-store=credStore002:add(uri="cr-store://test/cs001.jceks?store.password=pass123")
> {code}
> check CS file
> there is "alias1" entry
> {code}
> /subsystem=elytron/credential-store=credStore001/alias="alias2":add(secret-value=Elytron)
> {code}
> check CS file
> there are "alias1" and "alias2" entries
> {code}
> /subsystem=elytron/credential-store=credStore002/alias="alias123":add(secret-value=Elytron)
> {code}
> check CS file
> there are "alias1" and "alias123" entries.
> *NOTE*
> It is a problem, because we have one backed file. In memory we have the right values for all Credential Stores, but after a restart we can lose new entries.
> In my opinion the reason for this behaviour is:
> We have the CS loaded in memory, and when we add a new alias to the CS we save the whole CS from memory to the file.
> We can set the CS as non-modifiable when we use the same backed file for CredentialStore, but we must find a better default behaviour.
> *My suggestion for default behaviour*
> When we want to add a new alias to a CredentialStore we can do this:
> # refresh CS from file (and lock this file)
> # add new alias to CS
> # save CS to file
> # unlock file
> *But there is a possible problem with performance....*



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
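
The overwrite described in this report, next to the suggested lock, refresh, add, save, unlock sequence, as an added example that is not part of the original message and is not WildFly Elytron code. A JSON file stands in for the JCEKS store file, the class names `NaiveStore` and `LockedStore` are hypothetical, and the locking is POSIX-only (`fcntl.flock`).

```python
import fcntl
import json
import os
import tempfile


class NaiveStore:
    """Reported behaviour (JSON stands in for JCEKS): load once, save all on add."""
    def __init__(self, path):
        self.path, self.entries = path, {}
        if os.path.exists(path):
            with open(path) as f:
                self.entries = json.load(f)

    def add(self, alias, secret):
        self.entries[alias] = secret
        with open(self.path, "w") as f:
            json.dump(self.entries, f)  # whole in-memory copy replaces the file


class LockedStore(NaiveStore):
    """Suggested behaviour: lock and refresh, add alias, save, unlock."""
    def add(self, alias, secret):
        fd = os.open(self.path, os.O_RDWR | os.O_CREAT, 0o600)
        with os.fdopen(fd, "r+") as f:  # step 4: closing f releases the lock
            fcntl.flock(f, fcntl.LOCK_EX)  # step 1: lock the file ...
            text = f.read()
            self.entries = json.loads(text) if text else {}  # ... and refresh
            self.entries[alias] = secret  # step 2: add the new alias
            f.seek(0)
            f.truncate()
            json.dump(self.entries, f)  # step 3: save


def replay(store_cls, path):
    """Replay the report's sequence; return the aliases left in the file."""
    cs1 = store_cls(path)
    cs1.add("alias1", "Elytron")
    cs2 = store_cls(path)  # second store on the same backing file
    cs1.add("alias2", "Elytron")
    cs2.add("alias123", "Elytron")
    with open(path) as f:
        return sorted(json.load(f))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("naive :", replay(NaiveStore, os.path.join(d, "naive.json")))
        print("locked:", replay(LockedStore, os.path.join(d, "locked.json")))
```

With the naive store "alias2" is missing from the file after the last add; with the locked variant all three aliases survive, at the cost of a file read on every write.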


