[jboss-jira] [JBoss JIRA] (WFLY-8062) Some OSH's in the Elytron subsystem don't validate the server type before registering steps

James Perkins (JIRA) issues at jboss.org
Wed Feb 8 13:55:00 EST 2017


James Perkins created WFLY-8062:
-----------------------------------

             Summary: Some OSH's in the Elytron subsystem don't validate the server type before registering steps
                 Key: WFLY-8062
                 URL: https://issues.jboss.org/browse/WFLY-8062
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: James Perkins
            Assignee: James Perkins
            Priority: Blocker
             Fix For: 11.0.0.Alpha1


In the Elytron subsystem there are implementations of {{org.jboss.as.controller.OperationStepHandler}} that do not check the state of the {{OperationContext}} before registering runtime steps. This is an issue for domain servers, as the steps will be registered on the host controller even if the operation is being executed on a profile.

For example:
{code:java}
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    context.addStep(operation, (parentContext, parentOperation) -> {
        ModifiableRealmIdentity realmIdentity = getRealmIdentity(parentContext);
        List<ModelNode> modelNodes = parentOperation.asList();
        Property passwordProperty = modelNodes.get(2).asProperty();
        PathAddress currentAddress = parentContext.getCurrentAddress();
        String principalName = currentAddress.getLastElement().getValue();

        try {
            realmIdentity.setCredentials(Collections.singleton(new PasswordCredential(createPassword(parentContext, principalName, passwordProperty))));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException | RealmUnavailableException e) {
            throw ROOT_LOGGER.couldNotCreatePassword(e);
        }
        parentContext.completeStep(NOOP_RESULT_HANDLER);
    }, OperationContext.Stage.RUNTIME);
}
{code}

The handler should first check {{context.isDefaultRequiresRuntime()}}:
{code:java}
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    // Only register the runtime step where this process will actually run it; this is false on a host controller applying a profile
    if (context.isDefaultRequiresRuntime()) {
        context.addStep(operation, (parentContext, parentOperation) -> {
            ModifiableRealmIdentity realmIdentity = getRealmIdentity(parentContext);
            List<ModelNode> modelNodes = parentOperation.asList();
            Property passwordProperty = modelNodes.get(2).asProperty();
            PathAddress currentAddress = parentContext.getCurrentAddress();
            String principalName = currentAddress.getLastElement().getValue();

            try {
                realmIdentity.setCredentials(Collections.singleton(new PasswordCredential(createPassword(parentContext, principalName, passwordProperty))));
            } catch (NoSuchAlgorithmException | InvalidKeySpecException | RealmUnavailableException e) {
                throw ROOT_LOGGER.couldNotCreatePassword(e);
            }
            parentContext.completeStep(NOOP_RESULT_HANDLER);
        }, OperationContext.Stage.RUNTIME);
    }
}
{code}

All handlers in the subsystem should be reviewed to ensure they check the context state before registering runtime steps.
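As an added illustration of the defect class (this is not code from the issue or from WildFly), the following class runs a guarded and an unguarded handler against a stub {{OperationContext}} that answers {{isDefaultRequiresRuntime()}} with {{false}}, as a host controller does when the operation targets a profile, and counts how many RUNTIME steps each one registers. The stub, the class name and the helper names are assumptions for the demo; it needs wildfly-controller and jboss-dmr on the classpath.

```java
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.dmr.ModelNode;

public final class RuntimeStepGuardDemo {
    /** Builds a handler that registers runtimeWork as a RUNTIME step, with or without the guard WFLY-8062 asks for. */
    static OperationStepHandler handler(boolean guarded, OperationStepHandler runtimeWork) {
        return (context, operation) -> {
            // isDefaultRequiresRuntime() is false on a host controller applying a profile change,
            // so the guarded handler adds no runtime step there while the unguarded one always does.
            if (!guarded || context.isDefaultRequiresRuntime()) {
                context.addStep(operation, runtimeWork, OperationContext.Stage.RUNTIME);
            }
        };
    }

    /** Stub OperationContext constructed for this demo (not WildFly's real implementation):
     *  answers isDefaultRequiresRuntime() and records the Stage of every addStep() call. */
    static OperationContext stubContext(boolean requiresRuntime, List<OperationContext.Stage> recorded) {
        return (OperationContext) Proxy.newProxyInstance(OperationContext.class.getClassLoader(),
                new Class<?>[] { OperationContext.class }, (proxy, method, args) -> {
                    if (method.getName().equals("isDefaultRequiresRuntime")) return requiresRuntime;
                    if (method.getName().equals("addStep")) {
                        // every addStep overload carries the Stage as one of its arguments
                        for (Object a : args) if (a instanceof OperationContext.Stage) recorded.add((OperationContext.Stage) a);
                        return null;
                    }
                    throw new UnsupportedOperationException("stub does not implement " + method.getName());
                });
    }

    /** Number of RUNTIME steps the handler registers on a context that does not require runtime (host controller / profile). */
    static int runtimeStepsOnHostController(OperationStepHandler handler) throws OperationFailedException {
        List<OperationContext.Stage> recorded = new ArrayList<>();
        handler.execute(stubContext(false, recorded), new ModelNode());
        return recorded.size();
    }

    public static void main(String[] args) throws OperationFailedException {
        OperationStepHandler work = (ctx, op) -> { /* a real handler would update the realm identity here */ };
        System.out.println("unguarded handler registered " + runtimeStepsOnHostController(handler(false, work)) + " runtime step(s)");
        System.out.println("guarded handler registered " + runtimeStepsOnHostController(handler(true, work)) + " runtime step(s)");
    }
}
```

The same stub can be reused as a unit-test fixture when auditing the remaining handlers: any handler that registers a step on the {{false}} context still has the defect.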

--
This message was sent by Atlassian JIRA
(v7.2.3#72005)