[jboss-jira] [JBoss JIRA] (WFCORE-2182) RuntimeVaultReader should not throw SecurityException

Brian Stansberry (JIRA) issues at jboss.org
Wed Jan 11 19:53:00 EST 2017


Brian Stansberry created WFCORE-2182:
----------------------------------------

             Summary: RuntimeVaultReader should not throw SecurityException
                 Key: WFCORE-2182
                 URL: https://issues.jboss.org/browse/WFCORE-2182
             Project: WildFly Core
          Issue Type: Bug
          Components: Domain Management
            Reporter: Brian Stansberry
            Assignee: Brian Stansberry


RuntimeVaultReader is throwing SecurityException if it catches a SecurityVaultException from PicketBoxSecurityVault. But the causes of those SecurityVaultException are not really security breaches, they just reflect failed searches, or, less likely, incorrect vault setup.

Converting these into SecurityException, which is a RuntimeException, means the vault lookup will fail the management op that triggered it in a way that overrides rollback-on-runtime-failure=false. But at least in the case of failed searches, this is no different than any other failed attempt to resolve an expression and should be treated as such.

Perhaps the type of the getCause() value from the SecurityVaultException can be used to discriminate behavior between failed searches and other issues, or perhaps the distinction can be ignored.

Here is an example of a failed search using EAP 6:

{code}
12:46:34,830 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 27) JBAS014612: Operation ("enable") failed - address: ([
    ("subsystem" => "datasources"),
    ("data-source" => "xyzDS")
]): java.lang.SecurityException: JBAS013311: Security Exception
        at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:115)
        at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45)
        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionString(ExpressionResolverImpl.java:319) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.ExpressionResolverImpl.parseAndResolve(ExpressionResolverImpl.java:228) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionStringRecursively(ExpressionResolverImpl.java:130) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:72) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:54) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:782) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:1002) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:351) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:338) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:402) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:361) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:335) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.connector.util.ModelNodeUtil.getResolvedStringIfSetOrGetDefault(ModelNodeUtil.java:33)
        at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:151)
        at org.jboss.as.connector.subsystems.datasources.DataSourceEnable.addServices(DataSourceEnable.java:183)
        at org.jboss.as.connector.subsystems.datasources.DataSourceEnable$1.execute(DataSourceEnable.java:102)
        at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:708) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:543) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:338) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:314) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:355) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_111]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_111]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
        at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:297)
        at org.jboss.as.security.vault.RuntimeVaultReader.getValue(RuntimeVaultReader.java:141)
        at org.jboss.as.security.vault.RuntimeVaultReader.getValueAsString(RuntimeVaultReader.java:123)
        at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:113)
        ... 26 more
Caused by: java.lang.IllegalArgumentException: Null input buffer
        at javax.crypto.Cipher.doFinal(Cipher.java:2161) [jce.jar:1.8.0_111]
        at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
        at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:293)
        ...
{code}



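An added illustration, not part of the original message and not WildFly or PicketBox code, of the getCause() discrimination the report suggests. Every type and method here is a hypothetical stand-in, and treating an IllegalArgumentException cause as "entry not found" is an assumption drawn only from the trace above.

```java
import java.security.GeneralSecurityException;

// Added example; none of these types are WildFly or PicketBox classes.
public class VaultLookupDemo {

    /** Stand-in for the checked exception the vault throws (SecurityVaultException in the report). */
    static class VaultException extends Exception {
        VaultException(Throwable cause) { super(cause); }
    }

    /** Checked failure the caller can treat like any other unresolved expression. */
    static class ExpressionResolutionException extends Exception {
        ExpressionResolutionException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Hypothetical vault with constructed entries; a missing entry fails as in the trace. */
    static String retrieve(String block, String attr) throws VaultException {
        if ("ds".equals(block) && "password".equals(attr)) return "constructed-value";
        if ("broken".equals(block)) throw new VaultException(new GeneralSecurityException("bad keystore"));
        throw new VaultException(new IllegalArgumentException("Null input buffer"));
    }

    /** Discriminate on getCause(): a failed search becomes a checked resolution failure. */
    static String resolve(String block, String attr) throws ExpressionResolutionException {
        try {
            return retrieve(block, attr);
        } catch (VaultException e) {
            if (e.getCause() instanceof IllegalArgumentException) {
                throw new ExpressionResolutionException("vault entry not found: " + block + "::" + attr, e);
            }
            // Assumed to indicate a broken vault setup: stays unchecked and aborts the caller.
            throw new IllegalStateException("vault unusable", e);
        }
    }

    public static void main(String[] args) {
        String[][] lookups = { {"ds", "password"}, {"ds", "missing"}, {"broken", "x"} };
        for (String[] l : lookups) {
            String key = l[0] + "::" + l[1];
            try {
                // Print only the length so the resolved secret never reaches the log.
                System.out.println(key + " -> resolved (" + resolve(l[0], l[1]).length() + " chars)");
            } catch (ExpressionResolutionException e) {
                System.out.println(key + " -> ordinary resolution failure: " + e.getMessage());
            } catch (RuntimeException e) {
                System.out.println(key + " -> runtime failure: " + e.getMessage());
            }
        }
    }
}
```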