[jboss-jira] [JBoss JIRA] (WFCORE-2549) Elytron, unable to configure Kerberos authentication
Martin Choma (JIRA)
issues at jboss.org
Thu Mar 16 13:40:02 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Choma updated WFCORE-2549:
---------------------------------
Description:
*User impact:* User can't configure kerberos authentication
*Workaround:* There is no workaround
*Description:*
If I try command which worked previously I get error
{code}
[standalone at localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost at JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"])
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException",
"rolled-back" => true
}
{code}
In server.log there is this stacktrace
{code}
15:00:53,476 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("kerberos-security-factory" => "a")
]): java.lang.IllegalArgumentException
at org.jboss.dmr.ModelValue.asPropertyList(ModelValue.java:103)
at org.jboss.dmr.ModelNode.asPropertyList(ModelNode.java:503)
at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.getValueSupplier(KerberosSecurityFactoryDefinition.java:168)
at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:77)
at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:979)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:722)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1388)
at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:263)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:229)
at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:287)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:244)
at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
{code}
Adding optional {{options}} attribute makes command work again
{code}
[standalone at localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost at JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"],options={a=b})
{"outcome" => "success"}
{code}
But after reload, there is error in server log
{code}
18:30:37,430 ERROR [org.jboss.as.controller] (Controller Boot Thread)
OPVDX001: Validation error in standalone.xml -----------------------------------
|
| 365: </kerberos-security-factory>
| 366: </credential-security-factories>
| 367: <mappers>
| ^^^^ 'mappers' isn't an allowed element here
|
| Elements allowed here are:
| audit-logging policy
| authentication-client providers
| credential-security-factories sasl
| credential-stores security-domains
| dir-contexts security-properties
| http security-realms
| mappers tls
|
| 368: <constant-permission-mapper name="default-permission-mapper">
| 369: <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
| 370: <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
|
| 'mappers' is allowed in elements:
| - server > profile > {urn:wildfly:elytron:1.0}subsystem
| "
|
| The primary underlying error message was:
| > ParseError at [row,col]:[367,13]
| > Message: WFLYCTL0198: Unexpected element
| > '{urn:wildfly:elytron:1.0}mappers' encountered
|
|-------------------------------------------------------------------------------
18:30:37,430 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
at org.jboss.as.server.ServerService.boot(ServerService.java:376)
at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:337)
at java.lang.Thread.run(Thread.java:745)
18:30:37,432 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
{code}
Attribute {{options}} is marked correctly optional in model.
{code}
"options" => {
"type" => OBJECT,
"description" => "The Krb5LoginModule additional options.",
"expressions-allowed" => false,
"required" => false,
"nillable" => true,
"value-type" => STRING,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "no-services"
},
{code}
was:
*User impact:* User can't configure kerberos authentication in DR14
*Workaround:* There is no workaround
*Description:*
If I try command which worked previously I get error
{code}
[standalone at localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost at JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"])
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException",
"rolled-back" => true
}
{code}
In server.log there is this stacktrace
{code}
15:00:53,476 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("kerberos-security-factory" => "a")
]): java.lang.IllegalArgumentException
at org.jboss.dmr.ModelValue.asPropertyList(ModelValue.java:103)
at org.jboss.dmr.ModelNode.asPropertyList(ModelNode.java:503)
at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.getValueSupplier(KerberosSecurityFactoryDefinition.java:168)
at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:77)
at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:979)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:722)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1388)
at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:263)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:229)
at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:287)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:244)
at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
{code}
Adding optional {{options}} attribute makes command work again
{code}
[standalone at localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost at JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"],options={a=b})
{"outcome" => "success"}
{code}
But after reload, there is error in server log
{code}
18:30:37,430 ERROR [org.jboss.as.controller] (Controller Boot Thread)
OPVDX001: Validation error in standalone.xml -----------------------------------
|
| 365: </kerberos-security-factory>
| 366: </credential-security-factories>
| 367: <mappers>
| ^^^^ 'mappers' isn't an allowed element here
|
| Elements allowed here are:
| audit-logging policy
| authentication-client providers
| credential-security-factories sasl
| credential-stores security-domains
| dir-contexts security-properties
| http security-realms
| mappers tls
|
| 368: <constant-permission-mapper name="default-permission-mapper">
| 369: <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
| 370: <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
|
| 'mappers' is allowed in elements:
| - server > profile > {urn:wildfly:elytron:1.0}subsystem
| "
|
| The primary underlying error message was:
| > ParseError at [row,col]:[367,13]
| > Message: WFLYCTL0198: Unexpected element
| > '{urn:wildfly:elytron:1.0}mappers' encountered
|
|-------------------------------------------------------------------------------
18:30:37,430 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
at org.jboss.as.server.ServerService.boot(ServerService.java:376)
at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:337)
at java.lang.Thread.run(Thread.java:745)
18:30:37,432 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
{code}
Attribute {{options}} is marked correctly optional in model.
{code}
"options" => {
"type" => OBJECT,
"description" => "The Krb5LoginModule additional options.",
"expressions-allowed" => false,
"required" => false,
"nillable" => true,
"value-type" => STRING,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "no-services"
},
{code}
> Elytron, unable to configure Kerberos authentication
> ----------------------------------------------------
>
> Key: WFCORE-2549
> URL: https://issues.jboss.org/browse/WFCORE-2549
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> *User impact:* User can't configure kerberos authentication
> *Workaround:* There is no workaround
> *Description:*
> If I try command which worked previously I get error
> {code}
> [standalone at localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost at JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"])
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException",
> "rolled-back" => true
> }
> {code}
> In server.log there is this stacktrace
> {code}
> 15:00:53,476 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "elytron"),
> ("kerberos-security-factory" => "a")
> ]): java.lang.IllegalArgumentException
> at org.jboss.dmr.ModelValue.asPropertyList(ModelValue.java:103)
> at org.jboss.dmr.ModelNode.asPropertyList(ModelNode.java:503)
> at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.getValueSupplier(KerberosSecurityFactoryDefinition.java:168)
> at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:77)
> at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151)
> at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:979)
> at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:722)
> at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
> at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1388)
> at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
> at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:263)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:229)
> at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:287)
> at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:244)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
> at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
> at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
> at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> {code}
> Adding optional {{options}} attribute makes command work again
> {code}
> [standalone at localhost:9990 /] /subsystem=elytron/kerberos-security-factory=a:add(principal=HTTP/localhost at JBOSS.ORG, path=/somewhere, mechanism-oids=["1.2.840.113554.1.2.2","1.3.6.1.5.5.2"],options={a=b})
> {"outcome" => "success"}
> {code}
> But after reload, there is error in server log
> {code}
> 18:30:37,430 ERROR [org.jboss.as.controller] (Controller Boot Thread)
> OPVDX001: Validation error in standalone.xml -----------------------------------
> |
> | 365: </kerberos-security-factory>
> | 366: </credential-security-factories>
> | 367: <mappers>
> | ^^^^ 'mappers' isn't an allowed element here
> |
> | Elements allowed here are:
> | audit-logging policy
> | authentication-client providers
> | credential-security-factories sasl
> | credential-stores security-domains
> | dir-contexts security-properties
> | http security-realms
> | mappers tls
> |
> | 368: <constant-permission-mapper name="default-permission-mapper">
> | 369: <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
> | 370: <permission class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission" module="org.wildfly.extension.batch.jberet" target-name="*"/>
> |
> | 'mappers' is allowed in elements:
> | - server > profile > {urn:wildfly:elytron:1.0}subsystem
> | "
> |
> | The primary underlying error message was:
> | > ParseError at [row,col]:[367,13]
> | > Message: WFLYCTL0198: Unexpected element
> | > '{urn:wildfly:elytron:1.0}mappers' encountered
> |
> |-------------------------------------------------------------------------------
> 18:30:37,430 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
> at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
> at org.jboss.as.server.ServerService.boot(ServerService.java:376)
> at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:337)
> at java.lang.Thread.run(Thread.java:745)
> 18:30:37,432 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
> {code}
> Attribute {{options}} is marked correctly optional in model.
> {code}
> "options" => {
> "type" => OBJECT,
> "description" => "The Krb5LoginModule additional options.",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "value-type" => STRING,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> },
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list