[jboss-jira] [JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
Martin Choma (JIRA)
issues at jboss.org
Thu Nov 16 08:03:00 EST 2017
[ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13490801#comment-13490801 ]
Martin Choma edited comment on WFCORE-3421 at 11/16/17 8:02 AM:
----------------------------------------------------------------
These are attributes in the elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
"type" => BOOLEAN,
"description" => "Indicates if attribute LDAP search queries are recursive.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => true,
"requires" => ["filter"]
},
"role-recursion-name" => {
"type" => STRING,
"description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "cn",
"requires" => ["role-recursion"],
"min-length" => 1L,
"max-length" => 2147483647L
},
"version-comparison" => {
"type" => STRING,
"description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => "less-than",
"requires" => ["provider-version"],
"allowed" => [
"less-than",
"greater-than"
]
}
"required" => {
"type" => BOOLEAN,
"description" => "Is the file required to exist at the time the KeyStore service starts?",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => false,
"requires" => ["path"],
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "all-services"
},
{noformat}
Examples where setting an attribute to its default value does mean that its required attribute must also be defined:
{noformat}
[standalone at localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{search-recursive=false}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].filter' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].search-recursive' can be correctly set",
"rolled-back" => true
}
[standalone at localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{role-recursion-name=cn}]})
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].role-recursion' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].role-recursion-name' can be correctly set",
"rolled-back" => true
}
[standalone at localhost:9990 /] /subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=a:add(sasl-server-factory=elytron,filters=[{provider-name=a, version-comparison=less-than}]
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'filters[0].provider-version' needs to be set or passed before attribute 'filters[0].version-comparison' can be correctly set",
"rolled-back" => true
}
[standalone at localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
"rolled-back" => true
}
{noformat}
> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WFCORE-3421
> URL: https://issues.jboss.org/browse/WFCORE-3421
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 4.0.0.Alpha2
> Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
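Added example, not part of the JIRA comment or of WildFly's code: a small Python model of the check behind the WFLYCTL0380 failures shown above, run over a constructed subset of the quoted attribute descriptions. The `ignore_default_values` switch is a hypothetical relaxation, included only to contrast with the reported behaviour; the resource keys `key-store` and `filters[]` are labels chosen for this sketch.

```python
# Constructed subset of the attribute metadata quoted in the comment
# (only the fields relevant to the check); this is not WildFly code.
DESCRIPTIONS = {
    "key-store": {
        "type": {},
        "path": {},
        "required": {"default": False, "requires": ["path"]},
    },
    "filters[]": {
        "provider-name": {},
        "provider-version": {},
        "version-comparison": {"default": "less-than",
                               "requires": ["provider-version"]},
    },
}


def requires_with_default(descriptions):
    """Return (resource, attribute) pairs that declare both 'requires' and 'default'."""
    return sorted(
        (res, name)
        for res, attrs in descriptions.items()
        for name, meta in attrs.items()
        if "requires" in meta and "default" in meta
    )


def check_requires(attrs, params, ignore_default_values=False):
    """Model of the 'requires' check: each attribute passed in params needs
    the attributes it requires to be passed as well. With
    ignore_default_values=True (hypothetical), a value equal to the declared
    default is treated as if the attribute had not been passed."""
    errors = []
    for name, value in params.items():
        meta = attrs.get(name, {})
        if ignore_default_values and "default" in meta and value == meta["default"]:
            continue
        for needed in meta.get("requires", []):
            if needed not in params:
                errors.append(
                    f"Attribute '{needed}' needs to be set or passed before "
                    f"attribute '{name}' can be correctly set"
                )
    return errors


if __name__ == "__main__":
    print(requires_with_default(DESCRIPTIONS))
    # Mirrors the key-store:add(type=JKS, ..., required=false) case above.
    print(check_requires(DESCRIPTIONS["key-store"], {"type": "JKS", "required": False}))
```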