[jboss-jira] [JBoss JIRA] (WFCORE-3421) Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains

Martin Choma (JIRA) issues at jboss.org
Thu Nov 16 12:57:00 EST 2017


    [ https://issues.jboss.org/browse/WFCORE-3421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13490801#comment-13490801 ] 

Martin Choma edited comment on WFCORE-3421 at 11/16/17 12:56 PM:
-----------------------------------------------------------------

These are attributes in elytron subsystem which use "requires" and "default" at once.
{noformat}
"search-recursive" => {
    "type" => BOOLEAN,
    "description" => "Indicates if attribute LDAP search queries are recursive.",
    "expressions-allowed" => true,
    "required" => false,
    "nillable" => true,
    "default" => true,
    "requires" => ["filter"]
},

"role-recursion-name" => {
    "type" => STRING,
    "description" => "Determine LDAP attribute of role entry which will be substitute for \"{0}\" in filter-name when searching roles of role.",
    "expressions-allowed" => true,
    "required" => false,
    "nillable" => true,
    "default" => "cn",
    "requires" => ["role-recursion"],
    "min-length" => 1L,
    "max-length" => 2147483647L
},

"version-comparison" => {
    "type" => STRING,
    "description" => "When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. Setting to 'greater-than' has the opposite effect. Has no effect if a provider-version has not been specified in the filter.",
    "expressions-allowed" => true,
    "required" => false,
    "nillable" => true,
    "default" => "less-than",
    "requires" => ["provider-version"],
    "allowed" => [
        "less-than",
        "greater-than"
    ]
}

"required" => {
    "type" => BOOLEAN,
    "description" => "Is the file required to exist at the time the KeyStore service starts?",
    "attribute-group" => "file",
    "expressions-allowed" => true,
    "required" => false,
    "nillable" => true,
    "default" => false,
    "requires" => ["path"],
    "access-type" => "read-write",
    "storage" => "configuration",
    "restart-required" => "all-services"
},
{noformat}

Examples where setting an attribute to its default value does mean that its required attribute must also be defined:

{noformat}
[standalone at localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{search-recursive=false}]})
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].filter' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].search-recursive' can be correctly set",
    "rolled-back" => true
}

[standalone at localhost:9990 /] /subsystem=elytron/ldap-realm=a:add(dir-context=a,identity-mapping={rdn-identifier=a,attribute-mapping=[{role-recursion-name=cn}]})
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0380: Attribute 'identity-mapping.attribute-mapping[0].role-recursion' needs to be set or passed before attribute 'identity-mapping.attribute-mapping[0].role-recursion-name' can be correctly set",
    "rolled-back" => true
}

[standalone at localhost:9990 /] /subsystem=elytron/mechanism-provider-filtering-sasl-server-factory=a:add(sasl-server-factory=elytron,filters=[{provider-name=a, version-comparison=less-than}]
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0380: Attribute 'filters[0].provider-version' needs to be set or passed before attribute 'filters[0].version-comparison' can be correctly set",
    "rolled-back" => true
}

[standalone at localhost:9990 /] /subsystem=elytron/key-store=b:add(type=JKS, credential-reference={clear-text=a}, required=false
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0380: Attribute 'path' needs to be set or passed before attribute 'required' can be correctly set",
    "rolled-back" => true
}
{noformat}

On the other hand, if I omit these attributes in the CLI (role-recursion-name, search-recursive, version-comparison, required), so that the default value is actually applied, then the CLI command does not fail with that error.


> Incorrect usage of requires for defining the relationship between outflow-anonymous and outflow-security-domains
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-3421
>                 URL: https://issues.jboss.org/browse/WFCORE-3421
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 4.0.0.Alpha2
>            Reporter: ehsavoie Hugonnet
>
> If outflow-anonymous is set to false then there is no need for outflow-security-domains as the default configuration shows clearly.
> So 
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,outflow-anonymous=false,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> should work like 
> {noformat}
> /subsystem=elytron/security-domain=ApplicationDomain:add(default-realm=ApplicationRealm,realms=[{realm=ApplicationRealm,role-decoder=groups-to-roles}])
> {noformat}
> A custom validation code is required instead of relying on the setRequires of SimpleAttributeDefinition
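As an added illustration (not code from WildFly or from anyone in this thread), here is a small Python model of the two behaviours discussed: the current "requires" check, which fires whenever the attribute is present in the operation even at its default value, and a hypothetical default-aware check of the kind the issue asks for, which treats an explicit default as an omitted attribute. The outflow-anonymous entry (default false, depending on outflow-security-domains) is an assumption taken from the issue description; attribute paths are flattened rather than nested as in the real messages.

```python
# Constructed model of the WildFly management-model "requires" check; this is
# not WildFly code. validate_requires() mirrors the behaviour reported in the
# comment (the dependency is enforced whenever the attribute is present in the
# operation, even when set to its default), and ignore_defaults=True models the
# custom validation the issue asks for (an explicit default is treated as
# omitted). Attribute paths are flattened; the real messages show nested paths.

# Defaults and "requires" lists are copied from the comment above. The
# outflow-anonymous entry is an assumption based on the issue description
# (default false, depends on outflow-security-domains).
ATTRIBUTES = {
    "search-recursive": {"default": True, "requires": ["filter"]},
    "role-recursion-name": {"default": "cn", "requires": ["role-recursion"]},
    "version-comparison": {"default": "less-than", "requires": ["provider-version"]},
    "required": {"default": False, "requires": ["path"]},
    "outflow-anonymous": {"default": False, "requires": ["outflow-security-domains"]},
}


def validate_requires(operation, ignore_defaults=False):
    """Return a WFLYCTL0380-style failure description, or None if the operation
    satisfies every "requires" dependency of the attributes it passes."""
    for name, value in operation.items():
        definition = ATTRIBUTES.get(name)
        if definition is None:
            continue  # attribute without a "requires" constraint in this model
        if ignore_defaults and value == definition["default"]:
            continue  # explicit default is treated like an omitted attribute
        for dep in definition["requires"]:
            if dep not in operation:
                return (f"WFLYCTL0380: Attribute '{dep}' needs to be set or passed "
                        f"before attribute '{name}' can be correctly set")
    return None


def compare(operation):
    """Run both variants on one operation; returns (current, default_aware)."""
    return validate_requires(operation), validate_requires(operation, ignore_defaults=True)


if __name__ == "__main__":
    # The key-store case from the comment and the security-domain case from the
    # issue: both fail today, both pass once explicit defaults are ignored. The
    # third operation sets a non-default value and still needs its dependency.
    for op in ({"type": "JKS", "required": False},
               {"default-realm": "ApplicationRealm", "outflow-anonymous": False},
               {"outflow-anonymous": True}):
        print(op, "->", compare(op))
```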



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
