[jboss-jira] [JBoss JIRA] (WFLY-13756) User is able to specify credential-reference with only store name

Jan Stourac (Jira) issues at jboss.org
Fri Aug 7 17:28:02 EDT 2020


     [ https://issues.redhat.com/browse/WFLY-13756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Stourac updated WFLY-13756:
-------------------------------
    Steps to Reproduce: 
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store, with neither the 'alias' nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither the 'alias' nor the 'clear-text' attribute
# let's now try the 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails, which is correct
# now let's try it in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# the first command passes successfully (that is correct); the second command passes successfully too, even though it should fail

  was:
# unzip server and start it: {{./bin/standalone.sh &}}
# connect to the server's CLI: {{./bin/jboss-cli.sh -c}}
# create an empty credential store
{code}
/subsystem=elytron/credential-store=mycredstore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
{code}
# now try to create an imap server element referencing the credential store, with neither the 'alias' nor the 'clear-text' attribute specified
{code}
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mycredstore})
{code}
# same thing as before but in separate steps
{code}
/subsystem=mail/mail-session=default/server=imap:remove()
/subsystem=mail/mail-session=default/server=imap:add(outbound-socket-binding-ref=mail-smtp)
/subsystem=mail/mail-session=default/server=imap:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# all those operations have been successful even though we have specified neither the 'alias' nor the 'clear-text' attribute
# let's now try the 'key-store' resource
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference={store=mycredstore})
{code}
# this command fails, which is correct
# now let's try it in separate steps
{code}
/subsystem=elytron/key-store=exampleKS:add(relative-to=jboss.server.config.dir, path=example.keystore, type=JCEKS, credential-reference=\{store=mycredstore, alias=myNewAlias, clear-text=myNewPassword})
/subsystem=elytron/key-store=exampleKS:write-attribute(name=credential-reference,value={store=mycredstore})
{code}
# the first command passes successfully (that is correct); the second command passes successfully too, even though it should fail



> User is able to specify credential-reference with only store name
> -----------------------------------------------------------------
>
>                 Key: WFLY-13756
>                 URL: https://issues.redhat.com/browse/WFLY-13756
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 20.0.0.Final, 20.0.1.Final
>            Reporter: Jan Stourac
>            Assignee: Darran Lofthouse
>            Priority: Major
>
> It is possible to create a {{credential-reference}} to the credential store just with the name of the credential store in question, without specifying {{alias}} (or {{clear-text}} in the case of automatic addition of a new record into the credential store, see doc [16.4.2. Automatic Updates of Credential Stores|https://docs.wildfly.org/20/WildFly_Elytron_Security.html#referencing-credentials]). The actual configuration error is revealed when the server is reloaded, with the following error message in the server log:
> {code}
> 22:03:26,791 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "elytron"),
>     ("key-store" => "exampleKS")
> ]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.security.key-store.exampleKS" => "WFLYELY00004: Unable to start the service.
>     Caused by: java.io.IOException: WFLYELY00910: Password cannot be resolved for key-store '/tmp/cred/wildfly-20.0.1.Final/standalone/configuration/example.keystore'"}}
> {code}
> This misconfiguration is not possible to do in {{Wildfly 19.1.0.Final}}, as you are requested to specify the {{alias}} attribute too.
> I suspect that this change in behavior has been introduced by this new feature https://issues.redhat.com/browse/WFLY-12218 (see the doc referenced above).
> The correct behavior is to require the credential store name and:
> # 'alias'
> # or 'alias' and 'clear-text'
> # or 'clear-text' (alias will be generated automatically in this case)
> as described in the referenced documentation.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
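As an added illustration of the validation rule stated in the issue description (store name plus 'alias', 'alias' and 'clear-text', or 'clear-text' alone) and of the :add versus :write-attribute discrepancy shown in the reproduction steps, the Python below models the check a management model would need to apply on both code paths. It is example code written for this page, not WildFly's own validator; the parser handles only the flat `{key=value, ...}` CLI object syntax used in the steps, and the `type` attribute is listed because it belongs to the credential-reference model even though the report does not use it.

```python
"""Validate a WildFly-style credential-reference before it is committed.

Added example, not WildFly's own code. It encodes the rule from the issue:
a reference is either a bare clear-text password, or it names a credential
store together with an alias and/or a clear-text value. A store name on its
own is rejected, and the same check runs whether the value arrives through
:add or through :write-attribute, which is the gap the report describes.
"""

# Attribute names of the credential-reference model; 'type' is part of the
# model but is not used anywhere in the report.
VALID_KEYS = {"store", "alias", "clear-text", "type"}


def parse_cli_object(text: str) -> dict:
    """Parse the flat CLI object literal used in the steps, e.g.
    '{store=mycredstore, alias=x}'. Nested objects and quoting are not handled."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"not a CLI object literal: {text!r}")
    body = body[1:-1].strip()
    if not body:
        return {}
    out = {}
    for part in body.split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed entry: {part!r}")
        out[key.strip()] = value.strip()
    return out


def validate_credential_reference(ref: dict) -> tuple:
    """Return (ok, reason) for a parsed credential-reference."""
    unknown = set(ref) - VALID_KEYS
    if unknown:
        return False, f"unknown attribute(s): {sorted(unknown)}"
    empty = [k for k, v in ref.items() if v == ""]
    if empty:
        return False, f"empty value for {empty}"
    store = ref.get("store")
    alias = ref.get("alias")
    clear = ref.get("clear-text")
    if store is None:
        if alias is not None:
            return False, "alias given without a credential store"
        if clear is None:
            return False, "neither store nor clear-text specified"
        return True, "clear-text password, no store"
    if alias is None and clear is None:
        return False, "store name alone: alias or clear-text is required"
    if alias is None:
        return True, "store + clear-text: alias will be generated and the entry added"
    if clear is None:
        return True, "store + alias: references an existing entry"
    return True, "store + alias + clear-text: entry will be added or updated"


def check_operation(op: str, ref_text: str) -> tuple:
    """Apply the same validator to both operations; :add and :write-attribute
    must agree, otherwise the misconfiguration only surfaces at reload."""
    if op not in ("add", "write-attribute"):
        raise ValueError(f"unsupported operation {op!r}")
    return validate_credential_reference(parse_cli_object(ref_text))


if __name__ == "__main__":
    # The credential-reference values taken from the reproduction steps.
    cases = [
        ("add", "{clear-text=StorePassword}"),
        ("add", "{store=mycredstore}"),
        ("write-attribute", "{store=mycredstore}"),
        ("add", "{store=mycredstore, alias=myNewAlias, clear-text=myNewPassword}"),
    ]
    for op, ref in cases:
        ok, why = check_operation(op, ref)
        print(f"{op:16} {ref:70} -> {'OK ' if ok else 'REJECT'} ({why})")
```

Run stand-alone, the script rejects `{store=mycredstore}` on both the :add and the :write-attribute path, which is the behaviour the reporter expects, and accepts the three other forms listed in the description.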