Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10273

Elytron, mechanism-names is not checked on defined allowed values.

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 7.1.0.DR17
    • 7.1.0.DR16
    • Security
    • None

      Although mechanism-names attributes model metadata define allowed values. This is not checked and I am allowed to execute this command

      /subsystem=elytron/kerberos-security-factory=c:add(principal="HTTP/localhost", path="/not/exist", mechanism-names=[DOES_NOT_EXIST])
      
      [standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=c:add(principal="HTTP/localhost", path="/not/exist", mechanism-names=[DOES_NOT_EXIST])
      {
          "outcome" => "failed",
          "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException: GSSException: Improperly formatted Object Identifier String - null",
          "rolled-back" => true
      }
      
      elytron.model
      "mechanism-names" => {
          "type" => LIST,
          "description" => "The mechanism names the credential should be usable with. Names will be converted to OIDs and used together with OIDs from mechanism-oids attribute.",
          "expressions-allowed" => true,
          "required" => false,
          "nillable" => true,
          "default" => [
              "KRB5",
              "SPNEGO"
          ],
          "allowed" => [
              "KRB5LEGACY",
              "GENERIC",
              "KRB5",
              "KRB5V2",
              "SPNEGO"
          ],
          "value-type" => STRING,
          "access-type" => "read-write",
          "storage" => "configuration",
          "restart-required" => "resource-services"
      }
      

      From log it is apparent OID instantiation is performed. So either this happens before "allowed" check or allowed check is not working properly.

      server.log
      07:15:56,489 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
          ("subsystem" => "elytron"),
          ("kerberos-security-factory" => "c")
      ]): java.lang.IllegalArgumentException: GSSException: Improperly formatted Object Identifier String - null
      	at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.lambda$getValueSupplier$1(KerberosSecurityFactoryDefinition.java:172)
      	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
      	at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
      	at java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
      	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
      	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
      	at java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
      	at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
      	at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
      	at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
      	at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
      	at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
      	at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
      	at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.getValueSupplier(KerberosSecurityFactoryDefinition.java:174)
      	at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:77)
      	at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151)
      	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:979)
      	at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:722)
      	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
      	at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1397)
      	at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
      	at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:263)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:229)
      	at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:287)
      	at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:244)
      	at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
      	at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
      	at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
      	at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
      	at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
      Caused by: GSSException: Improperly formatted Object Identifier String - null
      	at org.ietf.jgss.Oid.<init>(Oid.java:71)
      	at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.lambda$getValueSupplier$1(KerberosSecurityFactoryDefinition.java:170)
      	... 39 more
      
      

            rhn-cservice-bbaranow Bartosz Baranowski
            mchoma@redhat.com Martin Choma
            Martin Choma Martin Choma
            Martin Choma Martin Choma
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: