Bug
Resolution: Done
Critical
7.1.0.DR16
None
Although the mechanism-names attribute's model metadata defines allowed values, this is not checked and I am allowed to execute this command:

/subsystem=elytron/kerberos-security-factory=c:add(principal="HTTP/localhost", path="/not/exist", mechanism-names=[DOES_NOT_EXIST])

[standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=c:add(principal="HTTP/localhost", path="/not/exist", mechanism-names=[DOES_NOT_EXIST])
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException: GSSException: Improperly formatted Object Identifier String - null",
    "rolled-back" => true
}
elytron.model
"mechanism-names" => {
    "type" => LIST,
    "description" => "The mechanism names the credential should be usable with. Names will be converted to OIDs and used together with OIDs from mechanism-oids attribute.",
    "expressions-allowed" => true,
    "required" => false,
    "nillable" => true,
    "default" => [
        "KRB5",
        "SPNEGO"
    ],
    "allowed" => [
        "KRB5LEGACY",
        "GENERIC",
        "KRB5",
        "KRB5V2",
        "SPNEGO"
    ],
    "value-type" => STRING,
    "access-type" => "read-write",
    "storage" => "configuration",
    "restart-required" => "resource-services"
}
From the log it is apparent that OID instantiation is performed, so either this happens before the "allowed" check or the allowed check is not working properly.
server.log
07:15:56,489 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "elytron"), ("kerberos-security-factory" => "c") ]): java.lang.IllegalArgumentException: GSSException: Improperly formatted Object Identifier String - null
    at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.lambda$getValueSupplier$1(KerberosSecurityFactoryDefinition.java:172)
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    at java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
    at java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
    at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
    at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
    at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.getValueSupplier(KerberosSecurityFactoryDefinition.java:174)
    at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:77)
    at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151)
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:979)
    at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:722)
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
    at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1397)
    at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
    at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
    at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:263)
    at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:229)
    at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
    at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:287)
    at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:244)
    at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
    at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
    at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
    at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
    at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: GSSException: Improperly formatted Object Identifier String - null
    at org.ietf.jgss.Oid.<init>(Oid.java:71)
    at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.lambda$getValueSupplier$1(KerberosSecurityFactoryDefinition.java:170)
    ... 39 more
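The check that the model metadata advertises but the add handler skips, as an added illustration that is not part of the report or of the WildFly/Elytron code: a small parser for the DMR description quoted above, an allowed-values validation step, and a hypothetical add handler that runs that step before any name-to-OID conversion, so an unknown name yields a validation failure instead of a GSSException. The DMR fragment and the add handler are constructed; the three OIDs in the table are the standard GSS-API mechanism OIDs, and GENERIC and KRB5V2 are deliberately left out.

```python
import json
import re

# Constructed input: the mechanism-names entry from the read-resource-description
# output quoted in the report, in DMR syntax (description text shortened).
MODEL_DESCRIPTION = """
"mechanism-names" => {
    "type" => LIST,
    "description" => "The mechanism names the credential should be usable with.",
    "default" => ["KRB5", "SPNEGO"],
    "allowed" => ["KRB5LEGACY", "GENERIC", "KRB5", "KRB5V2", "SPNEGO"],
    "value-type" => STRING
}
"""

# Bare DMR type tokens follow '=>' and are not valid JSON on their own.
DMR_TYPES = r":\s*(LIST|STRING|OBJECT|INT|LONG|BOOLEAN|DOUBLE|BYTES|UNDEFINED)\b"

def parse_dmr(text):
    """Turn a DMR fragment into a dict: '=>' becomes ':' and bare type
    tokens are quoted so json.loads accepts the result."""
    body = text.strip().replace("=>", ":")
    body = re.sub(DMR_TYPES, r': "\1"', body)
    return json.loads("{" + body + "}")

def validate_attribute(description, attr, value):
    """The check the metadata implies but the server skipped: each element
    of the list must be one of the attribute's 'allowed' values."""
    allowed = description[attr].get("allowed")
    if allowed is None:
        return []
    return [f"{attr}: '{v}' is not one of {allowed}" for v in value if v not in allowed]

# Assumed: standard GSS-API OIDs for three of the allowed names (GENERIC, KRB5V2 omitted).
MECHANISM_OIDS = {
    "KRB5": "1.2.840.113554.1.2.2",
    "SPNEGO": "1.3.6.1.5.5.2",
    "KRB5LEGACY": "1.2.840.48018.1.2.2",
}

def add_kerberos_security_factory(mechanism_names):
    """Hypothetical add handler: validate against the model first and convert
    to OIDs only afterwards, so a bad name produces a validation failure
    instead of a GSSException raised while constructing the OID."""
    description = parse_dmr(MODEL_DESCRIPTION)
    problems = validate_attribute(description, "mechanism-names", mechanism_names)
    if problems:
        return {"outcome": "failed", "failure-description": "; ".join(problems)}
    return {"outcome": "success", "result": [MECHANISM_OIDS[n] for n in mechanism_names]}
```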
is cloned by:
- WFCORE-2657 Elytron, mechanism-names is not checked on defined allowed values. (Resolved)

is incorporated by:
- JBEAP-10387 Bulk backport Elytron wfcore changes (Closed)
- JBEAP-10119 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta16 (Closed)