JBoss Enterprise Application Platform / JBEAP-10332

[GSS](7.1.0) LDAP credential is revealed when error occurs at startup


    • Bug
    • Resolution: Done
    • Major
    • 7.1.0.DR17
    • 6.4.0.GA
    • Management
    • None

      The issue occurs intermittently on the customer's system, and I could not reproduce the issue on my setup. You need to cheat with a debugger so that you can observe the issue steadily.

      1. add the following line in JBOSS_HOME/bin/domain.conf

      HOST_CONTROLLER_JAVA_OPTS="$HOST_CONTROLLER_JAVA_OPTS -agentlib:jdwp=transport=dt_socket,address=8787,server=y,suspend=y"
      

      2. copy the attached host.xml to JBOSS_HOME/domain/configuration/

      3. start EAP

      # $JBOSS_HOME/bin/domain.sh
      

      4. attach debugger to the host controller

      #jdb -attach localhost:8787
      

      5. set a breakpoint in org.jboss.as.controller.OperationContextImpl.waitForRemovals()

      6. start the host controller

      main[1] run
      

      7. put a dummy key/value into the realRemovingControllers hashmap, continue, and quit the debugger

      Controller Boot Thread[1] print this.realRemovingControllers.put("hoge", "fuga")
      Controller Boot Thread[1] cont
      > ^D
      

      8. wait for 6 minutes, then you will see the LDAP credential "HIDDEN_SECRET" in the log messages several times

      [Host Controller] 15:48:44,177 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) JBAS014781: Step handler org.jboss.as.controller.AbstractAddStepHandler$1@63256b59 for operation {"operation" => "add","address" => [("host" => "master"),("core-service" => "management"),("ldap-connection" => "ldap-connection")],"url" => "ldaps://no_such_ldap_server.com:636","search-dn" => "dummy_dn","search-credential" => "HIDDEN_SECRET","referrals" => "IGNORE","security-realm" => undefined,"initial-context-factory" => undefined,"handles-referrals-for" => undefined} at address [
      [Host Controller]     ("host" => "master"),
      [Host Controller]     ("core-service" => "management"),
      [Host Controller]     ("ldap-connection" => "ldap-connection")
      [Host Controller] ] failed handling operation rollback -- java.util.concurrent.TimeoutException: java.util.concurrent.TimeoutException
      [Host Controller]       at org.jboss.as.controller.OperationContextImpl.waitForRemovals(OperationContextImpl.java:275) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractOperationContext$Step.handleResult(AbstractOperationContext.java:1169) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractOperationContext$Step.finalizeInternal(AbstractOperationContext.java:1122) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractOperationContext$Step.finalizeStep(AbstractOperationContext.java:1097) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractOperationContext$Step.access$300(AbstractOperationContext.java:1042) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractOperationContext.handleContainerStabilityFailure(AbstractOperationContext.java:855) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:532) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:338) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:314) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1144) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.ModelControllerImpl.boot(ModelControllerImpl.java:393) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractControllerService.boot(AbstractControllerService.java:301) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:420) [jboss-as-host-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:263) [jboss-as-controller-7.5.11.Final-redhat-1.jar:7.5.11.Final-redhat-1]
      [Host Controller]       at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
      

      When an error occurs at startup, the LDAP credential is shown in the log file. It should not appear.

              bstansbe@redhat.com Brian Stansberry
              rhn-support-hokuda Hisanobu Okuda
              Martin Simka Martin Simka
              Martin Simka Martin Simka
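
A log check for the leak described in this issue, as an added example that is not part of the original report or of JBoss EAP: it scans log lines for operation dumps that carry a quoted value under a credential-like attribute, reports where they are without copying the value, and returns redacted lines. Only `search-credential` comes from the report; the other name fragments, the `scan_and_redact` helper and the sample lines are assumptions constructed for illustration.

```python
import re

# Attribute names treated as secrets. "search-credential" is the one in the
# report above; the other name fragments are assumptions added for illustration.
SENSITIVE = re.compile(
    r'"(?P<key>[^"]*(?:credential|password|secret)[^"]*)"\s*=>\s*"(?P<val>(?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)
MASK = "<redacted>"


def scan_and_redact(lines):
    """Return (findings, redacted_lines).

    findings holds (line_number, attribute_name, value_length); the secret
    itself is never copied into the report. Attributes set to the bare token
    `undefined` are not quoted strings and are left alone.
    """
    findings, redacted = [], []
    for number, line in enumerate(lines, start=1):
        def mask(match, number=number):
            findings.append((number, match.group("key"), len(match.group("val"))))
            return f'"{match.group("key")}" => "{MASK}"'
        redacted.append(SENSITIVE.sub(mask, line))
    return findings, redacted


# Constructed sample, shortened from the log message quoted in the report.
SAMPLE_LOG = [
    '[Host Controller] 15:48:44,177 ERROR [org.jboss.as.controller.management-operation] '
    '(Controller Boot Thread) JBAS014781: Step handler ... for operation '
    '{"operation" => "add","search-dn" => "dummy_dn",'
    '"search-credential" => "HIDDEN_SECRET","referrals" => "IGNORE",'
    '"security-realm" => undefined} at address [',
    '[Host Controller]     ("ldap-connection" => "ldap-connection")',
    '[Host Controller] ] failed handling operation rollback -- '
    'java.util.concurrent.TimeoutException',
]

if __name__ == "__main__":
    hits, cleaned = scan_and_redact(SAMPLE_LOG)
    for number, key, length in hits:
        print(f"line {number}: {key} exposed ({length} characters); rotate it")
    print("\n".join(cleaned))
```

Any hit means the value has already reached the log, so the credential should be rotated and the original log files handled as containing a secret, in addition to redacting copies that are forwarded elsewhere.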