Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-24180

[GSS](7.4.z) WFCORE - Security domain cache can be created with type default when using a JAAS realm for remoting

    XMLWordPrintable

Details

    • False
    • None
    • False
    • +
    • Hide
      • Create the infinispan cache:
      /subsystem=infinispan/cache-container=security:add()
/subsystem=infinispan/cache-container=security/local-cache=auth-cache:add()
/subsystem=infinispan/cache-container=security/local-cache=auth-cache/component=expiration:add(lifespan=300000, max-idle=60000)
/subsystem=infinispan/cache-container=security/local-cache=auth-cache/memory=heap:add(size=1000)
/subsystem=infinispan/cache-container=security:write-attribute(name=default-cache, value=auth-cache)
reload
      • Create properties files for a security domain:
      cat ${JBOSS_HOME}/standalone/configuration/jbossws-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
kermit=therealfrog
cat ${JBOSS_HOME}/standalone/configuration/jbossws-roles.properties 
# A sample roles.properties file for use with the UsersRolesLoginModule
kermit=friend
      • Create the security-domain using properties files (default user in the application is kermit=therealfrog in the files and the application):
      /subsystem=security/security-domain=jaas-domain:add(cache-type=infinispan)
/subsystem=security/security-domain=jaas-domain/authentication=classic:add(login-modules=[{code=UsersRoles, flag=required, module-options={usersProperties=>"file://${jboss.server.config.dir}/jbossws-users.properties", rolesProperties=>"file://${jboss.server.config.dir}/jbossws-roles.properties", unauthenticatedIdentity=anonymous}}])
      • Create the jaas realm and assign to remote:
      /core-service=management/security-realm=jaas-realm:add()
/core-service=management/security-realm=jaas-realm/authentication=jaas:add(name=jaas-domain)
/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm, value=jaas-realm)
reload
      • Deploy the sample application sample-ejb.war.
      mvn clean package
      • In the standalone.conf add the following line to use byteman with the attached reproducer.btm.
      JAVA_OPTS="$JAVA_OPTS -javaagent:/path/to/byteman-download-4.0.19/lib/byteman.jar=script:/path/to/reproducer.btm,boot:/path/to/byteman-download-4.0.19/lib/byteman.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Dorg.jboss.byteman.verbose=true"
      • When booting up the server the infinispan cache will be delayed for 30 by a byteman rule.
      11:36:21,093 ERROR [stderr] (MSC service thread 1-3) -----> ConfigurationServiceConfigurator.accept sleeping 30s... security jaas-domain
      • During those 30s execute the ejb client in the application (it throws an error but the authentication is created with DefaultAuthenticationCacheFactory):
      java -cp ${JBOSS_HOME}/bin/client/jboss-client.jar:target/classes com.redhat.sample.client.CalculatorClient

      11:36:37,460 ERROR [stderr] (default task-1) -----> JNDIBasedSecurityManagement.createSecurityDomainContext org.jboss.as.security.plugins.DefaultAuthenticationCacheFactory@598ff108 org.picketbox:main:org.jboss.security.auth.callback.JBossCallbackHandler org.picketbox:main:org.jboss.security.authentication.JBossCachedAuthenticationManager
      • Once fully started after the 30s check the cache is not infinispan (LRUCache) executing the client again:
      java -cp ${JBOSS_HOME}/bin/client/jboss-client.jar:target/classes com.redhat.sample.client.CalculatorClient

      11:38:48,149 ERROR [stderr] (default task-1) -----> JBossCachedAuthenticationManager.isValid kermit cache=class org.jboss.as.security.lru.LRUCache
      • If you don't execute the client during the 30s sleep the cache is infinispan:
      11:40:25,557 ERROR [stderr] (default task-1) -----> JBossCachedAuthenticationManager.isValid kermit cache=class org.jboss.as.clustering.infinispan.DefaultCache
      Show
      Create the infinispan cache: /subsystem=infinispan/cache-container=security:add() /subsystem=infinispan/cache-container=security/local-cache=auth-cache:add() /subsystem=infinispan/cache-container=security/local-cache=auth-cache/component=expiration:add(lifespan=300000, max-idle=60000) /subsystem=infinispan/cache-container=security/local-cache=auth-cache/memory=heap:add(size=1000) /subsystem=infinispan/cache-container=security:write-attribute(name= default -cache, value=auth-cache) reload Create properties files for a security domain: cat ${JBOSS_HOME}/standalone/configuration/jbossws-users.properties # A sample users.properties file for use with the UsersRolesLoginModule kermit=therealfrog cat ${JBOSS_HOME}/standalone/configuration/jbossws-roles.properties # A sample roles.properties file for use with the UsersRolesLoginModule kermit=friend Create the security-domain using properties files (default user in the application is kermit=therealfrog in the files and the application): /subsystem=security/security-domain=jaas-domain:add(cache-type=infinispan) /subsystem=security/security-domain=jaas-domain/authentication=classic:add(login-modules=[{code=UsersRoles, flag=required, module-options={usersProperties=> "file: //${jboss.server.config.dir}/jbossws-users.properties" , rolesProperties=> "file://${jboss.server.config.dir}/jbossws-roles.properties" , unauthenticatedIdentity=anonymous}}]) Create the jaas realm and assign to remote: /core-service=management/security-realm=jaas-realm:add() /core-service=management/security-realm=jaas-realm/authentication=jaas:add(name=jaas-domain) /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm, value=jaas-realm) reload Deploy the sample application sample-ejb.war. mvn clean package In the standalone.conf add the following line to use byteman with the attached reproducer.btm . JAVA_OPTS= "$JAVA_OPTS -javaagent:/path/to/byteman-download-4.0.19/lib/byteman.jar=script:/path/to/reproducer.btm,boot:/path/to/byteman-download-4.0.19/lib/byteman.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Dorg.jboss.byteman.verbose= true " When booting up the server the infinispan cache will be delayed for 30 by a byteman rule. 11:36:21,093 ERROR [stderr] (MSC service thread 1-3) -----> ConfigurationServiceConfigurator.accept sleeping 30s... security jaas-domain During those 30s execute the ejb client in the application (it throws an error but the authentication is created with DefaultAuthenticationCacheFactory): java -cp ${JBOSS_HOME}/bin/client/jboss-client.jar:target/classes com.redhat.sample.client.CalculatorClient 11:36:37,460 ERROR [stderr] (default task-1) -----> JNDIBasedSecurityManagement.createSecurityDomainContext org.jboss.as.security.plugins.DefaultAuthenticationCacheFactory@598ff108 org.picketbox:main:org.jboss.security.auth.callback.JBossCallbackHandler org.picketbox:main:org.jboss.security.authentication.JBossCachedAuthenticationManager Once fully started after the 30s check the cache is not infinispan (LRUCache) executing the client again: java -cp ${JBOSS_HOME}/bin/client/jboss-client.jar:target/classes com.redhat.sample.client.CalculatorClient 11:38:48,149 ERROR [stderr] (default task-1) -----> JBossCachedAuthenticationManager.isValid kermit cache=class org.jboss.as.security.lru.LRUCache If you don't execute the client during the 30s sleep the cache is infinispan: 11:40:25,557 ERROR [stderr] (default task-1) -----> JBossCachedAuthenticationManager.isValid kermit cache=class org.jboss.as.clustering.infinispan.DefaultCache

    Description

      There is a race at server boot between the service for the security-domain and the remoting interface when configured to use a JAAS realm. The JaasService waits for the security-manager but not for the security-domain (here).

      This way the remoting can start when the security-domain is not ready yet and then, if there is a client call at this point, the authentication is created with an incorrect cache. In this scenario the security-domain is created in the JNDI lookup here with the default LRU cache. Finally when the security-domain is started by the boot process the cache is not replaced (these lines).

      The final issue is the security-domain and its authentication is using a default cache instead of a infinispan one. So if the security-domain was configured to use infinispan all those settings are lost.

      Attachments

        1. reproducer.btm
          0.9 kB
        2. sample-ejb.zip
          16 kB

        Issue Links

          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-24167 (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              rhn-support-rmartinc Ricardo Martin Camarero
              rhn-support-rmartinc Ricardo Martin Camarero
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: