Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.0.1.CR1, 7.0.1.GA
Affects Version/s: 7.0.0.ER6
Component/s: Security
Labels:
None

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1315441
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.0.z.GA
Git Pull Request:
https://github.com/jbossas/jboss-eap7/pull/510

Sprint:
EAP 7.0.1

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

If the security-domain is defined for a datasource and the password is not a valid encoded SecureIdentity password, there will be a LoginException within the login module: SecureIdentity, which should be set to current SecurityContext. But the SecurityContext is missing at the time when creating the subject for data-source deployment, same for resource-adapter deployment.

<datasource jndi-name="java:/DefaultDS2" pool-name="DefaultDS2" enabled="true" use-java-context="true">
                    <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
                    <driver>oracle</driver>
                    <security>
                         <security-domain>encryptedPassword2</security-domain>
                    </security>
                </datasource>
                <security-domain name="encryptedPassword2">
                    <authentication>
                        <login-module code="SecureIdentity" flag="required">
                            <module-option name="username" value="${user:none}"/>
                            <module-option name="password" value="${password:none}"/>
                        </login-module>
                    </authentication>
                </security-domain>

Expected:

SecurityContext is set when creating the subject for data-source or resource-adapter deployment.

This is part of the fix for issues described in the linked Bugzilla, which ensures that the SecurityContext should be set.

Another part of the fix is on the linked issue: ~~JBEAP-4733~~, once that is done, the issues described in the linked Bugzilla can be verified by starting EAP using configuration above with command line:

bin/standalone.sh -Duser=sa -Dpassword=9fdd42c2a7390d

then you can see the root exception like:

Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:966)
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824)
	at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(BlowfishCipher.java:319)
	at javax.crypto.Cipher.doFinal(Cipher.java:2165)
	at org.picketbox.datasource.security.SecureIdentityLoginModule.decode(SecureIdentityLoginModule.java:197)
	at org.picketbox.datasource.security.SecureIdentityLoginModule.commit(SecureIdentityLoginModule.java:116)
	... 31 more

printed out to the console

is blocked by

WFLY-6372 Flagging of invalid login credential for datasource is inconsistent.

Closed

is related to

JBEAP-3813 [GSS](7.0.z) Upgrade PicketBox from 4.9.6.Final to 4.9.7.Final

Verified

relates to

JBEAP-4733 (7.0.z) Flagging of invalid login credential for datasource is inconsistent - JBossSecuritySubjectFactory should check the root cause exception

Verified

Assignee:: Lin Gao

Reporter:: Lin Gao

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2016/03/15 2:12 AM

Updated:: 2020/09/14 5:31 AM

Resolved:: 2016/05/25 1:01 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates