Loading...

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 3.0.0.Beta27
Affects Version/s: None
Component/s: Security
Labels:
None

Steps to Reproduce:
Hide

/subsystem=elytron/credential-store=cstore001:add(credential-reference={clear-text=pass123}, create=true, location=cstore001.jceks)

/subsystem=elytron/credential-store=cstore001/alias=password:add(secret-value=pass123)

/subsystem=elytron/credential-store=cstore002:add(credential-reference={clear-text=pass123}, create=true, location=cstore002.jceks)

/subsystem=elytron/credential-store=cstore002/alias=password:add(secret-value=pass987)

Now we create another credential store with credential-reference to first credential store

/subsystem=elytron/credential-store=cstore003:add(credential-reference={store=cstore001, alias=password}, create=true, location=cstore003.jceks)

/subsystem=elytron/credential-store=cstore003/alias=alias001:add(secret-value=value001)

List of aliases in this credential store

/subsystem=elytron/credential-store=cstore003:read-children-resources(child-type=alias) { "outcome" => "success", "result" => {"alias001" => {}} }

Now we change credential-reference to second credential store which contains under same alias "password" different value

/subsystem=elytron/credential-store=cstore003:write-attribute(name=credential-reference.store, value=cstore002) {"outcome" => "success"}

We have still access to credential store cstore003 with wrong password

[standalone@localhost:9990 /] /subsystem=elytron/credential-store=cstore003/alias=alias002:add(secret-value=value002) {"outcome" => "success"} [standalone@localhost:9990 /] /subsystem=elytron/credential-store=cstore003:read-children-resources(child-type=alias) { "outcome" => "success", "result" => { "alias001" => {}, "alias002" => {} } }

After reload everything works right.
Show
/subsystem=elytron/credential-store=cstore001:add(credential-reference={clear-text=pass123}, create= true , location=cstore001.jceks) /subsystem=elytron/credential-store=cstore001/alias=password:add(secret-value=pass123) /subsystem=elytron/credential-store=cstore002:add(credential-reference={clear-text=pass123}, create= true , location=cstore002.jceks) /subsystem=elytron/credential-store=cstore002/alias=password:add(secret-value=pass987) Now we create another credential store with credential-reference to first credential store /subsystem=elytron/credential-store=cstore003:add(credential-reference={store=cstore001, alias=password}, create= true , location=cstore003.jceks) /subsystem=elytron/credential-store=cstore003/alias=alias001:add(secret-value=value001) List of aliases in this credential store /subsystem=elytron/credential-store=cstore003:read-children-resources(child-type=alias) { "outcome" => "success" , "result" => { "alias001" => {}} } Now we change credential-reference to second credential store which contains under same alias "password" different value /subsystem=elytron/credential-store=cstore003:write-attribute(name=credential-reference.store, value=cstore002) { "outcome" => "success" } We have still access to credential store cstore003 with wrong password [standalone@localhost:9990 /] /subsystem=elytron/credential-store=cstore003/alias=alias002:add(secret-value=value002) { "outcome" => "success" } [standalone@localhost:9990 /] /subsystem=elytron/credential-store=cstore003:read-children-resources(child-type=alias) { "outcome" => "success" , "result" => { "alias001" => {}, "alias002" => {} } } After reload everything works right.

Application server must be reloaded when is updated credential reference of credential store. There isn't any information that it needs reload.

In model is "restart-required" => "no-services" and credential-reference update operation ends with success message without any information about reload.

Unable to find source-code formatter for language: collapse. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml

"credential-reference" => {
                "type" => OBJECT,
                "description" => "Credential reference to be used to create protection parameter.",
                "expressions-allowed" => false,
                "required" => true,
                "nillable" => false,
                "access-constraints" => {"sensitive" => {"credential" => {"type" => "core"}}},
                "value-type" => {
                    "store" => {
                        "type" => STRING,
                        "description" => "The name of the credential store holding the alias to credential.",
                        "expressions-allowed" => false,
                        "required" => false,
                        "nillable" => true,
                        "capability-reference" => "org.wildfly.security.credential-store",
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "alias" => {
                        "type" => STRING,
                        "description" => "The alias which denotes stored secret or credential in the store.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "type" => {
                        "type" => STRING,
                        "description" => "The type of credential this reference is denoting.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    },
                    "clear-text" => {
                        "type" => STRING,
                        "description" => "Secret specified using clear text. Check credential store way of supplying credential/secrets to services.",
                        "expressions-allowed" => true,
                        "required" => false,
                        "nillable" => true,
                        "min-length" => 1L,
                        "max-length" => 2147483647L
                    }
                },
                "access-type" => "read-write",
                "storage" => "configuration",
                "restart-required" => "no-services"
            },

clones

JBEAP-10747 EAP server must be reloaded when is updated credential reference of credential store. There isn't any information that it needs reload.

Verified

Details

Description

Attachments

Issue Links

Activity

People

Dates