Bug
Resolution: Done
Major
None
My WFCORE-5303 fix doesn't work properly for read-attribute and read-resource when it comes to credential store expressions.
This is because RuntimeExpressionResolver looks up the ElytronExpressionResolver using an OperationContext.getCapabilityRuntimeAPI call, and that is rejected in Stage.MODEL, which is when read-attribute and read-resource are attempting the resolution. The result is the expression is not recognized as a credential store expression, and instead is treated as a system property / env var expression with a colon character delimiting a default value from the name of the property/env var. So the 'default value' part of the expression gets returned.
There is no leak of secure information here, as the expression isn't really resolved. The correct behavior would be to return the full expression string, not just the part of it that's being returned, plus a response-header noting the expression was deliberately not resolved.
A possible solution is to defer the resolution to Stage.RUNTIME, and that might be a good idea in general. But for now I think I'll improve how the ElytronExpressionResolver is made available to RuntimeExpressionResolver such that after the management op that adds the elytron resource (incl the boot op) is complete no further lookups are needed. The current capability lookup will be left as a fallback option for use during parallel boot, where it serves as a way for subsystems executing Stage.RUNTIME concurrently with the elytron subsystem to get access to the elytron resolver.
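The misparse described above, and the intended correction, as an added illustration that is not WildFly Core code: a toy resolver in which a credential store expression is assumed to take the form `${ENC::token}` (the `ENC::` prefix is an assumption here, as is the `unresolved-expressions` response header name and the `elytron` callback standing in for the ElytronExpressionResolver). `buggy_resolve` shows what happens when every expression falls through to property resolution: `ENC::token` splits at the first colon into name `ENC` and default `:token`, so only `:token` comes back. `fixed_resolve` recognises the credential store syntax first and, when the Elytron resolver is unavailable, returns the full expression string and sets a response header instead of handing the text to the property resolver.

```python
"""Toy model of WildFly-style expression resolution (added illustration, not WildFly code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Matches a single ${...} expression; nested braces are not modelled.
EXPR = re.compile(r"\$\{([^}]*)\}")

# Assumed credential-store marker; the real syntax belongs to Elytron.
CRED_STORE_PREFIX = "ENC::"


@dataclass
class Response:
    value: str
    headers: Dict[str, str] = field(default_factory=dict)


def resolve_property(body: str, env: Dict[str, str]) -> str:
    """System property / env var lookup: "name:default" splits at the first colon."""
    name, sep, default = body.partition(":")
    if name in env:
        return env[name]
    if sep:
        return default
    raise KeyError(f"unresolvable expression: {body}")


def buggy_resolve(text: str, env: Dict[str, str]) -> Response:
    """Behaviour described in the report: in Stage.MODEL the Elytron resolver cannot
    be looked up, so every expression falls through to property resolution and
    "ENC::token" is misparsed as name "ENC" with default ":token"."""
    return Response(EXPR.sub(lambda m: resolve_property(m.group(1), env), text))


def fixed_resolve(text: str, env: Dict[str, str],
                  elytron: Optional[Callable[[str], str]]) -> Response:
    """Recognise credential-store expressions before the property fallback. If the
    Elytron resolver is unavailable, leave the expression text intact and record
    that in a response header; never hand the text to the property resolver."""
    headers: Dict[str, str] = {}

    def repl(m):
        body = m.group(1)
        if body.startswith(CRED_STORE_PREFIX):
            if elytron is None:
                headers["unresolved-expressions"] = "true"  # assumed header name
                return m.group(0)                           # the full "${ENC::...}"
            return elytron(body[len(CRED_STORE_PREFIX):])
        return resolve_property(body, env)

    return Response(EXPR.sub(repl, text), headers)


if __name__ == "__main__":
    # Constructed sample attribute value mixing a property expression with a
    # credential store expression; the token is a placeholder, not real ciphertext.
    env = {"db.host": "db.internal"}
    text = "jdbc://${db.host:localhost}/app?password=${ENC::MDdhNTE2}"
    print("buggy :", buggy_resolve(text, env).value)
    print("fixed :", fixed_resolve(text, env, None))
    print("runtime:", fixed_resolve(text, env, lambda tok: "s3cret").value)
```

With the Elytron resolver unavailable the buggy path yields `jdbc://db.internal/app?password=:MDdhNTE2`, i.e. the "default value" fragment; the fixed path yields the untouched `${ENC::MDdhNTE2}` plus the header, and once a resolver is supplied the same call resolves the token.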
blocks:
WFCORE-5696 Credential store expression resolution not usable for deployment descriptors and annotations. (Closed)
is cloned by:
JBEAP-22751 (7.4.z) WFCORE-5709 - Invalid read-attribute and read-resource output for credential store expressions with resolve-expressions=true (Closed)