Details
-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
-
Undefined
-
---
-
---
Description
When enabling single-sign-on with a credential-reference in the Undertow subsystem using the store and clear-text attributes, the automatic credential store update that should happen is never triggered. Looking closer, it appears that the appropriate model update takes place (e.g., the clear-text attribute is saved and removed from the model) but the actual runtime update to the credential store itself is never triggered. This issue can be reproduced using the following steps:
### Pre-requisite steps
/subsystem=elytron/credential-store=myCredStore:add(location=mycredstore.cs, relative-to=jboss.server.config.dir, credential-reference={clear-text=StorePassword}, create=true)
/subsystem=undertow/application-security-domain=other:add(security-domain=ApplicationDomain)
/subsystem=elytron/key-store=myKS:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference={clear-text=secret}, type=JKS)
### Enable single-sign-on
/subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=myKS, key-alias=localhost, domain=localhost, credential-reference={store=myCredStore,alias=myNewAlias,clear-text=myNewPassword})
# At this point, the output of the above operation is supposed to indicate that a credential-store update took place and executing the read-aliases() operation on the credential-store is supposed to show 'myNewAlias'. However, this doesn't happen.
This issue only affects credential store updates that take place when enabling single-sign-on. If the credential-reference.clear-text value is updated for an existing single-sign-on element using the write-attribute operation, the corresponding credential store update is successfully triggered.
As a quick sanity check, I tried testing credential store updates with some other resources from the clustering subsystems (e.g., I tried adding the jgroups AUTH protocol resource with key-credential-reference and shared-secret-reference) but the credential store update was successfully triggered for these when adding the resource. The main difference appears to be that CredentialReference.getCredentialSourceSupplier(...) is successfully triggered during the runtime phase in this case but it does not get triggered for the single-sign-on case. This method triggers the credential store update.
