WildFly / WFLY-1575

jboss-cli.sh allows creation of an invalid jsse element within a security-domain


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 8.0.0.Beta1
    • 8.0.0.Alpha2
    • Security
    • None
    • Linux 3.9.4-200.fc18.x86_64 #1 SMP Fri May 24 20:10:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux


      1) Build WildFly 8.0.0.Alpha2 and start it (admin-only or normal):
      ./standalone.sh

      2) Start the jboss-cli.sh session:
      ./jboss-cli.sh -c

      3) Add a new security-domain definition:
      /subsystem=security/security-domain=new:add()

      4) Add a new jsse element to the new security-domain:
      /subsystem=security/security-domain=new/jsse=classic:add()

      5) Observe command success:

      {"outcome" => "success"}

      6) Reload the server:
      :reload

      7) Observe the stacktrace upon the server's attempted reload:
      http://pastebin.test.redhat.com/148589

      8) The server is now in a state where it cannot start.


      The jboss-cli.sh allows me to add a security-domain definition which is not valid. Apparently you must have a keystore-password or truststore-password, but this restriction is not enforced in the cli.

      I do not have too deep an understanding of how the cli decides that a given attribute is required, but I have seen cases where the cli will warn me if I try to do something without all required attributes. Something similar should probably be done here.

              ehugonne1@redhat.com Emmanuel Hugonnet
              thauser_jira Thomas Hauser (Inactive)
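
A pre-reload check for the condition this report describes, as an added example (not part of the original issue and not WildFly code): it scans a security subsystem XML fragment and lists every security-domain whose jsse element carries neither keystore-password nor truststore-password. The sample XML, the assumption that the CLI persists the element as an empty `<jsse/>`, and the function name `invalid_jsse_domains` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a security subsystem fragment as it might appear in
# standalone.xml after the steps in this report (layout is an assumption).
SAMPLE = """<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="new">
      <jsse/>
    </security-domain>
    <security-domain name="tls-ok">
      <jsse keystore-password="changeit" keystore-url="file:///opt/keys/server.jks"/>
    </security-domain>
    <security-domain name="other" cache-type="default"/>
  </security-domains>
</subsystem>"""

# Per the report, a jsse element needs at least one of these attributes.
REQUIRED_ANY = ("keystore-password", "truststore-password")


def local(tag):
    """Strip the '{namespace}' prefix so the check works for any schema version."""
    return tag.rsplit("}", 1)[-1]


def invalid_jsse_domains(xml_text):
    """Return names of security-domains whose jsse element has none of REQUIRED_ANY."""
    root = ET.fromstring(xml_text)
    bad = []
    for domain in root.iter():
        if local(domain.tag) != "security-domain":
            continue
        for child in domain:
            if local(child.tag) != "jsse":
                continue
            if not any(attr in child.attrib for attr in REQUIRED_ANY):
                bad.append(domain.get("name"))
    return bad


if __name__ == "__main__":
    for name in invalid_jsse_domains(SAMPLE):
        print(f"security-domain {name!r}: jsse has no keystore-password "
              "or truststore-password; fix before reload")
```

Run against the real configuration file before issuing :reload, so that a domain like "new" above is caught while the server is still up and the management CLI can still remove it.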