Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7224

Missing validation check for simple-regex-realm-mapper and mapped-regex-realm-mapper in Elytron subsystem

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 11.0.0.Alpha1
    • 11.0.0.Alpha1
    • Security
    • None
    • Hide
      /subsystem=elytron/simple-regex-realm-mapper=SomeRealmMapper:add(pattern=somePattern)
      /subsystem=elytron/security-domain=SomeSecurityDomain:add(default-realm=ManagementRealm,realms=[{realm=ManagementRealm}],realm-mapper=SomeRealmMapper)
      {
          "outcome" => "failed",
          "failure-description" => {"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined},
          "rolled-back" => true
      }
      
      Show
      /subsystem=elytron/simple-regex-realm-mapper=SomeRealmMapper:add(pattern=somePattern) /subsystem=elytron/security-domain=SomeSecurityDomain:add( default -realm=ManagementRealm,realms=[{realm=ManagementRealm}],realm-mapper=SomeRealmMapper) { "outcome" => "failed" , "failure-description" => { "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined}, "rolled-back" => true }

      Elytron subsystem allows to add realm mapper (e.g. simple-regex-realm-mapper) with pattern which does not include a capture group. In case when this realm mapper is used in add operation for security domain through CLI then operation fails with incomprehensible log:

      {
          "outcome" => "failed",
          "failure-description" => {"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined},
          "rolled-back" => true
      }
      

      Exception in server log:

      ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.realm-mapper.SomeRealmMapper: org.jboss.msc.service.StartException in service org.wildfly.security.realm-mapper.SomeRealmMapper: Failed to start service
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: java.lang.IllegalArgumentException: ELY01065: Pattern requires a capture group
      	at org.wildfly.security.auth.util.SimpleRegexRealmMapper.<init>(SimpleRegexRealmMapper.java:64)
      	at org.wildfly.security.auth.util.SimpleRegexRealmMapper.<init>(SimpleRegexRealmMapper.java:49)
      	at org.wildfly.extension.elytron.RealmMapperDefinitions$SimpleRegexRealmMapperAddHandler.lambda$performRuntime$0(RealmMapperDefinitions.java:157)
      	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
      	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
      	... 3 more
      

      The same happens for mapped-regex-realm-mapper.

      Point here is that we allow to successfully add wrong realm mapper (without capture group) but we check whether it is wrong later in security domain. This check should be done during adding wrong realm mapper to avoid following incomprehensible CLI log and exception in server log.

              rhn-support-ivassile Ilia Vassilev
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: