WildFly / WFLY-8406

Referencing credential store from mail subsystem without alias results in returned password "undefined"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 11.0.0.Alpha1
    • Component/s: Mail
    • Labels:
      None
    • Steps to Reproduce:
      1. Start EAP
      2. Deploy the attached deployment
      3. Create the credential store => /subsystem=elytron/credential-store=mail-credential-store:add(uri="cr-store://test/mail-credential-store?keyStoreType=JCEKS;modifiable=true;create=true", relative-to=jboss.server.data.dir, credential-reference={clear-text=clear-text-value-passdlfkj4})
      4. Create a mail session => /subsystem=mail/mail-session=aaa:add(jndi-name="java:jboss/mail/aaa")
      5. Create a mail server pointing to the credential reference without a provided alias => /subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mail-credential-store}, username=aaa)
      6. Request password authentication on the mail session and check the password used; for this you can use the attached application and make a request, e.g. via curl => curl -i 'http://localhost:8080/mail_server_attributes/mailPassword.jsp?jndiName=java:jboss/mail/aaa&protocol=smtp'

      You should get no password => application returning FAIL, but instead you get "undefined".


      Description

      When using a credential-reference pointing only to a store without a password, it results in the password "undefined" being used.

      As providing an incorrect password is very bad from a security point of view, marking as blocker for GA.
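
An added example, not part of the original issue or of WildFly's code: a small audit that reads management CLI operations and flags any `credential-reference` that names a `store` but no `alias`, the configuration reported above. The sample holds steps 3 and 5 from this issue plus one constructed line; the alias name `smtp-password` and the verdict labels are assumptions made for the illustration.

```python
import re

# Attribute group of a credential-reference inside a management CLI operation.
CRED_REF = re.compile(r"credential-reference\s*=\s*\{([^}]*)\}")
# Resource address at the start of the operation, up to the ':' before the op name.
ADDRESS = re.compile(r"^\s*(/[^:\s]+):")

def parse_fields(body):
    """Turn 'store=x, alias=y' into {'store': 'x', 'alias': 'y'}."""
    fields = {}
    for part in body.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
    return fields

def audit(cli_lines):
    """Return (address, verdict) for every credential-reference found."""
    results = []
    for line in cli_lines:
        match = CRED_REF.search(line)
        if not match:
            continue
        fields = parse_fields(match.group(1))
        addr = ADDRESS.match(line)
        address = addr.group(1) if addr else "<unknown>"
        if fields.get("clear-text"):
            verdict = "clear-text"           # secret is given inline
        elif fields.get("store") and fields.get("alias"):
            verdict = "store+alias"          # resolvable store entry
        elif fields.get("store"):
            verdict = "store-without-alias"  # the case reported in this issue
        else:
            verdict = "empty"
        results.append((address, verdict))
    return results

# Steps 3 and 5 from this issue, then one constructed line that names an alias
# ("smtp-password" is a made-up alias, not taken from the issue).
SAMPLE = [
    '/subsystem=elytron/credential-store=mail-credential-store:add(uri="cr-store://test/mail-credential-store?keyStoreType=JCEKS;modifiable=true;create=true", relative-to=jboss.server.data.dir, credential-reference={clear-text=clear-text-value-passdlfkj4})',
    '/subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mail-credential-store}, username=aaa)',
    '/subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mail-credential-store, alias=smtp-password}, username=aaa)',
]

if __name__ == "__main__":
    for address, verdict in audit(SAMPLE):
        print(f"{verdict:20} {address}")
```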


                People

                • Assignee:
                  mstefank Martin Stefanko
                  Reporter:
                  mstefank Martin Stefanko