Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8406

Referencing credential store from mail subsystem without alias results in returned password "undefined"

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • None
    • 11.0.0.Alpha1
    • Mail
    • None
    • Hide
      1. Start EAP
      2. deploy attached deployment
      3. create credentials store => /subsystem=elytron/credential-store=mail-credential-store:add(uri="cr-store://test/mail-credential-store?keyStoreType=JCEKS;modifiable=true;create=true", relative-to=jboss.server.data.dir, credential-reference={clear-text=clear-text-value-passdlfkj4})
      4. create mail session => /subsystem=mail/mail-session=aaa:add(jndi-name="java:jboss/mail/aaa")
      5. create mail server pointing to the credential reference without provided alias => /subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mail-credential-store}, username=aaa)
      6. request password authentization on the mail session and check used password, for this you can use attached application and doing request e.g. via curl => curl -i 'http://localhost:8080/mail_server_attributes/mailPassword.jsp?jndiName=java:jboss/mail/aaa&protocol=smtp'

      You should get no password => application returning FAIL, but instead you get "undefined"

      Show
      Start EAP deploy attached deployment create credentials store => /subsystem=elytron/credential-store=mail-credential-store:add(uri="cr-store://test/mail-credential-store?keyStoreType=JCEKS;modifiable=true;create=true", relative-to=jboss.server.data.dir, credential-reference={clear-text=clear-text-value-passdlfkj4}) create mail session => /subsystem=mail/mail-session=aaa:add(jndi-name="java:jboss/mail/aaa") create mail server pointing to the credential reference without provided alias => /subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mail-credential-store}, username=aaa) request password authentization on the mail session and check used password, for this you can use attached application and doing request e.g. via curl => curl -i 'http://localhost:8080/mail_server_attributes/mailPassword.jsp?jndiName=java:jboss/mail/aaa&protocol=smtp' You should get no password => application returning FAIL, but instead you get "undefined"

    Description

      When using credential-reference pointing only to store without password, it results in using password "undefined"

      As providing password which is incorrect one is very bad from security point of view, marking as blocker for GA.

      Attachments

        Issue Links

          Activity

            People

              mstefank Martin Stefanko
              mstefank Martin Stefanko
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: