WildFly / WFLY-8406

Referencing credential store from mail subsystem without alias results in returned password "undefined"


    • Bug
    • Resolution: Done
    • Major
    • 11.0.0.Alpha1
    • None
    • Mail
    • None
    • Steps to Reproduce:
      1. Start EAP.
      2. Deploy the attached deployment.
      3. Create the credential store => /subsystem=elytron/credential-store=mail-credential-store:add(uri="cr-store://test/mail-credential-store?keyStoreType=JCEKS;modifiable=true;create=true", relative-to=jboss.server.data.dir, credential-reference={clear-text=clear-text-value-passdlfkj4})
      4. Create a mail session => /subsystem=mail/mail-session=aaa:add(jndi-name="java:jboss/mail/aaa")
      5. Create a mail server pointing to the credential reference without a provided alias => /subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mail-credential-store}, username=aaa)
      6. Request password authentication on the mail session and check the password used. For this you can use the attached application and make a request, e.g. via curl => curl -i 'http://localhost:8080/mail_server_attributes/mailPassword.jsp?jndiName=java:jboss/mail/aaa&protocol=smtp'

      You should get no password => application returning FAIL, but instead you get "undefined".

      When using a credential-reference pointing only to a store without a password, it results in using the password "undefined".

      As providing a password which is an incorrect one is very bad from a security point of view, marking as blocker for GA.

              mstefank Martin Stefanko
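
A check a reviewer could run over management CLI scripts to catch the configuration from step 5 before it reaches a server, written as an added example (not part of the issue or of WildFly's code). It assumes one operation per line; line 4 of the sample is a constructed variant whose server, socket binding and alias names are made up.

```python
import re

# credential-reference={...} as written in a management CLI operation.
CRED_REF = re.compile(r"credential-reference\s*=\s*\{([^}]*)\}")
# Resource address at the start of an operation, up to the ':' before its name.
ADDRESS = re.compile(r"^\s*(/[^:\s]+):")


def parse_cred_ref(body):
    """Turn 'store=x, alias=y' into {'store': 'x', 'alias': 'y'}."""
    fields = {}
    for part in body.split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return fields


def find_store_refs_without_alias(cli_script):
    """Return (line number, resource address, store) for every
    credential-reference that names a store but gives no alias."""
    findings = []
    for number, line in enumerate(cli_script.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # CLI comment line
        ref = CRED_REF.search(line)
        if not ref:
            continue
        fields = parse_cred_ref(ref.group(1))
        if "store" in fields and not fields.get("alias"):
            address = ADDRESS.match(line)
            findings.append(
                (number, address.group(1) if address else "?", fields["store"])
            )
    return findings


# Lines 1-3 are the commands from steps 3-5 of the report.
# Line 4 is constructed: same store, but with an alias supplied.
SAMPLE = """\
/subsystem=elytron/credential-store=mail-credential-store:add(uri="cr-store://test/mail-credential-store?keyStoreType=JCEKS;modifiable=true;create=true", relative-to=jboss.server.data.dir, credential-reference={clear-text=clear-text-value-passdlfkj4})
/subsystem=mail/mail-session=aaa:add(jndi-name="java:jboss/mail/aaa")
/subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mail-credential-store}, username=aaa)
/subsystem=mail/mail-session=aaa/server=imap:add(outbound-socket-binding-ref=mail-imap, credential-reference={store=mail-credential-store, alias=mail-password}, username=aaa)
"""

if __name__ == "__main__":
    for number, address, store in find_store_refs_without_alias(SAMPLE):
        print(f"line {number}: {address} references store '{store}' without an alias")
```

The store's own `credential-reference` in step 3 carries only `clear-text`, so it is not reported; only the mail server from step 5 is.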