Bug
Resolution: Done
Major
None
Reading or writing an encrypted filesystem-realm identity using a wrong secret key results in an (expected) failure, but without a clear message about what is wrong. For example:
[standalone@embedded /] /subsystem=elytron/filesystem-realm=enc2:read-identity(identity=id1)
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: WFLYELY01007: Could not read identity with name [id1].",
    "rolled-back" => true
}
[standalone@embedded /] /subsystem=elytron/filesystem-realm=enc2:add-identity-attribute(identity=id1,name=attr2,value=[val2])
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.RuntimeException: WFLYELY01008: Failed to obtain the authorization identity.",
    "rolled-back" => true
}
with some details in the server log:
ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 1) WFLYCTL0013: Operation ("add-identity-attribute") failed - address: ([ ("subsystem" => "elytron"), ("filesystem-realm" => "enc2") ]): java.lang.RuntimeException: WFLYELY01008: Failed to obtain the authorization identity.
    at org.wildfly.extension.elytron@19.0.0.Beta6-SNAPSHOT//org.wildfly.extension.elytron.ModifiableRealmDecorator$AddIdentityAttributeHandler.executeRuntimeStep(ModifiableRealmDecorator.java:263)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:59)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:1045)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:777)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:466)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1427)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:449)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.ModelControllerImpl.lambda$executeForResponse$0(ModelControllerImpl.java:260)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:304)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:270)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.ModelControllerImpl.executeForResponse(ModelControllerImpl.java:260)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.ModelControllerImpl.executeOperation(ModelControllerImpl.java:254)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:237)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:241)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:163)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:159)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:328)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:285)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
    at org.jboss.as.controller@19.0.0.Beta6-SNAPSHOT//org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:159)
    at org.jboss.as.protocol@19.0.0.Beta6-SNAPSHOT//org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
    at org.jboss.as.protocol@19.0.0.Beta6-SNAPSHOT//org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.base/java.lang.Thread.run(Thread.java:829)
    at org.jboss.threads@2.4.0.Final//org.jboss.threads.JBossThread.run(JBossThread.java:513)
Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01012: Filesystem-backed realm unexpectedly failed to open path "plain1/N/F/NFSDC.xml" for identity name "id1"
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.realm.FileSystemSecurityRealm$Identity.loadIdentityPrivileged(FileSystemSecurityRealm.java:972)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.realm.FileSystemSecurityRealm$Identity.loadIdentity(FileSystemSecurityRealm.java:944)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.realm.FileSystemSecurityRealm$Identity.getAuthorizationIdentity(FileSystemSecurityRealm.java:938)
    at org.wildfly.extension.elytron@19.0.0.Beta6-SNAPSHOT//org.wildfly.extension.elytron.ModifiableRealmDecorator$AddIdentityAttributeHandler.executeRuntimeStep(ModifiableRealmDecorator.java:261)
    ... 28 more
Caused by: org.wildfly.security.auth.server.RealmUnavailableException: ELY01015: Filesystem-backed realm encountered invalid file content in path "plain1/N/F/NFSDC.xml" line 4 for identity name "id1"
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.realm.FileSystemSecurityRealm$Identity.parseAttribute(FileSystemSecurityRealm.java:1267)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.realm.FileSystemSecurityRealm$Identity.parseAttributes(FileSystemSecurityRealm.java:1229)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.realm.FileSystemSecurityRealm$Identity.parseIdentityContents(FileSystemSecurityRealm.java:1023)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.realm.FileSystemSecurityRealm$Identity.parseIdentity(FileSystemSecurityRealm.java:982)
    at org.wildfly.security.elytron-base@1.18.4.CR1-SNAPSHOT//org.wildfly.security.auth.realm.FileSystemSecurityRealm$Identity.loadIdentityPrivileged(FileSystemSecurityRealm.java:965)
    ... 31 more
To improve the UX for such cases, it should be clear that it's not possible to decrypt attributes or password, probably because of a wrong key.
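A sketch of the requested behaviour, added here as an illustration and not taken from the Elytron code base: the decryption step catches the cipher failure and rethrows it with a message that names the likely cause, so it is not reported as a generic "invalid file content" error. `AttributeDecryptionException`, `DecryptFailureDemo` and the use of AES-GCM from the JDK are assumptions standing in for the realm's own exception types and encryption scheme.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;

public class DecryptFailureDemo {
    // Hypothetical exception: tells the operator that decryption failed, not XML parsing.
    static class AttributeDecryptionException extends Exception {
        AttributeDecryptionException(String identity, Throwable cause) {
            super("Could not decrypt stored data for identity [" + identity
                + "]; the realm's secret key is probably wrong", cause);
        }
    }

    // Stored form in this sketch: 12-byte IV followed by ciphertext and GCM tag.
    static byte[] encrypt(SecretKey key, String plain) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static String decrypt(SecretKey key, byte[] blob, String identity)
            throws AttributeDecryptionException {
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
            return new String(c.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // A wrong key surfaces here as AEADBadTagException; keep it as the cause.
            throw new AttributeDecryptionException(identity, e);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey right = kg.generateKey(), wrong = kg.generateKey();
        byte[] stored = encrypt(right, "val2"); // constructed sample attribute value
        System.out.println(decrypt(right, stored, "id1"));
        try {
            decrypt(wrong, stored, "id1");
        } catch (AttributeDecryptionException e) {
            System.out.println(e.getMessage() + " (" + e.getCause().getClass().getSimpleName() + ")");
        }
    }
}
```

With an unauthenticated cipher mode a wrong key does not always raise an exception at decryption time; it can yield garbage bytes that only fail later in parsing, so the check has to sit at the decryption step to produce a distinct message.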