Bug 1181457

Summary: [GSS](6.4.z) Second security vault warning is displayed even if only one vault definition is present in the server configuration
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Josef Cacek <jcacek>
Component: Security
Assignee: Ivo Studensky <istudens>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.4.0
CC: anmiller, bbaranow, bdawidow, bmaxwell, istudens, jtymel, lakagwu, pskopek, tfonteyn
Target Milestone: CR1
Keywords: Regression
Target Release: EAP 6.4.5
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1389201 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1235745, 1255390
Attachments: secured-webapp.war (no flags)

Description Josef Cacek 2015-01-13 08:37:04 UTC
Created attachment 979509: secured-webapp.war

Description of problem:

I have only one vault configured in the standalone.xml, but I see the following warning message in the server log file after a login attempt (the bindCredential login module option uses a vaulted password):
09:10:58,854 WARN  [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000378: Attempt to create the second Security Vault [org.picketbox.plugins.vault.PicketBoxSecurityVault] is invalid. Only one Security Vault is supported. Change your configuration, please.

Version-Release number of selected component (if applicable):
6.4.0.ER1

How reproducible:
always

Steps to Reproduce:
*) install EAP and set JBOSS_HOME environment variable

*) generate a vault in /tmp folder and store "secret" value as "bindCredential" attribute in block "ldap"

mkdir /tmp/vault
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -dname "CN=localhost,OU=JBoss Middleware,O=Red Hat,L=Brno,C=CZ" -keystore /tmp/vault/vault.keystore
$JBOSS_HOME/bin/vault.sh -a bindCredential -b ldap -e /tmp/vault -i 22 -k /tmp/vault/vault.keystore -p vault22 -s 87654321 -v vault -x secret

*) start test LDAP server (ApacheDS on port 10389)

git clone https://github.com/kwart/ldap-server.git
cd ldap-server
git checkout second-vault-issue-test
mvn clean package exec:java

*) start the EAP

$JBOSS_HOME/bin/standalone.sh

*) configure EAP using CLI (vault, vaulted system property, security domain with AdvancedLdap login module)

$JBOSS_HOME/bin/jboss-cli.sh -c << EOT
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/tmp/vault/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"),("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/tmp/vault/")])
/system-property=jboss.test:add(value="\${VAULT::ldap::bindCredential::1}")
/subsystem=security/security-domain=web-tests:add(cache-type=default)
/subsystem=security/security-domain=web-tests/authentication=classic:add
/subsystem=security/security-domain=web-tests/authentication=classic/login-module=org.jboss.security.negotiation.AdvancedLdapLoginModule:add(code=org.jboss.security.negotiation.AdvancedLdapLoginModule, flag=required, module-options=[("baseFilter"=>"(uid={0})"), ("bindDN"=>"uid=admin,ou=system"), ("rolesCtxDN"=>"dc=jboss,dc=org"), ("baseCtxDN"=>"dc=jboss,dc=org"), ("java.naming.security.authentication"=>"simple"), ("java.naming.provider.url"=>"ldap://127.0.0.1:10389"), ("bindCredential"=>"VAULT::ldap::bindCredential::1"), ("roleAttributeID"=>"cn"), ("roleFilter"=>"(member={1})")])
:reload
quit
EOT

*) deploy secured-webapp.war (attached) and try to log in

cp secured-webapp.war $JBOSS_HOME/standalone/deployments

go to http://localhost:8080/secured-webapp/
login dialog should appear, use jduke/theduke credentials to log in

*) check server log

Actual results:
The warning is present.

Expected results:
The warning shouldn't be there.
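The last reproduction step is "check server log", and the whole point of the bug is that the PBOX000378 warning fires even though the configuration holds a single vault. The following triage helper is an added example, not code from the bug report, from EAP or from PicketBox: it counts the `<vault>` definitions in a standalone.xml-style configuration and scans server.log-style text for the PBOX000378 message, so a practitioner can tell a spurious warning (this regression) from a real double-vault misconfiguration. The configuration excerpt, the log lines other than the warning quoted in the report, and the `urn:jboss:domain:1.7` namespace are all constructed for the example.

```python
"""Triage helper for the PBOX000378 'second Security Vault' warning (added example)."""
import re
import xml.etree.ElementTree as ET

# Message id of the warning quoted in the bug report.
VAULT_WARNING_ID = "PBOX000378"

# Constructed standalone.xml excerpt with exactly one vault block, mirroring the
# CLI setup in the report (namespace version is an assumption for the example).
SAMPLE_CONFIG = """<server xmlns="urn:jboss:domain:1.7">
  <vault>
    <vault-option name="KEYSTORE_URL" value="/tmp/vault/vault.keystore"/>
    <vault-option name="KEYSTORE_PASSWORD" value="MASK-Ci5JS1kjxPX"/>
    <vault-option name="KEYSTORE_ALIAS" value="vault"/>
    <vault-option name="SALT" value="87654321"/>
    <vault-option name="ITERATION_COUNT" value="22"/>
    <vault-option name="ENC_FILE_DIR" value="/tmp/vault/"/>
  </vault>
  <system-properties>
    <property name="jboss.test" value="${VAULT::ldap::bindCredential::1}"/>
  </system-properties>
</server>
"""

# Constructed server.log excerpt: two filler lines around the warning from the report.
SAMPLE_LOG = """09:10:55,120 INFO  [org.jboss.as] (Controller Boot Thread) constructed startup line
09:10:58,854 WARN  [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000378: Attempt to create the second Security Vault [org.picketbox.plugins.vault.PicketBoxSecurityVault] is invalid. Only one Security Vault is supported. Change your configuration, please.
09:10:58,901 INFO  [stdout] (http-/127.0.0.1:8080-1) constructed line after login
"""

# EAP 6 server.log layout: time, level, [logger], (thread), message.
LOG_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)


def count_vault_definitions(config_xml: str) -> int:
    """Count <vault> elements, ignoring whichever urn:jboss:domain:* version is in use."""
    root = ET.fromstring(config_xml)
    # Strip the '{namespace}' prefix and compare the local name only.
    return sum(1 for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "vault")


def find_vault_warnings(log_text: str) -> list:
    """Return the parsed log records whose message starts with the PBOX000378 id."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("msg").startswith(VAULT_WARNING_ID):
            hits.append(m.groupdict())
    return hits


def triage(config_xml: str, log_text: str) -> str:
    """Classify the log against the configuration.

    'no-warning'       -> PBOX000378 absent
    'spurious-warning' -> warning present with at most one vault (the regression here)
    'misconfiguration' -> warning present and more than one vault really is configured
    """
    warnings = find_vault_warnings(log_text)
    if not warnings:
        return "no-warning"
    if count_vault_definitions(config_xml) <= 1:
        return "spurious-warning"
    return "misconfiguration"


if __name__ == "__main__":
    verdict = triage(SAMPLE_CONFIG, SAMPLE_LOG)
    print("vault definitions:", count_vault_definitions(SAMPLE_CONFIG))
    for rec in find_vault_warnings(SAMPLE_LOG):
        print("warning at", rec["time"], "on thread", rec["thread"])
    print("verdict:", verdict)
```

Run it against a real `standalone.xml` and `server.log` by reading both files into strings and calling `triage`; a `spurious-warning` verdict on a server at 6.4.0.ER1 matches the regression described above, while `misconfiguration` means the warning is legitimate and the duplicate `<vault>` block should be removed.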

Comment 1 Ivo Studensky 2015-06-11 09:05:46 UTC
Filed a PR with fix:
https://github.com/jbossas/jboss-eap/pull/2440

It also needs to revert the original fix in PicketBox, see 
https://issues.jboss.org/browse/SECURITY-893

Comment 6 Jan Tymel 2015-11-03 07:22:25 UTC
Verified in EAP 6.4.5.CP.CR1

Comment 7 Ivo Studensky 2016-10-27 09:05:49 UTC
PR #2440, see comment 1, was neglected and never merged. So I've created a new bz1389201 for tracking it.

Comment 8 Petr Penicka 2017-01-17 11:43:00 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 9 Petr Penicka 2017-01-17 11:43:07 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.