Bug 1315441

Summary: [GSS] (6.4.z) Flagging of invalid login credential for datasource is inconsistent.
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Lami Akagwu <lakagwu>
Component: Security
Assignee: Lin Gao <lgao>
Status: CLOSED DEFERRED
QA Contact: Josef Cacek <jcacek>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.4.6
CC: anmiller, bbaranow, bdawidow, bmaxwell, cdewolf, darran.lofthouse, lgao, msochure, ppenicka, pskopek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-06 15:19:24 UTC
Type: Bug

Description Lami Akagwu 2016-03-07 18:18:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
Always

There are multiple parts to this

(1) If the security-domain is defined for a datasource and the password is invalid, an error is reported in the console, which is expected:
        <datasource jndi-name="java:/DefaultDS2" pool-name="DefaultDS2" enabled="true" use-java-context="true">
            <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
            <driver>oracle</driver>
            <security>
                <security-domain>encryptedPassword2</security-domain>
            </security>
        </datasource>

(2) If the 'password' for the datasource is invalid, no error is reported in the console log at startup, e.g.:
        <datasource jndi-name="java:/DefaultDS2" pool-name="DefaultDS2" enabled="true" use-java-context="true">
            <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
            <driver>oracle</driver>
            <security>
                <user-name>user</user-name>
                <password>passwd</password>
            </security>
        </datasource>

(3) Whether or not you use a security-domain for a datasource, an invalid 'username' doesn't get flagged in the console.

Actual results:

Expected results:
Invalid username and password should be flagged as login errors in the console log.
It shouldn't make a difference whether or not you use security-credentials.


Additional info:

Comment 7 JBoss JIRA Server 2016-03-16 06:41:51 UTC
Lin Gao <lgao> updated the status of jira SECURITY-938 to Coding In Progress

Comment 10 JBoss JIRA Server 2016-05-25 17:01:09 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3812 to Resolved

Comment 13 Miroslav Sochurek 2016-06-06 11:17:16 UTC
More info from Lin for the Triage call:

Some conflicts I see in merging this commit to EAP 6.4.x are:

1). Some new injected dependencies were added in EAP 7 Services (like AbstractDataSourceService, AbstractResourceAdapterDeploymentService, etc.), which are not in EAP 6 yet.
2). The missing class (PicketBoxSubjectFactory) in the IronJacamar 1.0 branch, which is used for EAP 6.x.
3). JBoss Module dependency declaration: EAP 7 uses a feature pack to compose the target archive, while EAP 6 specifies the module dependencies in a different location.

And it needs 2 parts to fix the issue by improving the ability to assist the customer in finding the root cause of the exception (NOTE: no functionality fix):

a). Fixes in the connector subsystem, which need the cherry-pick from the EAP 7 commit which has the conflicts above.
b). Fixes in PicketBox (https://issues.jboss.org/browse/SECURITY-938), which need an upgrade of PicketBox, which has still not happened yet for both EAP 7 and 6 (out of my control...)

Comment 17 JBoss JIRA Server 2016-07-29 02:48:51 UTC
Lin Gao <lgao> updated the status of jira SECURITY-938 to Resolved

Comment 18 JBoss JIRA Server 2016-08-23 11:38:43 UTC
Jiri Pallich <jpallich> updated the status of jira JBEAP-3812 to Closed