| Summary: | Values for rhq.server.tomcat.security.client-auth-mode and rhq.communications.connector.security.client-auth-mode are not validated | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Operations Network | Reporter: | Filip Brychta <fbrychta> |
| Component: | Core Server, Usability | Assignee: | Josejulio Martínez <jmartine> |
| Status: | CLOSED ERRATA | QA Contact: | Filip Brychta <fbrychta> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | JON 3.3.6 | CC: | fbrychta, jmartine, spinder |
| Target Milestone: | ER01 | Keywords: | Triaged |
| Target Release: | JON 3.3.8 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-02-16 18:45:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Filip Brychta
2016-08-22 13:03:46 UTC
It already warns when setting rhq.communications.connector.security.client-auth-mode to 'tottalyIncorrect' (and using a secure transport method).
13:46:00,778 WARN [org.rhq.enterprise.communications.ServiceContainerConfiguration] (pool-6-thread-1) {ServiceContainerConfiguration.invalid-client-auth}The [rhq.communications.connector.security.client-auth-mode] preference specified is invalid [tottalyIncorrect] - it must be one of [none, want, need]. Setting it to [need].
It also maps true/false to need/none, see: https://github.com/rhq-project/rhq/blob/release/jon3.3.x/modules/enterprise/comm/src/main/java/org/rhq/enterprise/communications/ServiceContainerConfiguration.java#L432-L452
Do you think the warn should be changed to error?
I'll do something similar with rhq.server.tomcat.security.client-auth-mode
Sorry, I missed the warning. I guess the correct approach for validation issues of security properties would be to log a warning and default to the most strict option. Otherwise a user could easily miss the warning and the server would be running in unsecured mode. For the other attribute ('rhq.server.tomcat.security.client-auth-mode') I need to research a bit more.
Currently that one is used directly by the https connector (see jbossas/standalone/configuration/standalone-full.xml):
verify-client="${rhq.server.tomcat.security.client-auth-mode:false}"
I could use the DRM API to get the value, but I'm not sure if I could set the value to a stricter one after starting the application server.
'rhq.server.tomcat.security.client-auth-mode' is passed directly to EAP.
See jbossas/standalone/configuration/standalone-full.xml line 523:
verify-client="${rhq.server.tomcat.security.client-auth-mode:false}"
It seems to be an EAP issue and I'm not sure if we should do something about it.
I guess we could WARN, but I'm not sure we could set it up to something else at that point.
Just a warning in the case of 'rhq.server.tomcat.security.client-auth-mode' should be fine.
11:30:28,269 WARN [org.rhq.enterprise.communications.ServiceContainer] (pool-6-thread-1) {ServiceContainerConfiguration.invalid-tomcat-client-auth}The [rhq.server.tomcat.security.client-auth-mode] preference specified is invalid [some_wrong_value] - it must be one of [true, false].
This warning will appear only when selecting sslservlet as transport method.
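The two behaviours agreed on in this thread (fail closed to the strictest mode for the connector property, warn only for the Tomcat property because its value is handed straight to EAP through `verify-client` in standalone-full.xml) can be shown in a small standalone validator. The following is an added example written for this page, not RHQ's own ServiceContainerConfiguration code: the class and method names are invented, and the treatment of an unset (null) value as "missing, so fall back to the strictest mode" is an assumption the thread does not state.

```java
import java.util.logging.Logger;

/**
 * Added example (not RHQ project code): validates the two client-auth-mode
 * properties discussed in the bug, following the approach the thread settles on.
 */
public final class ClientAuthModeValidator {

    private static final Logger LOG = Logger.getLogger(ClientAuthModeValidator.class.getName());

    public static final String COMM_PROP = "rhq.communications.connector.security.client-auth-mode";
    public static final String TOMCAT_PROP = "rhq.server.tomcat.security.client-auth-mode";

    /** Strictest connector mode: the client must present a trusted certificate. */
    public static final String STRICTEST = "need";

    /**
     * Normalizes the connector property. Accepts none/want/need as-is, maps the
     * legacy booleans true -> need and false -> none, and for anything else logs a
     * warning and fails closed to "need" so a typo can never silently disable
     * client authentication. Null is treated as unset (assumption: also fails closed).
     */
    public static String normalizeConnectorMode(String raw) {
        if (raw == null) {
            LOG.warning("The [" + COMM_PROP + "] preference is not set. Setting it to [" + STRICTEST + "].");
            return STRICTEST;
        }
        switch (raw) {
            case "none":
            case "want":
            case "need":
                return raw;
            case "true":
                return "need";
            case "false":
                return "none";
            default:
                LOG.warning("The [" + COMM_PROP + "] preference specified is invalid [" + raw
                        + "] - it must be one of [none, want, need]. Setting it to [" + STRICTEST + "].");
                return STRICTEST;
        }
    }

    /**
     * Checks the Tomcat property. The value reaches EAP verbatim via
     * verify-client="${rhq.server.tomcat.security.client-auth-mode:false}", so the
     * server cannot substitute a stricter value here; it can only warn. Comparison
     * is case sensitive, matching the warning text in the verification log.
     *
     * @return true when the value is exactly "true" or "false", false otherwise
     */
    public static boolean checkTomcatMode(String raw) {
        if ("true".equals(raw) || "false".equals(raw)) {
            return true;
        }
        LOG.warning("The [" + TOMCAT_PROP + "] preference specified is invalid [" + raw
                + "] - it must be one of [true, false] (case sensitive).");
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values; "incorr" and "incorrect" mirror the ones in the bug's log lines.
        for (String v : new String[] {"need", "want", "none", "true", "false", "incorr", null}) {
            System.out.println(COMM_PROP + "=" + v + " -> " + normalizeConnectorMode(v));
        }
        for (String v : new String[] {"true", "False", "incorrect"}) {
            System.out.println(TOMCAT_PROP + "=" + v + " -> "
                    + (checkTomcatMode(v) ? "valid" : "invalid, passed through to EAP unchanged"));
        }
    }
}
```

The asymmetry is the point worth keeping in mind when reading the verification logs later in this bug: the connector warning ends with "Setting it to [need]" because the server owns that value, while the Tomcat warning carries no such suffix because the unvalidated value has already been interpolated into the EAP connector configuration by the time the check runs.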
Should be fixed with this PR:
https://github.com/rhq-project/rhq/pull/284
commit 78d83fb415f9cce035419e46fc4b992c151849ab
Merge: a40b39d 3404646
Author: Michael Burman <yak>
Date: Fri Jan 13 13:43:44 2017 +0200
Merge pull request #284 from josejulio/bugs/1369085-b
WARN when setting rhq.server.tomcat.security.client-auth-mode to a va…
commit 340464602844dd75facc87d07c908fe784b2ec43
Author: Josejulio Martínez <jmartine>
Date: Tue Jan 10 11:42:41 2017 -0600
WARN when setting rhq.server.tomcat.security.client-auth-mode to a value different than true or false.
Moving to ON_QA as available for test with build: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=534002
http://download.eng.bos.redhat.com/brewroot/packages/org.jboss.on-jboss-on-parent/3.3.0.GA/110/maven/org/jboss/on/jon-server-patch/3.3.0.GA/jon-server-patch-3.3.0.GA.zip maps to ER01 build of JON 3.3.8.
Verified on:
JON 3.3.8.ER01
07:58:37,412 WARN [org.rhq.enterprise.communications.ServiceContainer] (pool-6-thread-1) {ServiceContainerConfiguration.invalid-tomcat-client-auth}The [rhq.server.tomcat.security.client-auth-mode] preference specified is invalid [incorrect] - it must be one of [true, false] (case sensitive).
08:27:59,409 WARN [org.rhq.enterprise.communications.ServiceContainerConfiguration] (pool-6-thread-1) {ServiceContainerConfiguration.invalid-client-auth}The [rhq.communications.connector.security.client-auth-mode] preference specified is invalid [incorr] - it must be one of [none, want, need]. Setting it to [need]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0285.html