Bug 977417

Summary: jboss-cli.sh allows creation of an invalid jsse element within a security-domain
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Thomas Hauser <thauser>
Component: Security
Assignee: Emmanuel Hugonnet (ehsavoie) <ehugonne>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: unspecified
Priority: unspecified
Version: 6.1.0
CC: brian.stansberry, cdewolf, ehugonne, jcacek, olukas
Target Milestone: ER3
Target Release: EAP 6.2.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-12-15 16:15:08 UTC
Type: Bug

Description Thomas Hauser 2013-06-24 13:54:45 UTC
Description of problem:
The jboss-cli.sh allows me to add a jsse definition which is not valid. Apparently you must have a keystore-password or truststore-password, but this restriction is not enforced in the CLI. This puts the server into an unstartable state, as well.

Version-Release number of selected component (if applicable):
7.2.0.Final-redhat-8

How reproducible:
Always.

Steps to Reproduce:
1) Start the server in either standalone or domain mode (admin-only or normal):

2) Start the jboss-cli.sh session:
./jboss-cli.sh -c

3) Add a new security-domain definition:
Standalone:
/subsystem=security/security-domain=new:add()
Domain:
/profile=full/subsystem=security/security-domain=new:add()

4) Add a new jsse element to the new security-domain:
Standalone:
/subsystem=security/security-domain=new/jsse=classic:add()
Domain:
/profile=full/subsystem=security/security-domain=new/jsse=classic:add()

5) Observe command success:
{"outcome" => "success"}

6) Reload the server:
:reload

7) Observe the stacktrace upon the server's attempted reload:
http://pastebin.test.redhat.com/148589

8) The server is now in a state where it cannot start.

Actual results:
CLI allows me to add a jsse element with no contents. However, this results in a situation where the server cannot start.

Expected results:
If attributes are required, a command lacking them should not succeed.

Additional info:
This may not be a CLI issue per se, since looking at a bug like https://bugzilla.redhat.com/show_bug.cgi?id=900810 seems to indicate it may be a server side issue. However, I'd still like to draw attention to this situation.

Comment 1 Thomas Hauser 2013-06-24 13:56:43 UTC
See https://issues.jboss.org/browse/WFLY-1575

Comment 2 Alexey Loubyansky 2013-06-24 14:46:30 UTC
This is not a CLI issue; it's reflected by the CLI. It should be fixed in the Domain Management of Security. I guess it should be moved to Security.

Comment 4 Emmanuel Hugonnet (ehsavoie) 2013-08-14 09:38:43 UTC
After some discussions on IRC, it should be valid to have an empty JSSE element. Thus the issue is in the parser, which is more restrictive than the schema or the CLI.
Also, due to a refactoring of the SSL configuration in WildFly, this will not be pushed to upstream.

Comment 5 Emmanuel Hugonnet (ehsavoie) 2013-09-05 13:36:36 UTC
https://github.com/jbossas/jboss-eap/pull/317

Comment 7 Ondrej Lukas 2013-09-25 08:14:30 UTC
Verified on 6.2.0.ER3
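
A pre-reload check for the condition this report describes, as an added example that is not part of the original bug thread or the JBoss code base: it scans a configuration file for security domains whose jsse element carries neither password attribute. The "at least one of keystore-password or truststore-password" rule is an assumption taken from the reporter's description and applies to versions before the fix; the sample XML, its namespace URIs and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed security subsystem fragment. The namespace
# URIs are placeholders, not the real schema namespaces.
SAMPLE_CONFIG = """\
<server xmlns="urn:example:server">
  <profile>
    <subsystem xmlns="urn:example:security">
      <security-domains>
        <security-domain name="new">
          <jsse/>
        </security-domain>
        <security-domain name="with-keystore">
          <jsse keystore-password="changeit" keystore-url="file:///tmp/example.jks"/>
        </security-domain>
        <security-domain name="other" cache-type="default"/>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""

# Assumption taken from the report: the parser wants at least one of these.
REQUIRED_ANY = ("keystore-password", "truststore-password")


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def find_invalid_jsse(xml_text):
    """Return names of security domains whose <jsse> has none of REQUIRED_ANY."""
    root = ET.fromstring(xml_text)
    flagged = []
    for elem in root.iter():
        if local_name(elem.tag) != "security-domain":
            continue
        for child in elem:
            # A missing or empty attribute both count as "not set".
            if local_name(child.tag) == "jsse" and not any(
                child.get(attr) for attr in REQUIRED_ANY
            ):
                flagged.append(elem.get("name", "<unnamed>"))
    return flagged


if __name__ == "__main__":
    for name in find_invalid_jsse(SAMPLE_CONFIG):
        print(f"security-domain '{name}': jsse has no keystore/truststore password")
```

Because it matches on local element names, the same function works on a domain-mode file where the subsystem sits under a named profile.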