Bug 1023084 - [GSS] (6.3.0) Bug in JBossJSSESecurityDomain.java - attempting to use wrong provider
Summary: [GSS] (6.3.0) Bug in JBossJSSESecurityDomain.java - attempting to use wrong p...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ER4
: EAP 6.3.0
Assignee: Anil Saldhana
QA Contact: Josef Cacek
Russell Dickenson
URL:
Whiteboard:
Depends On:
Blocks: 1067574 1067584
TreeView+ depends on / blocked
 
Reported: 2013-10-24 15:08 UTC by Derek Horton
Modified: 2014-08-12 02:08 UTC (History)
6 users (show)

Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 included a bug which caused JBossJSSESecurityDomain.java to attempt to use the keystore/truststore provider to get instances of the trust manager. This behavior was incorrect as the "trust-manager-factory-provider" setting cannot be used in the JSSE section of a security domain. Using this setting (even if properly configured) would result in an exception during start up. This bug has been resolved in this release and the "trust-manager-factory-provider" setting can now be used to set the `trustManagerFactoryProvider`.
Clone Of:
: 1067574 (view as bug list)
Environment:
Last Closed: 2014-06-28 15:53:46 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
JBoss Issue Tracker SECURITY-762 Major Resolved Bug in JBossJSSESecurityDomain.java - attempting to use wrong provider 2014-07-24 07:27:00 UTC

Description Derek Horton 2013-10-24 15:08:01 UTC
Description of problem:
There is a bug in JBossJSSESecurityDomain.java where it attempts to use the keystore/truststore provider to get instances of the trust manager.

The code reads:
         if (trustManagerFactoryProvider != null)
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm, trustStoreProvider);
         else
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm);


I think it should read:
         if (trustManagerFactoryProvider != null)
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider);
         else
            trustManagerFactory = TrustManagerFactory.getInstance(algorithm);


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
Setup a security-domain that defines a JSSE keystore/truststore:
+                    <!--
+                    <jsse keystore-url="/home/dehort/dev/java/jboss-eap-6.1.1/standalone/configuration/server.keystore"
+                      keystore-password="123456" 
+                      key-manager-factory-algorithm="SunX509" 
+                      key-manager-factory-provider="SunJSSE"/>
+                    -->
+                    <jsse truststore-url="/home/dehort/dev/java/jboss-eap-6.1.1/standalone/configuration/server.keystore"
+                      truststore-password="123456" 
+                      trust-manager-factory-algorithm="SunX509" 
+                      trust-manager-factory-provider="SunJSSE"/>

Actual results:


Expected results:


Additional info:

Comment 1 Derek Horton 2013-10-29 16:13:25 UTC
Fixed.  Checked into:
https://svn.jboss.org/repos/picketbox/branches/eap62

Comment 5 Scott Mumford 2014-05-13 02:43:41 UTC
Included release note text from duplicate bug 1067574. Marking for inclusion in 6.3.0 Release Notes.

Comment 7 Derek Horton 2014-05-14 13:52:36 UTC
Fixed in 4.0.19.SP6 which based on 1088897 should be used in 6.3.0.

Comment 8 Hynek Mlnarik 2014-05-14 15:00:11 UTC
Verified in EAP 6.3.0.ER4

Comment 9 Nichola Moore 2014-05-15 04:57:23 UTC
As per bz 1097167, this has been set back to known issue.

I removed the doc text so here it is, ready to be reinstated:

Previous versions of JBoss EAP 6 included a bug which caused JBossJSSESecurityDomain.java to attempt to use the keystore/truststore provider to get instances of the trust manager. This behavior was incorrect as the "trust-manager-factory-provider" setting cannot be used in the JSSE section of a security domain.  Using this setting (even if properly configured) would result in an exception during start up. This bug has been resolved in this release and the "trust-manager-factory-provider" setting can now be used to set the `trustManagerFactoryProvider`.

Comment 10 Nichola Moore 2014-05-15 04:58:28 UTC
Reinstated doc text.

Comment 11 Scott Mumford 2014-07-17 04:11:24 UTC
Making public for inclusion in 6.3.0 Release Notes.


Note You need to log in before you can comment on or make changes to this bug.