Bug 1055577
| Summary: | EAP should print ERROR or WARNING when 2 vaults are defined | | |
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Josef Cacek <jcacek> |
| Component: | Security, Domain Management | Assignee: | Peter Skopek <pskopek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Pavel Slavicek <pslavice> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2.0, 6.3.0 | CC: | bdawidow, kkhan, pkremens |
| Target Milestone: | DR11 | | |
| Target Release: | EAP 6.4.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | ShouldBeFixed | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1160715 | | |
| Bug Blocks: | | | |
Verified in 6.4.0.DR11. The following warning is displayed during server reload:

```
08:30:48,610 WARN  [org.jboss.security] (MSC service thread 1-2) PBOX000378: Attempt to create the second Security Vault [org.picketbox.plugins.vault.PicketBoxSecurityVault] is invalid. Only one Security Vault is supported. Change your configuration, please.
```
Print an error/warning message when a user tries to add 2 vaults to the server.

A user is able to define the vault in 2 different places in the EAP:

- `/core-service=vault:add(...)`
- `/subsystem=security/vault=classic:add(...)`

If both of them are defined, then no error/warning is displayed. The user can then use a value from the latter entry, for instance to protect a password in a datasource (again without any warning). He will only see the following exception during the next server start:

```
15:23:08,207 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 25) JBAS014612: Operation ("enable") failed - address: ([
    ("subsystem" => "datasources"),
    ("data-source" => "ExampleDS")
]): java.lang.SecurityException: JBAS013311: Security Exception
	at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:104)
	at org.jboss.as.server.RuntimeExpressionResolver.resolvePluggableExpression(RuntimeExpressionResolver.java:45)
	at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionType(ExpressionResolverImpl.java:115) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressionsRecursively(ExpressionResolverImpl.java:58) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ExpressionResolverImpl.resolveExpressions(ExpressionResolverImpl.java:40) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ModelControllerImpl.resolveExpressions(ModelControllerImpl.java:588) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.OperationContextImpl.resolveExpressions(OperationContextImpl.java:796) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ParallelBootOperationContext.resolveExpressions(ParallelBootOperationContext.java:340) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AttributeDefinition$1.resolveExpressions(AttributeDefinition.java:298) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AttributeDefinition.resolveValue(AttributeDefinition.java:362) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:321) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AttributeDefinition.resolveModelAttribute(AttributeDefinition.java:295) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.connector.util.ModelNodeUtil.getResolvedStringIfSetOrGetDefault(ModelNodeUtil.java:33)
	at org.jboss.as.connector.subsystems.datasources.DataSourceModelNodeUtil.from(DataSourceModelNodeUtil.java:149)
	at org.jboss.as.connector.subsystems.datasources.DataSourceEnable.addServices(DataSourceEnable.java:166)
	at org.jboss.as.connector.subsystems.datasources.DataSourceEnable$1.execute(DataSourceEnable.java:95)
	at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:607) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractOperationContext.doCompleteStep(AbstractOperationContext.java:485) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractOperationContext.completeStepInternal(AbstractOperationContext.java:282) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:277) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at org.jboss.as.controller.ParallelBootOperationStepHandler$ParallelBootTask.run(ParallelBootOperationStepHandler.java:343) [jboss-as-controller-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final-redhat-1.jar:2.1.1.Final-redhat-1]
Caused by: org.jboss.security.vault.SecurityVaultException: java.lang.IllegalArgumentException: Null input buffer
	at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:279)
	at org.jboss.as.security.vault.RuntimeVaultReader.getValue(RuntimeVaultReader.java:129)
	at org.jboss.as.security.vault.RuntimeVaultReader.getValueAsString(RuntimeVaultReader.java:112)
	at org.jboss.as.security.vault.RuntimeVaultReader.retrieveFromVault(RuntimeVaultReader.java:102)
	... 24 more
Caused by: java.lang.IllegalArgumentException: Null input buffer
	at javax.crypto.Cipher.doFinal(Cipher.java:2083) [jce.jar:1.7.0_10]
	at org.picketbox.util.EncryptionUtil.decrypt(EncryptionUtil.java:134)
	at org.picketbox.plugins.vault.PicketBoxSecurityVault.retrieve(PicketBoxSecurityVault.java:275)
	... 27 more
```

Commands to reproduce the issue:

```
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -dname "CN=localhost, OU=JBoss Middleware, O=Red Hat, L=Brno, C=CZ" -keystore /home/jcacek/test/vault/vault.keystore
./vault.sh -a passa -b exampleds -e /home/jcacek/test/vault -i 22 -k /home/jcacek/test/vault/vault.keystore -p vault22 -s 87654321 -v vault -x sa
./vault.sh -a passb -b exampleds -e /home/jcacek/test/vault2 -i 22 -k /home/jcacek/test/vault2/vault.keystore -p vault22 -s 87654321 -v vault -x sa
```

CLI:

```
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/home/jcacek/test/vault/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"), ("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/home/jcacek/test/vault/")])
/subsystem=security/vault=classic:add(vault-options=[("KEYSTORE_URL" => "/home/jcacek/test/vault2/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"), ("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/home/jcacek/test/vault2/")])

[standalone@localhost:9999 /] /subsystem=datasources/data-source=ExampleDS:write-attribute(name=password, value=expression "${VAULT::exampleds::passa::1}")
{
    "outcome" => "failed",
    "failure-description" => "JBAS014749: Operation handler failed: JBAS013311: Security Exception",
    "rolled-back" => true
}
[standalone@localhost:9999 /] /subsystem=datasources/data-source=ExampleDS:write-attribute(name=password, value=expression "${VAULT::exampleds::passb::1}")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
```
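A static configuration check for the condition this bug describes, added here as an example; it is not part of the bug report or of EAP itself. It parses a standalone.xml and reports when a vault is defined both as a core service and inside the security subsystem, which is the situation the PBOX000378 warning in the fixed build catches only at runtime. The XML layout (a `<vault>` element directly under `<server>` for the `/core-service=vault` address, one inside the `urn:jboss:domain:security` subsystem for `/subsystem=security/vault=classic`, each with `<vault-option>` children), the sample configuration and the paths in it are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample standalone.xml fragment (not taken from the bug report). The
# element layout is an assumption based on EAP 6 configuration conventions: one
# <vault> directly under <server> (the /core-service=vault address) and one inside
# the security subsystem (the /subsystem=security/vault=classic address).
TWO_VAULTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:1.5">
  <vault>
    <vault-option name="KEYSTORE_URL" value="/opt/vault/vault.keystore"/>
    <vault-option name="ENC_FILE_DIR" value="/opt/vault/"/>
  </vault>
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <vault>
        <vault-option name="KEYSTORE_URL" value="/opt/vault2/vault.keystore"/>
        <vault-option name="ENC_FILE_DIR" value="/opt/vault2/"/>
      </vault>
      <security-domains/>
    </subsystem>
  </profile>
</server>
"""

# Same layout with only the core-service vault; used as the clean control case.
ONE_VAULT_XML = TWO_VAULTS_XML.replace(
    """      <vault>
        <vault-option name="KEYSTORE_URL" value="/opt/vault2/vault.keystore"/>
        <vault-option name="ENC_FILE_DIR" value="/opt/vault2/"/>
      </vault>
""", "")

SECURITY_NS_PREFIX = "{urn:jboss:domain:security"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _vault_options(vault_el):
    """Collect <vault-option name=... value=.../> children into a dict."""
    return {o.get("name"): o.get("value")
            for o in vault_el if _local(o.tag) == "vault-option"}


def find_vaults(config_xml):
    """Return {location: options} for every vault definition in the config.

    location is 'core-service' for <server>/<vault> and 'security-subsystem'
    for a <vault> inside the security subsystem, mirroring the two CLI
    addresses named in the bug report.
    """
    root = ET.fromstring(config_xml)
    found = {}
    for child in root:
        if _local(child.tag) == "vault":
            found["core-service"] = _vault_options(child)
    for el in root.iter():
        if _local(el.tag) == "subsystem" and el.tag.startswith(SECURITY_NS_PREFIX):
            for child in el:
                if _local(child.tag) == "vault":
                    found["security-subsystem"] = _vault_options(child)
    return found


def check_vault_config(config_xml):
    """Return a list of warning strings; empty when at most one vault is defined."""
    vaults = find_vaults(config_xml)
    if len(vaults) < 2:
        return []
    enc_dirs = {loc: opts.get("ENC_FILE_DIR") for loc, opts in vaults.items()}
    return [
        "Only one Security Vault is supported, but vaults are defined at: "
        + ", ".join(sorted(vaults))
        + f"; ENC_FILE_DIR per location: {enc_dirs}"
    ]


if __name__ == "__main__":
    for name, xml in (("two vaults", TWO_VAULTS_XML), ("one vault", ONE_VAULT_XML)):
        print(name, "->", check_vault_config(xml) or "OK")
```

Run against a real standalone.xml by reading the file into `check_vault_config`; the namespace prefix match lets the check work across the `urn:jboss:domain:security:1.x` schema versions without hard-coding one.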