Bug 1174871 - [GSS] (6.1.3 patch) SECURITY-871, WFLY-1904 - Vault fixes for system properties and LDAP integration
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: One-off release
Assignee: Derek Horton
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Duplicates: 1170767
Depends On: JBPAPP6-1735 1170764
Blocks: 1183067 1179497
Reported: 2014-12-16 16:15 UTC by Derek Horton
Modified: 2019-08-19 12:38 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
PATCH NAME: bz-1174871
PRODUCT NAME: JBoss Enterprise Application Platform
VERSION: 6.1.3
SHORT DESCRIPTION:
LONG DESCRIPTION:
MANUAL INSTALL INSTRUCTIONS:
Backup and remove the following files:
    $JBOSS_HOME/modules/system/layers/base/org/jboss/as/server/main/jboss-as-server-7.2.3.Final-redhat-2.jar
    $JBOSS_HOME/modules/system/layers/base/org/jboss/as/server/main/module.xml
    $JBOSS_HOME/modules/system/layers/base/org/jboss/security/negotiation/main/jboss-negotiation-extras-2.2.5.Final-redhat-2.jar
    $JBOSS_HOME/modules/system/layers/base/org/jboss/security/negotiation/main/module.xml
Extract the patched files by either:
Using unzip:
    unzip -d $JBOSS_HOME/ bz-1174871.zip
Or by extracting the files from the zip to the following locations:
    $JBOSS_HOME/modules/system/layers/base/org/jboss/as/server/main/jboss-as-server-7.2.3.Final-redhat-2-bz-1174871.jar
    $JBOSS_HOME/modules/system/layers/base/org/jboss/as/server/main/module.xml
    $JBOSS_HOME/modules/system/layers/base/org/jboss/security/negotiation/main/jboss-negotiation-extras-2.2.5.Final-redhat-2-bz-1174871.jar
    $JBOSS_HOME/modules/system/layers/base/org/jboss/security/negotiation/main/module.xml
Instructions to uninstall:
Restore the following files that were backed up before the patch was installed:
    $JBOSS_HOME/modules/system/layers/base/org/jboss/as/server/main/jboss-as-server-7.2.3.Final-redhat-2.jar
    $JBOSS_HOME/modules/system/layers/base/org/jboss/as/server/main/module.xml
    $JBOSS_HOME/modules/system/layers/base/org/jboss/security/negotiation/main/jboss-negotiation-extras-2.2.5.Final-redhat-2.jar
    $JBOSS_HOME/modules/system/layers/base/org/jboss/security/negotiation/main/module.xml
COMPATIBILITY:
DEPENDENCIES: JBoss Enterprise Application Platform 6.1.3
SUPERSEDES:
SUPERSEDED BY:
CREATOR: Derek Horton
DATE: 5 January 2015
Clone Of:
Clones: 1179497
Environment:
Last Closed: 2019-08-19 12:38:38 UTC
Type: Support Patch
Embargoed:
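The Doc Text above gives only the manual copy steps. The script below is an added check for this page, not part of the patch, of Bugzilla, or of Red Hat's tooling: it verifies the downloaded archive against the MD5 sum Josef Cacek published in Comment 10, and, after the files have been copied in, confirms for both modules that the patched jar is present, the unpatched jar was actually removed (a leftover original jar would still sit on the module path), and module.xml now references the patched jar. It assumes that module.xml names its jar in a <resource-root path="..."/> element, which is the standard JBoss Modules layout but is not stated on the page, and that md5sum is on PATH. Note that the attachments are named BZ1174871.zip while the Doc Text's unzip command says bz-1174871.zip, so the archive path is taken as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added check script for this Bugzilla page; not part of the patch or of Red Hat tooling.
# Assumptions not stated on the page: module.xml names its jar in a
# <resource-root path="..."/> element (JBoss Modules layout), and md5sum is on PATH.

# MD5 of BZ1174871.zip as published by Josef Cacek in Comment 10.
PATCH_ZIP_MD5="dd473db6fbfc4796f359c38aa4885bb6"

# Verify the downloaded archive before unpacking it into $JBOSS_HOME.
# Returns 0 on match, 1 if the file is unreadable or the sum differs.
check_patch_md5() {
    zip="$1"
    [ -r "$zip" ] || { echo "cannot read $zip" >&2; return 1; }
    actual=$(md5sum "$zip" | cut -d' ' -f1)
    if [ "$actual" = "$PATCH_ZIP_MD5" ]; then
        echo "OK: $zip matches $PATCH_ZIP_MD5"
        return 0
    fi
    echo "MISMATCH: $zip is $actual, expected $PATCH_ZIP_MD5" >&2
    return 1
}

# Check one module directory after installation: the patched jar exists, the
# unpatched jar is gone (the Doc Text says to back it up and remove it, so it
# cannot shadow the fix), and module.xml points at the patched jar.
# Args: module dir, unpatched jar name, patched jar name. Returns 0 if all hold.
check_module() {
    dir="$1"; old="$2"; new="$3"; rc=0
    [ -f "$dir/$new" ] || { echo "missing $dir/$new" >&2; rc=1; }
    [ ! -e "$dir/$old" ] || { echo "unpatched $dir/$old still present" >&2; rc=1; }
    grep -q "resource-root[^>]*path=\"$new\"" "$dir/module.xml" 2>/dev/null \
        || { echo "$dir/module.xml does not reference $new" >&2; rc=1; }
    return "$rc"
}

# Check both modules the Doc Text says the patch replaces. Returns 0 only if both pass.
check_patch_installed() {
    base="$1/modules/system/layers/base"; ok=0
    check_module "$base/org/jboss/as/server/main" \
        jboss-as-server-7.2.3.Final-redhat-2.jar \
        jboss-as-server-7.2.3.Final-redhat-2-bz-1174871.jar || ok=1
    check_module "$base/org/jboss/security/negotiation/main" \
        jboss-negotiation-extras-2.2.5.Final-redhat-2.jar \
        jboss-negotiation-extras-2.2.5.Final-redhat-2-bz-1174871.jar || ok=1
    return "$ok"
}

# Usage: sh check-bz1174871.sh /path/to/BZ1174871.zip /path/to/jboss-eap-6.1
if [ "$#" -eq 2 ]; then
    check_patch_md5 "$1" && check_patch_installed "$2"
    exit "$?"
fi
```

Run the checksum step before unzipping; after copying the files in, run the script again with both arguments and treat a non-zero exit as an incomplete install (the messages on stderr say which file is wrong).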


Attachments
BZ1174871.zip (859.63 KB, application/zip), attachment 969672, 2014-12-16 17:15 UTC, Derek Horton
BZ1174871.zip (859.42 KB, application/zip), attachment 976981, 2015-01-06 23:08 UTC, Derek Horton


Links
System: Red Hat Issue Tracker
  SECURITY-871  Private: No  Priority: Major  Status: Resolved  Summary: AdvancedLdapLoginModule should be able to retrieve bindCredential from Vault  Last Updated: 2019-01-10 09:56:25 UTC
  WFLY-1904     Private: No  Priority: Major  Status: Closed    Summary: Usage of vault for system-properties throws java.lang.SecurityException  Last Updated: 2019-01-10 09:56:25 UTC

Description Derek Horton 2014-12-16 16:15:04 UTC
Description of problem:

One-off patch for including WFLY-1904 and SECURITY-871

WFLY-1904 - Usage of vault for system-properties throws java.lang.SecurityException
SECURITY-871 - AdvancedLdapLoginModule should be able to retrieve bindCredential from Vault


Steps to Reproduce:
1.  Configure Vault

2.  Configure a system property that uses a "vaultified" string (WFLY-1904)

    <system-properties>
        <property name="my.property" value="${VAULT::LDAP::bindCredential::1}"/>
    </system-properties>

3.  Configure the AdvancedLdap login module to use a "vaultified" string for the bindCredential (SECURITY-871)

    <module-option name="bindCredential" value="VAULT::LDAP::bindCredential::1"/>

Comment 1 Derek Horton 2014-12-16 17:15:25 UTC
Created attachment 969672 [details]
BZ1174871.zip

Comment 2 Jimmy Wilson 2014-12-16 21:42:31 UTC
*** Bug 1170767 has been marked as a duplicate of this bug. ***

Comment 5 Josef Cacek 2015-01-05 10:10:16 UTC
Verification failed.

The BZ talks about EAP version 6.1.3 (Summary and Version fields), but the one-off is for the 6.1.1 version. 

Either the fields in BZ or the included patch have to be fixed.

Comment 6 JBoss JIRA Server 2015-01-06 15:59:21 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-871 to Resolved

Comment 7 Derek Horton 2015-01-06 23:08:49 UTC
Created attachment 976981 [details]
BZ1174871.zip

Comment 9 Jimmy Wilson 2015-01-08 21:40:25 UTC
This BZ has been fixed for 6.1.3, but it is for a future FSW rollup patch now.  The 6.1.1 work has been split into bug 1179497 because of the underlying module.xml conflicts.  If it is too late to finish this patch this week, that's fine.  If it isn't, please do.  In either case, bug 1179497 will be submitted next week.

Comment 10 Josef Cacek 2015-01-12 13:19:59 UTC
Patch verified.

Patch MD5 sum:
dd473db6fbfc4796f359c38aa4885bb6  BZ1174871.zip

Regression tests run (AS TS):
https://jenkins.mw.lab.eng.bos.redhat.com/hudson/job/eap-as-6.1.1-one-off-jcacek/5/

The patched jboss-negotiation-extras artifact was compiled with target Java version 5. (The unpatched version was compiled with target Java version 6).

