Created attachment 979509
secured-webapp.war

Description of problem:
I have only one vault configured in the standalone.xml, but I see the following warning message in the server log file after a login attempt (the bindCredential login module option uses a vaulted password):

09:10:58,854 WARN  [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000378: Attempt to create the second Security Vault [org.picketbox.plugins.vault.PicketBoxSecurityVault] is invalid. Only one Security Vault is supported. Change your configuration, please.

Version-Release number of selected component (if applicable):
6.4.0.ER1

How reproducible:
always

Steps to Reproduce:

*) install EAP and set the JBOSS_HOME environment variable

*) generate a vault in the /tmp folder and store the "secret" value as the "bindCredential" attribute in block "ldap"

mkdir /tmp/vault
keytool -genseckey -alias vault -storetype jceks -keyalg AES -keysize 128 -storepass vault22 -keypass vault22 -dname "CN=localhost,OU=JBoss Middleware,O=Red Hat,L=Brno,C=CZ" -keystore /tmp/vault/vault.keystore
$JBOSS_HOME/bin/vault.sh -a bindCredential -b ldap -e /tmp/vault -i 22 -k /tmp/vault/vault.keystore -p vault22 -s 87654321 -v vault -x secret

*) start the test LDAP server (ApacheDS on port 10389)

git clone https://github.com/kwart/ldap-server.git
cd ldap-server
git checkout second-vault-issue-test
mvn clean package exec:java

*) start the EAP

$JBOSS_HOME/bin/standalone.sh

*) configure EAP using the CLI (vault, vaulted system property, security domain with the AdvancedLdap login module)

$JBOSS_HOME/bin/jboss-cli.sh -c << EOT
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/tmp/vault/vault.keystore"), ("KEYSTORE_PASSWORD" => "MASK-Ci5JS1kjxPX"), ("KEYSTORE_ALIAS" => "vault"), ("SALT" => "87654321"),("ITERATION_COUNT" => "22"), ("ENC_FILE_DIR" => "/tmp/vault/")])
/system-property=jboss.test:add(value="\${VAULT::ldap::bindCredential::1}")
/subsystem=security/security-domain=web-tests:add(cache-type=default)
/subsystem=security/security-domain=web-tests/authentication=classic:add
/subsystem=security/security-domain=web-tests/authentication=classic/login-module=org.jboss.security.negotiation.AdvancedLdapLoginModule:add(code=org.jboss.security.negotiation.AdvancedLdapLoginModule, flag=required, module-options=[("baseFilter"=>"(uid={0})"), ("bindDN"=>"uid=admin,ou=system"), ("rolesCtxDN"=>"dc=jboss,dc=org"), ("baseCtxDN"=>"dc=jboss,dc=org"), ("java.naming.security.authentication"=>"simple"), ("java.naming.provider.url"=>"ldap://127.0.0.1:10389"), ("bindCredential"=>"VAULT::ldap::bindCredential::1"), ("roleAttributeID"=>"cn"), ("roleFilter"=>"(member={1})")])
:reload
quit
EOT

*) deploy secured-webapp.war (attached) and try to log in

cp secured-webapp.war $JBOSS_HOME/standalone/deployments
go to http://localhost:8080/secured-webapp/
the login dialog should appear; use the jduke/theduke credentials to log in

*) check the server log

Actual results:
The warning is present.

Expected results:
The warning shouldn't be there.
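The last reproduction step is "check the server log". The script below, added here as an illustration and not code from the bug reporter or from EAP/PicketBox, does that check mechanically: it counts PBOX000378 warnings in a server log and lists the distinct VAULT::block::attribute::version references in a CLI script or standalone.xml, so an operator can confirm that every reference points at the single configured vault. It generalizes beyond this report in that it works on any log and any configuration file. The log excerpt and the CLI excerpt it reads are constructed sample input written to temporary files; the warning text and the vault references are copied from the report above.

```shell
#!/bin/sh
# Added example (not part of the original bug report, EAP or PicketBox):
# scan a server log for the PBOX000378 "second Security Vault" warning and
# list the VAULT:: references a configuration or CLI script contains.
# All input files below are constructed samples.

# Print the number of PBOX000378 warnings in the log file given as $1.
# Always prints a number (0 for a missing or unreadable file) and exits 0,
# so it is safe inside command substitution under 'set -e'.
count_second_vault_warnings() {
    if [ -r "$1" ]; then
        grep -c 'PBOX000378' "$1" || true
    else
        echo 0
    fi
}

# Exit status 0 when at least one PBOX000378 warning is in the log, 1 otherwise.
second_vault_warning_present() {
    [ "$(count_second_vault_warnings "$1")" -gt 0 ]
}

# Print the distinct VAULT::<block>::<attribute>::<version> references found
# in the file given as $1, one per line. Both spellings used in the report,
# "${VAULT::...}" in a system property and bare "VAULT::..." in a login
# module option, are matched.
list_vault_references() {
    if [ -r "$1" ]; then
        grep -o 'VAULT::[^:"} ]*::[^:"} ]*::[0-9][0-9]*' "$1" | sort -u
    fi
}

# ---- constructed sample input ------------------------------------------
WORKDIR=$(mktemp -d)
SAMPLE_LOG="$WORKDIR/server.log"          # constructed log with the warning
CLEAN_LOG="$WORKDIR/clean.log"            # constructed log without it
SAMPLE_CLI="$WORKDIR/configure-vault.cli" # constructed excerpt of the CLI script

cat > "$SAMPLE_LOG" <<'EOF'
09:10:57,102 INFO  [org.jboss.as] (MSC service thread 1-3) server started (constructed line)
09:10:58,854 WARN  [org.jboss.security] (http-/127.0.0.1:8080-1) PBOX000378: Attempt to create the second Security Vault [org.picketbox.plugins.vault.PicketBoxSecurityVault] is invalid. Only one Security Vault is supported. Change your configuration, please.
EOF

cat > "$CLEAN_LOG" <<'EOF'
09:10:57,102 INFO  [org.jboss.as] (MSC service thread 1-3) server started (constructed line)
EOF

cat > "$SAMPLE_CLI" <<'EOF'
/core-service=vault:add(vault-options=[("KEYSTORE_URL" => "/tmp/vault/vault.keystore"), ("KEYSTORE_ALIAS" => "vault")])
/system-property=jboss.test:add(value="\${VAULT::ldap::bindCredential::1}")
/subsystem=security/security-domain=web-tests/authentication=classic/login-module=AdvancedLdap:add(module-options=[("bindCredential"=>"VAULT::ldap::bindCredential::1")])
EOF

# ---- report ------------------------------------------------------------
echo "PBOX000378 warnings in $SAMPLE_LOG: $(count_second_vault_warnings "$SAMPLE_LOG")"
echo "Vault references in $SAMPLE_CLI:"
list_vault_references "$SAMPLE_CLI"
```

On a real installation, point the two functions at $JBOSS_HOME/standalone/log/server.log and at the CLI script (or standalone.xml) instead of the constructed files; a non-zero warning count after login is the symptom this report describes, and the reference list should name only blocks and attributes stored in the one configured vault.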
Filed a PR with fix: https://github.com/jbossas/jboss-eap/pull/2440 It also needs to revert the original fix in PicketBox, see https://issues.jboss.org/browse/SECURITY-893
Verified in EAP 6.4.5.CP.CR1
PR #2440, see comment 1, was neglected and never merged. So I've created a new bz1389201 for tracking it.
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.