Description of problem:
Because of bz1369081 it's possible to put incorrect values into the rhq.server.tomcat.security.client-auth-mode and rhq.communications.connector.security.client-auth-mode properties. The server starts without any error even with incorrect values, so a user might incorrectly think that client auth is enabled even though it is not because of a typo in the property value.

Version-Release number of selected component (if applicable):
JON3.3.x

How reproducible:
Always

Steps to Reproduce:
1. set up two way ssl agent <> server communication
2. set rhq.server.tomcat.security.client-auth-mode=tottalyIncorrect
3. start JON server

Actual results:
Server is started correctly without any error.

Expected results:
There should be an error visible that the given property is incorrect and client auth is not enabled.

Additional info:
It already warns when setting rhq.communications.connector.security.client-auth-mode to 'tottalyIncorrect' (and using a secure transport method).

13:46:00,778 WARN [org.rhq.enterprise.communications.ServiceContainerConfiguration] (pool-6-thread-1) {ServiceContainerConfiguration.invalid-client-auth}The [rhq.communications.connector.security.client-auth-mode] preference specified is invalid [tottalyIncorrect] - it must be one of [none, want, need]. Setting it to [need].

It also maps true/false to need/none, see:
https://github.com/rhq-project/rhq/blob/release/jon3.3.x/modules/enterprise/comm/src/main/java/org/rhq/enterprise/communications/ServiceContainerConfiguration.java#L432-L452

Do you think the warn should be changed to error? I'll do something similar with rhq.server.tomcat.security.client-auth-mode
Sorry, I missed the warning. I guess the correct approach for validation issues of security properties would be to log a warning and default to the most strict option. Otherwise a user could easily miss the warning and the server would be running in unsecured mode.
For the other attribute ('rhq.server.tomcat.security.client-auth-mode') I need to research a bit more. Currently that one is used directly by the https connector (see jbossas/standalone/configuration/standalone-full.xml):

verify-client="${rhq.server.tomcat.security.client-auth-mode:false}"

I could use the DMR API to get the value, but I'm not sure if I could set the value to a stricter one after starting the application server.
'rhq.server.tomcat.security.client-auth-mode' is passed directly to EAP. See jbossas/standalone/configuration/standalone-full.xml line 523:

verify-client="${rhq.server.tomcat.security.client-auth-mode:false}"

It seems to be an EAP issue and I'm not sure if we should do something about it. I guess we could WARN, but I'm not sure we could set it to something else at that point.
Just warning in case of 'rhq.server.tomcat.security.client-auth-mode' should be fine.
11:30:28,269 WARN [org.rhq.enterprise.communications.ServiceContainer] (pool-6-thread-1) {ServiceContainerConfiguration.invalid-tomcat-client-auth}The [rhq.server.tomcat.security.client-auth-mode] preference specified is invalid [some_wrong_value] - it must be one of [true, false].

This warning will appear only when selecting sslservlet as transport method. Should be fixed with this PR:
https://github.com/rhq-project/rhq/pull/284
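The thread settles on two different behaviours for the two properties: the agent-facing rhq.communications.connector.security.client-auth-mode can be normalised (true/false mapped to need/none) and, as comment 4 asks, fall back to the strictest mode when the value is invalid, whereas rhq.server.tomcat.security.client-auth-mode is consumed directly by EAP through standalone-full.xml, so the server can only check it and warn. The following is an added illustration of both checks written for this page; it is not RHQ's ServiceContainerConfiguration code, and the class, method, enum and log-message names are assumptions.

```java
import java.util.Locale;
import java.util.logging.Logger;

/**
 * Hypothetical validator for the two client-auth preferences discussed in this bug.
 * Not part of RHQ; names and messages are assumptions made for this example.
 */
public final class ClientAuthModeValidator {

    private static final Logger LOG = Logger.getLogger(ClientAuthModeValidator.class.getName());

    /** The three client-certificate modes the agent/server connector understands. */
    public enum ClientAuthMode { NONE, WANT, NEED }

    public static final String COMM_PREF = "rhq.communications.connector.security.client-auth-mode";
    public static final String TOMCAT_PREF = "rhq.server.tomcat.security.client-auth-mode";

    private ClientAuthModeValidator() {}

    /**
     * Resolves the connector preference. Accepts none/want/need (compared case-insensitively
     * here, a choice made for this example), maps true/false to need/none, and on any other
     * value (including a missing one) logs a warning and returns the strictest mode, NEED,
     * so a typo in the property can never silently disable client authentication.
     */
    public static ClientAuthMode resolveConnectorMode(String rawValue) {
        String value = rawValue == null ? "" : rawValue.trim().toLowerCase(Locale.ROOT);
        switch (value) {
            case "none":
            case "false":
                return ClientAuthMode.NONE;
            case "want":
                return ClientAuthMode.WANT;
            case "need":
            case "true":
                return ClientAuthMode.NEED;
            default:
                LOG.warning(String.format(
                        "The [%s] preference specified is invalid [%s] - it must be one of [none, want, need]. Setting it to [need].",
                        COMM_PREF, rawValue));
                return ClientAuthMode.NEED;
        }
    }

    /**
     * Checks the Tomcat/EAP preference. EAP reads the raw value itself from
     * verify-client="${rhq.server.tomcat.security.client-auth-mode:false}", so this code
     * cannot substitute a safer value; it only reports whether the value is one EAP will
     * honour. The comparison is case sensitive on purpose, matching the verified fix.
     *
     * @return true when the value is exactly "true" or "false", false otherwise
     */
    public static boolean validateTomcatVerifyClient(String rawValue) {
        if ("true".equals(rawValue) || "false".equals(rawValue)) {
            return true;
        }
        LOG.warning(String.format(
                "The [%s] preference specified is invalid [%s] - it must be one of [true, false] (case sensitive).",
                TOMCAT_PREF, rawValue));
        return false;
    }

    /** Demonstrates both checks on constructed sample values. */
    public static void main(String[] args) {
        String[] connectorSamples = { "need", "true", "false", "want", "tottalyIncorrect", null };
        for (String sample : connectorSamples) {
            System.out.println(COMM_PREF + "=" + sample + " -> " + resolveConnectorMode(sample));
        }
        String[] tomcatSamples = { "true", "false", "True", "some_wrong_value" };
        for (String sample : tomcatSamples) {
            System.out.println(TOMCAT_PREF + "=" + sample + " -> valid=" + validateTomcatVerifyClient(sample));
        }
    }
}
```

The asymmetry is the point: where the application owns the setting it can fail closed, but where a downstream component (here EAP's connector) consumes the raw property, the best the application can do at startup is make the misconfiguration loud in the log, which is what the verified fix does.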
commit 78d83fb415f9cce035419e46fc4b992c151849ab
Merge: a40b39d 3404646
Author: Michael Burman <yak>
Date:   Fri Jan 13 13:43:44 2017 +0200

    Merge pull request #284 from josejulio/bugs/1369085-b

    WARN when setting rhq.server.tomcat.security.client-auth-mode to a va…

commit 340464602844dd75facc87d07c908fe784b2ec43
Author: Josejulio Martínez <jmartine>
Date:   Tue Jan 10 11:42:41 2017 -0600

    WARN when setting rhq.server.tomcat.security.client-auth-mode to a value different than true or false.
Moving to ON_QA as available for test with build:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=534002
http://download.eng.bos.redhat.com/brewroot/packages/org.jboss.on-jboss-on-parent/3.3.0.GA/110/maven/org/jboss/on/jon-server-patch/3.3.0.GA/jon-server-patch-3.3.0.GA.zip

maps to ER01 build of JON 3.3.8.
Verified on: JON 3.3.8.ER01

07:58:37,412 WARN [org.rhq.enterprise.communications.ServiceContainer] (pool-6-thread-1) {ServiceContainerConfiguration.invalid-tomcat-client-auth}The [rhq.server.tomcat.security.client-auth-mode] preference specified is invalid [incorrect] - it must be one of [true, false] (case sensitive).

08:27:59,409 WARN [org.rhq.enterprise.communications.ServiceContainerConfiguration] (pool-6-thread-1) {ServiceContainerConfiguration.invalid-client-auth}The [rhq.communications.connector.security.client-auth-mode] preference specified is invalid [incorr] - it must be one of [none, want, need]. Setting it to [need]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0285.html