Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 921383

Summary: <security-domain> in ironjacamar.xml in rar file causes SecurityException
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Hisanobu Okuda <hokuda>
Component: JCA
Assignee: baranowb <bbaranow>
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Version: 6.0.1
CC: bbaranow, hokuda
Doc Type: Bug Fix
Last Closed: 2013-09-20 07:56:31 UTC
Type: Bug
Attachments: reproducible rar (flags: none)

Description Hisanobu Okuda 2013-03-14 05:31:13 UTC
Description of problem:

When configuring ironjacamar.xml in rar file as follows:

<?xml version="1.0" encoding="UTF-8"?>
<ironjacamar>
  <connection-definitions>
    <connection-definition
        class-name="org.jboss.jca.samples.helloworld.HelloWorldManagedConnectionFactory"
        jndi-name="java:/eis/HelloWorld">
      <security>
        <security-domain>test</security-domain>
      </security>
      <recovery>
        <recover-credential>
          <user-name>test</user-name>
          <password>password</password>
        </recover-credential>
      </recovery>
    </connection-definition>
  </connection-definitions>
</ironjacamar>

an exception is thrown at startup and when re-deploying the rar:

14:26:53,568 ERROR [org.jboss.as.connector.deployers.RADeployer] (MSC service thread 1-5) IJ020007: Exception during createSubject(): PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
	at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
	at org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer$1.run(AbstractResourceAdapterDeployer.java:2402) [ironjacamar-deployers-common-1.0.13.Final-redhat-1.jar:1.0.13.Final-redhat-1]
	at org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer$1.run(AbstractResourceAdapterDeployer.java:2397) [ironjacamar-deployers-common-1.0.13.Final-redhat-1.jar:1.0.13.Final-redhat-1]
	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_37]
	at org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer.createSubject(AbstractResourceAdapterDeployer.java:2396) [ironjacamar-deployers-common-1.0.13.Final-redhat-1.jar:1.0.13.Final-redhat-1]
	at org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer.createObjectsAndInjectValue(AbstractResourceAdapterDeployer.java:2174) [ironjacamar-deployers-common-1.0.13.Final-redhat-1.jar:1.0.13.Final-redhat-1]
	at org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer.createObjectsAndInjectValue(AbstractResourceAdapterDeployer.java:1097) [ironjacamar-deployers-common-1.0.13.Final-redhat-1.jar:1.0.13.Final-redhat-1]
	at org.jboss.as.connector.services.resourceadapters.deployment.ResourceAdapterDeploymentService$AS7RaDeployer.doDeploy(ResourceAdapterDeploymentService.java:185)
	at org.jboss.as.connector.services.resourceadapters.deployment.ResourceAdapterDeploymentService.start(ResourceAdapterDeploymentService.java:101)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_37]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_37]
	at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_37]



Steps to Reproduce:
1. Deploy the attached rar
  

Comment 1 Hisanobu Okuda 2013-03-14 05:32:58 UTC
Created attachment 709875 [details]
reproducible rar

Comment 2 Hisanobu Okuda 2013-03-14 05:35:42 UTC
No principal and credential to create a subject are provided at startup:

Breakpoint hit: "thread=MSC service thread 1-3", org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(), line=136 bci=0                                                                          

MSC service thread 1-3[1] locals
Method arguments:
principal = null
credential = null
activeSubject = instance of javax.security.auth.Subject(id=6612)
Local variables:
MSC service thread 1-3[1]
MSC service thread 1-1[1] where
  [1] org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid (JBossCachedAuthenticationManager.java:136)
  [2] org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject (JBossSecuritySubjectFactory.java:83)
  [3] org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer$1.run (AbstractResourceAdapterDeployer.java:2,402)
  [4] org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer$1.run (AbstractResourceAdapterDeployer.java:2,397)
  [5] java.security.AccessController.doPrivileged (native method)
  [6] org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer.createSubject (AbstractResourceAdapterDeployer.java:2,396)
  [7] org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer.createObjectsAndInjectValue(AbstractResourceAdapterDeployer.java:2,174)
  [8] org.jboss.jca.deployers.common.AbstractResourceAdapterDeployer.createObjectsAndInjectValue (AbstractResourceAdapterDeployer.java:1,097)
  [9] org.jboss.as.connector.services.resourceadapters.deployment.ResourceAdapterDeploymentService$AS7RaDeployer.doDeploy (ResourceAdapterDeploymentService.java:185)
  [10] org.jboss.as.connector.services.resourceadapters.deployment.ResourceAdapterDeploymentService.start (ResourceAdapterDeploymentService.java:101)
  [11] org.jboss.msc.service.ServiceControllerImpl$StartTask.startService (ServiceControllerImpl.java:1,811)
  [12] org.jboss.msc.service.ServiceControllerImpl$StartTask.run (ServiceControllerImpl.java:1,746)
  [13] java.util.concurrent.ThreadPoolExecutor$Worker.runTask (ThreadPoolExecutor.java:886)
  [14] java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:908)
  [15] java.lang.Thread.run (Thread.java:662)
MSC service thread 1-1[1]

Comment 3 baranowb 2013-03-15 14:44:19 UTC
I claim thee.

Comment 4 baranowb 2013-03-18 11:40:31 UTC
Ok. So, the attached RAR has the "recover" part commented out, so I assume that it's not about "recover" since the connection factory does not require the interface:

http://docs.jboss.org/ironjacamar/userguide/1.1/en-US/html_single/#deployingra_extensions (it's a bit vague so I'm not quite sure if I'm correct).

The attached RAR fails with the above exception ONLY if the security domain 'test' is not defined in the server xml conf under '...:domain:security:...'.
This seems to be intentional, if no SD is present in the server XML or any other XML (login-config.xml ?) this RAR should fail on deployment?

Comment 5 Hisanobu Okuda 2013-03-19 00:44:24 UTC
Hi Bartosz,

Since this is an issue on EAP6, I suppose you are referring to standalone.xml. Even if <security-domain name="test" cache-type="default"> is defined in standalone.xml, the exception is thrown at startup.

Comment 6 baranowb 2013-03-19 07:15:38 UTC
Hi Hisanobu, indeed - "standalone.xml" - I don't remember if I actually ran this against 6.0.1 or only against 6.1 and github master - however the recovery remained commented out. I will give it a go once more to be sure.

Comment 7 baranowb 2013-03-19 10:00:11 UTC
10:48:21,343 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-5) JBAS015876: Starting deployment of "jca-helloworld-rar-full-0.0.1-SNAPSHOT.rar"
10:48:21,586 INFO  [org.jboss.as.osgi] (MSC service thread 1-3) JBAS011907: Register module: Module "deployment.jca-helloworld-rar-full-0.0.1-SNAPSHOT.rar:main" from Service Module Loader
10:48:21,635 INFO  [org.jboss.as.connector.deployment] (MSC service thread 1-6) JBAS010406: Registered connection factory java:/eis/HelloWorld
10:48:21,725 INFO  [org.hibernate.validator.util.Version] (MSC service thread 1-6) Hibernate Validator 4.2.0.Final-redhat-2
10:48:21,774 INFO  [org.jboss.as.connector.deployers.RADeployer] (MSC service thread 1-6) IJ020002: Deployed: file:/home/baranowb/redhat/git/jboss-as-private/build/target/jboss-eap-6.0/standalone/tmp/vfs/tempc3544b20a7fc1c06/jca-helloworld-rar-full-0.0.1-SNAPSHOT.rar-54ee6dfcba5894e8/contents/
10:48:21,778 INFO  [org.jboss.as.connector.deployment] (MSC service thread 1-5) JBAS010401: Bound JCA ConnectionFactory [java:/eis/HelloWorld]
10:48:21,998 INFO  [org.jboss.as.server] (DeploymentScanner-threads - 2) JBAS018559: Deployed "jca-helloworld-rar-full-0.0.1-SNAPSHOT.rar"


This is the console output from the 6.0.1 branch.
To avoid the above exception:


                <security-domain name="test" cache-type="default">
                    <authentication>
                        <login-module code="ConfiguredIdentity" flag="required">
                            <module-option name="userName" value="baranowb"/>
                            <module-option name="password" value="1#qetuozcbm"/>
                            <module-option name="principal" value="ManagementRealm"/>
                        </login-module>
                    </authentication>
                </security-domain>

Comment 8 baranowb 2013-03-19 10:01:33 UTC
The test domain must be in standalone.xml -> domain:security subsystem.

Comment 9 baranowb 2013-03-19 10:13:19 UTC
Can you paste the security-domain which makes this deployment fail?

Comment 10 Hisanobu Okuda 2013-03-21 01:43:51 UTC
Here is my "test" security-domain:-

                <security-domain name="test" cache-type="default">
                    <authentication>
                        <login-module code="UsersRoles" flag="optional"/>
                    </authentication>
                </security-domain>

Comment 11 baranowb 2013-03-26 08:08:14 UTC
Just a note, the reproducer is broken, it has two jacamars descriptors, one in rar/META-INF, the second in rar/jar/META-INF

Comment 12 baranowb 2013-03-27 11:07:55 UTC
I've forged a test case: https://github.com/baranowb/jboss-as/tree/ironjacamar-test it fails due to a null principal.

pskopek: If I switch security-domain to security-domain-and-application it still fails.

I've debugged the test and talked with pskopek. However, I'm not sure I get it properly. This auth error happens when the pool is about to be filled with connections at deployment time (I think). However this is done when there is no valid principal in the SecurityContext.
When the RAR is deployed, the deployer requests a valid subject. The JBossSecuritySubjectFactory and JBossCachedAuthenticationManager depend on the SecurityContext to fetch the principal. The UsersRoles module then authenticates the principal against properties files.

This won't work, for such a case, the ConfiguredIdentity should be used.

Unless I'm missing something, the UsersRoles won't work. If there is more to this, could you share use case/deployment setup etc. ?

Comment 14 baranowb 2013-09-20 07:56:31 UTC
Won't fix. According to pskopek, unless there is context. Deployment time cannot be authenticated against a user principal, since it's deployment.
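The following is an added example, not part of the original bug report or of JBoss code. It is a pre-deployment check for the condition this thread converges on: a security domain named in ironjacamar.xml must exist in the server configuration and must be able to build a Subject with no caller principal. The function names, the sample XML and the rule that only ConfiguredIdentity qualifies are assumptions drawn from comments 4, 7, 10 and 12.

```python
import xml.etree.ElementTree as ET

# Assumption: ConfiguredIdentity is the only module treated as carrying its own
# identity, because it is the only one this thread shows deploying cleanly.
STATIC_IDENTITY_MODULES = {"ConfiguredIdentity"}
RAR_REF_TAGS = {"security-domain", "security-domain-and-application"}

def _local(tag):
    # Strip an XML namespace so the check also works on namespaced configs.
    return tag.rsplit("}", 1)[-1]

def defined_domains(server_xml):
    """Map each <security-domain name="..."> to its login-module codes."""
    found = {}
    for el in ET.fromstring(server_xml).iter():
        if _local(el.tag) == "security-domain" and el.get("name"):
            found[el.get("name")] = [m.get("code") for m in el.iter()
                                     if _local(m.tag) == "login-module"]
    return found

def referenced_domains(rar_xml):
    """Security domain names an ironjacamar.xml descriptor refers to."""
    return [el.text.strip() for el in ET.fromstring(rar_xml).iter()
            if _local(el.tag) in RAR_REF_TAGS and (el.text or "").strip()]

def check(rar_xml, server_xml):
    """Return (domain, problem) pairs expected to fail createSubject() at deploy."""
    defined, findings = defined_domains(server_xml), []
    for name in referenced_domains(rar_xml):
        if name not in defined:
            findings.append((name, "undefined"))
        elif not STATIC_IDENTITY_MODULES.intersection(defined[name]):
            findings.append((name, "no-static-identity"))
    return findings

# Constructed sample inputs; the namespace is a placeholder, module-options omitted.
SERVER = """<subsystem xmlns="urn:example:constructed"><security-domains>
  <security-domain name="test"><authentication>
    <login-module code="UsersRoles" flag="optional"/>
  </authentication></security-domain>
  <security-domain name="test-ci"><authentication>
    <login-module code="ConfiguredIdentity" flag="required"/>
  </authentication></security-domain>
</security-domains></subsystem>"""
RAR = ("<ironjacamar><connection-definitions><connection-definition>"
       "<security><security-domain>{}</security-domain></security>"
       "</connection-definition></connection-definitions></ironjacamar>")

if __name__ == "__main__":
    print([check(RAR.format(d), SERVER) for d in ("test", "test-ci", "missing")])
```

Extend STATIC_IDENTITY_MODULES only with login modules you have confirmed supply their own principal and credential on your server version.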