Bug 977417 - jboss-cli.sh allows creation of an invalid jsse element within a security-domain
Summary: jboss-cli.sh allows creation of an invalid jsse element within a security-domain
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ER3
Target Release: EAP 6.2.0
Assignee: Emmanuel Hugonnet (ehsavoie)
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-06-24 13:54 UTC by Thomas Hauser
Modified: 2013-12-15 16:15 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-15 16:15:08 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker WFLY-1575 0 Major Resolved jboss-cli.sh allows creation of an invalid jsse element within a security-domain 2013-09-25 08:14:38 UTC

Description Thomas Hauser 2013-06-24 13:54:45 UTC
Description of problem:
The jboss-cli.sh allows me to add a jsse definition which is not valid. Apparently you must have a keystore-password or truststore-password, but this restriction is not enforced in the cli. This puts the server into an unstartable state, as well.

Version-Release number of selected component (if applicable):
7.2.0.Final-redhat-8

How reproducible:
Always.

Steps to Reproduce:
1) Start the server in either standalone or domain mode (admin-only or normal):

2) Start the jboss-cli.sh session:
./jboss-cli.sh -c

3) Add a new security-domain definition:
Standalone:
/subsystem=security/security-domain=new:add()
Domain:
/profile=full/subsystem=security/security-domain=new:add()

4) Add a new jsse element to the new security-domain:
Standalone:
/subsystem=security/security-domain=new/jsse=classic:add()
Domain:
/profile=full/subsystem=security/security-domain=new/jsse=classic:add()

5) Observe command success:
{"outcome" => "success"}

6) Reload the server:
:reload

7) Observe the stacktrace upon the server's attempted reload:
http://pastebin.test.redhat.com/148589

8) The server is now in a state where it cannot start.

Actual results:
CLI allows me to add a jsse element with no contents. However, this results in a situation where the server cannot start.

Expected results:
If attributes are required, a command lacking them should not succeed.

Additional info:
This may not be a CLI issue per se, since looking at a bug like https://bugzilla.redhat.com/show_bug.cgi?id=900810 seems to indicate it may be a server side issue. However, I'd still like to draw attention to this situation.

Comment 1 Thomas Hauser 2013-06-24 13:56:43 UTC
See https://issues.jboss.org/browse/WFLY-1575

Comment 2 Alexey Loubyansky 2013-06-24 14:46:30 UTC
This is not a CLI issue, it's reflected by the CLI. It should be fixed in the Domain Management of Security. I guess, it should be moved to Security.

Comment 4 Emmanuel Hugonnet (ehsavoie) 2013-08-14 09:38:43 UTC
After some discussions on IRC, it should be valid to have an empty JSSE element. Thus the issue is in the parser that is more restrictive than the schema or the cli.
Also, due to a refactoring of the SSL Configuration in WildFly, this will not be pushed to upstream.

Comment 5 Emmanuel Hugonnet (ehsavoie) 2013-09-05 13:36:36 UTC
https://github.com/jbossas/jboss-eap/pull/317

Comment 7 Ondrej Lukas 2013-09-25 08:14:30 UTC
Verified on 6.2.0.ER3
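
Added example, not part of the bug report or of the EAP code base: a pre-reload check that scans a server configuration for the state the description reports as unstartable, a jsse element carrying neither keystore-password nor truststore-password. The sample XML, its namespace URIs and the names find_empty_jsse, local_name and PASSWORD_ATTRS are constructed for illustration; the rule checked is the one stated by the reporter.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a standalone.xml security subsystem.
# Namespace URIs and attribute values are illustrative assumptions.
SAMPLE_CONFIG = """\
<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="new">
          <jsse/>
        </security-domain>
        <security-domain name="tls">
          <jsse keystore-password="constructed" keystore-url="file:///example/ks.jks"/>
        </security-domain>
        <security-domain name="trust-only">
          <jsse truststore-password="constructed" truststore-url="file:///example/ts.jks"/>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""

# Per the report, the affected parser wants at least one of these on <jsse>.
PASSWORD_ATTRS = ("keystore-password", "truststore-password")

def local_name(tag):
    """Strip the '{namespace}' prefix so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]

def find_empty_jsse(xml_text):
    """Return names of security-domains whose <jsse> lacks both password attributes."""
    flagged = []
    for domain in ET.fromstring(xml_text).iter():
        if local_name(domain.tag) != "security-domain":
            continue
        for child in domain:
            if local_name(child.tag) != "jsse":
                continue
            # A missing or empty attribute both count as "not set".
            if not any(child.get(attr) for attr in PASSWORD_ATTRS):
                flagged.append(domain.get("name"))
    return flagged

if __name__ == "__main__":
    for name in find_empty_jsse(SAMPLE_CONFIG):
        print(f"security-domain {name!r}: jsse has no keystore or truststore password")
```

Run against the persisted configuration after CLI changes and before `:reload`, this reports the domain to fix while the server is still running.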

