Bug 977417 - jboss-cli.sh allows creation of an invalid jsse element within a security-domain
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.0
Hardware: Unspecified Unspecified
Priority: unspecified Severity: unspecified
Target Milestone: ER3
Target Release: EAP 6.2.0
Assigned To: Emmanuel Hugonnet (ehsavoie)
QA Contact: Josef Cacek
Reported: 2013-06-24 09:54 EDT by Thomas Hauser
Modified: 2013-12-15 11:15 EST
Doc Type: Bug Fix
Last Closed: 2013-12-15 11:15:08 EST
Type: Bug


External Trackers:
JBoss Issue Tracker WFLY-1575 | Priority: Major | Status: Resolved | Last Updated: 2013-09-25 04:14:38 EDT
Summary: jboss-cli.sh allows creation of an invalid jsse element within a security-domain

Description Thomas Hauser 2013-06-24 09:54:45 EDT
Description of problem:
The jboss-cli.sh allows me to add a jsse definition which is not valid. Apparently you must have a keystore-password or truststore-password, but this restriction is not enforced in the cli. This puts the server into an unstartable state, as well.

Version-Release number of selected component (if applicable):
7.2.0.Final-redhat-8

How reproducible:
Always.

Steps to Reproduce:
1) Start the server in either standalone or domain mode (admin-only or normal):

2) Start the jboss-cli.sh session:
./jboss-cli.sh -c

3) Add a new security-domain definition:
Standalone:
/subsystem=security/security-domain=new:add()
Domain:
/profile=full/subsystem=security/security-domain=new:add()

4) Add a new jsse element to the new security-domain:
Standalone:
/subsystem=security/security-domain=new/jsse=classic:add()
Domain:
/profile=full/subsystem=security/security-domain=new/jsse=classic:add()

5) Observe command success:
{"outcome" => "success"}

6) Reload the server:
:reload

7) Observe the stacktrace upon the server's attempted reload:
http://pastebin.test.redhat.com/148589

8) The server is now in a state where it cannot start.

Actual results:
CLI allows me to add a jsse element with no contents. However, this results in a situation where the server cannot start.

Expected results:
If attributes are required, a command lacking them should not succeed.

Additional info:
This may not be a CLI issue per se, since looking at a bug like https://bugzilla.redhat.com/show_bug.cgi?id=900810 seems to indicate it may be a server side issue. However, I'd still like to draw attention to this situation.

Comment 1 Thomas Hauser 2013-06-24 09:56:43 EDT
See https://issues.jboss.org/browse/WFLY-1575

Comment 2 Alexey Loubyansky 2013-06-24 10:46:30 EDT
This is not a CLI issue, it's reflected by the CLI. It should be fixed in the Domain Management of Security. I guess it should be moved to Security.

Comment 4 Emmanuel Hugonnet (ehsavoie) 2013-08-14 05:38:43 EDT
After some discussions on IRC, it should be valid to have an empty JSSE element. Thus the issue is in the parser, which is more restrictive than the schema or the CLI.
Also, due to a refactoring of the SSL configuration in WildFly, this will not be pushed upstream.

Comment 5 Emmanuel Hugonnet (ehsavoie) 2013-09-05 09:36:36 EDT
https://github.com/jbossas/jboss-eap/pull/317

Comment 7 Ondrej Lukas 2013-09-25 04:14:30 EDT
Verified on 6.2.0.ER3
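
An added example, not part of the bug report or of the JBoss code base: a check to run on standalone.xml or domain.xml before a reload on an affected version, flagging every jsse element that carries neither of the two attributes named in the description. The sample XML, its namespace versions, the keystore values and the assumption that the empty resource is persisted as a bare `<jsse/>` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names taken from the bug description: the affected parser
# rejects a jsse element that has neither of them.
REQUIRED_ANY = ("keystore-password", "truststore-password")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_unparseable_jsse(xml_text):
    """Return (security-domain name, jsse attribute names) for every jsse
    element that has neither keystore-password nor truststore-password."""
    findings = []
    root = ET.fromstring(xml_text)
    for domain in root.iter():
        if local(domain.tag) != "security-domain":
            continue
        for child in domain:
            if local(child.tag) != "jsse":
                continue
            if not any(attr in child.attrib for attr in REQUIRED_ANY):
                findings.append((domain.get("name"), sorted(child.attrib)))
    return findings

# Constructed sample: trimmed configuration with one populated jsse element
# and the empty one produced by the CLI steps in the description (assumed
# to be written out as <jsse/>). Namespace versions are placeholders.
SAMPLE = """\
<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="other" cache-type="default">
          <jsse keystore-password="changeit" keystore-url="/path/to/keystore.jks"/>
        </security-domain>
        <security-domain name="new">
          <jsse/>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""

if __name__ == "__main__":
    for name, attrs in find_unparseable_jsse(SAMPLE):
        print(f"security-domain '{name}': jsse has no password attribute {attrs}")
```

Matching on local names keeps the check independent of the subsystem schema version, and the same function works on a domain.xml because it walks every profile.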
