  1. JBoss Enterprise Application Platform
  2. JBEAP-11691

Revise client side Security::getProviders usage in Elytron


Details

    • Bug
    • Resolution: Obsolete
    • Major
    • None
    • 7.1.0.ER1
    • Security

    Description

      We hit an issue with PasswordFactory on the client side when WildflyElytronProvider is not used, because plain Security::getProviders is used in the implementation.

      Therefore I have checked the whole Elytron codebase, and these are the occurrences which are suspicious to me.

      Suspicious occurrences of Security::getProviders usage
      ./src/main/java/org/wildfly/security/password/PasswordFactory.java:        return getInstance(algorithm, Security::getProviders);
      ./src/main/java/org/wildfly/security/credential/Credential.java:        return verify(Security::getProviders, evidence);
      ./src/main/java/org/wildfly/security/credential/store/CredentialStore.java:        return getInstance(algorithm, Security::getProviders);
      ./src/main/java/org/wildfly/security/sasl/digest/DigestClientFactory.java:        providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/sasl/scram/ScramSaslClientFactory.java:        providers = Security::getProviders;
      

      These are often classes which occur on the server and the client side at the same time. I understand that on the server side Security::getProviders is OK, because the Elytron provider is registered globally by the subsystem. But my understanding is that this has to be changed to reflect the client side as well. That means being able to use providers from the service loader mechanism as well.

      Not sure occurrences of Security::getProviders usage
      ./src/main/java/org/wildfly/security/sasl/util/SaslFactories.java:    private static final SecurityProviderSaslClientFactory providerSaslClientFactory = new SecurityProviderSaslClientFactory(Security::getProviders);
      
      Full list of Security::getProviders usage
      [mchoma@localhost wildfly-elytron]$ grep -r "Security::getProviders" --include=*.java .
      ./src/main/java/org/wildfly/security/password/spec/BasicPasswordSpecEncoding.java:        return encode(password, Security::getProviders);
      ./src/main/java/org/wildfly/security/password/PasswordFactory.java:        return getInstance(algorithm, Security::getProviders);
      ./src/main/java/org/wildfly/security/ssl/SSLContextBuilder.java: *     <li>The provider supplier defaults to {@link Security#getProviders() Security::getProviders}</li>
      ./src/main/java/org/wildfly/security/ssl/SSLContextBuilder.java:    private Supplier<Provider[]> providerSupplier = Security::getProviders;
      ./src/main/java/org/wildfly/security/auth/realm/jdbc/JdbcSecurityRealmBuilder.java:    private Supplier<Provider[]> providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/auth/realm/KeyStoreBackedSecurityRealm.java:        this(keyStore, Security::getProviders);
      ./src/main/java/org/wildfly/security/auth/realm/LegacyPropertiesSecurityRealm.java:        private Supplier<Provider[]> providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/auth/realm/ldap/LdapSecurityRealmBuilder.java:    private Supplier<Provider[]> providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/auth/realm/SimpleMapBackedSecurityRealm.java:        this(rewriter, Security::getProviders);
      ./src/main/java/org/wildfly/security/auth/client/AuthenticationConfiguration.java:        this.providerSupplier = ProviderUtil.aggregate(new ServiceLoaderSupplier<>(Provider.class, AuthenticationConfiguration.class.getClassLoader()), Security::getProviders);
      ./src/main/java/org/wildfly/security/auth/client/AuthenticationConfiguration.java:        return providerSupplier == null ? Security::getProviders : providerSupplier;
      ./src/main/java/org/wildfly/security/auth/client/AuthenticationConfiguration.java:        return useProviders(ProviderUtil.aggregate(new ServiceLoaderSupplier<>(Provider.class, AuthenticationConfiguration.class.getClassLoader()), Security::getProviders));
      ./src/main/java/org/wildfly/security/auth/client/ElytronXmlParser.java:    private static final Supplier<Provider[]> DEFAULT_PROVIDER_SUPPLIER = ProviderUtil.aggregate(new ServiceLoaderSupplier<>(Provider.class, ElytronXmlParser.class.getClassLoader()), Security::getProviders);
      ./src/main/java/org/wildfly/security/auth/client/ElytronXmlParser.java:                        providerSupplier = providerSupplier == null ? Security::getProviders : ProviderUtil.aggregate(providerSupplier, Security::getProviders);
      ./src/main/java/org/wildfly/security/credential/Credential.java:        return verify(Security::getProviders, evidence);
      ./src/main/java/org/wildfly/security/credential/store/CredentialStore.java:        return getInstance(algorithm, Security::getProviders);
      ./src/main/java/org/wildfly/security/http/util/SecurityProviderServerMechanismFactory.java:        this(Security::getProviders);
      ./src/main/java/org/wildfly/security/http/impl/ServerMechanismFactoryImpl.java:        providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/sasl/util/SaslFactories.java:    private static final SecurityProviderSaslClientFactory providerSaslClientFactory = new SecurityProviderSaslClientFactory(Security::getProviders);
      ./src/main/java/org/wildfly/security/sasl/util/SaslFactories.java:    private static final SecurityProviderSaslServerFactory providerSaslServerFactory = new SecurityProviderSaslServerFactory(Security::getProviders);
      ./src/main/java/org/wildfly/security/sasl/util/SecurityProviderSaslClientFactory.java:        this(Security::getProviders);
      ./src/main/java/org/wildfly/security/sasl/util/SecurityProviderSaslServerFactory.java:        this(Security::getProviders);
      ./src/main/java/org/wildfly/security/sasl/otp/OTPSaslServerFactory.java:        providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/sasl/digest/DigestServerFactory.java:        providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/sasl/digest/DigestClientFactory.java:        providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/sasl/scram/ScramSaslServerFactory.java:        providers = Security::getProviders;
      ./src/main/java/org/wildfly/security/sasl/scram/ScramSaslClientFactory.java:        providers = Security::getProviders;
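
The difference between the two lookup paths in the listing above can be checked with a small client-side diagnostic. This is an added example, not code from the issue or from Elytron: `fromServiceLoader` and `aggregate` are hypothetical stand-ins for the `ServiceLoaderSupplier` and `ProviderUtil.aggregate` calls seen in `AuthenticationConfiguration`, and the default service type and algorithm (`PasswordFactory`, `clear`) are assumed sample values that can be overridden on the command line.

```java
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.ServiceLoader;
import java.util.function.Supplier;

public class ProviderLookupExample {
    // Hypothetical stand-in for ServiceLoaderSupplier: providers declared in
    // META-INF/services (or a module descriptor), installed globally or not.
    static Supplier<Provider[]> fromServiceLoader(ClassLoader cl) {
        return () -> {
            Map<String, Provider> found = new LinkedHashMap<>();
            for (Provider p : ServiceLoader.load(Provider.class, cl)) {
                found.putIfAbsent(p.getName(), p);
            }
            return found.values().toArray(new Provider[0]);
        };
    }

    // Hypothetical stand-in for ProviderUtil.aggregate: first supplier wins on name clashes.
    static Supplier<Provider[]> aggregate(Supplier<Provider[]> first, Supplier<Provider[]> second) {
        return () -> {
            Map<String, Provider> all = new LinkedHashMap<>();
            for (Provider p : first.get()) all.putIfAbsent(p.getName(), p);
            for (Provider p : second.get()) all.putIfAbsent(p.getName(), p);
            return all.values().toArray(new Provider[0]);
        };
    }

    // First provider in the supplied list that offers the service, or null if none does.
    static Provider find(Supplier<Provider[]> providers, String type, String algorithm) {
        for (Provider p : providers.get()) {
            if (p.getService(type, algorithm) != null) return p;
        }
        return null;
    }

    public static void main(String[] args) {
        Supplier<Provider[]> global = Security::getProviders;
        Supplier<Provider[]> clientSide =
            aggregate(fromServiceLoader(ProviderLookupExample.class.getClassLoader()), global);
        // Assumed sample service; pass another type and algorithm as arguments.
        String type = args.length > 0 ? args[0] : "PasswordFactory";
        String alg = args.length > 1 ? args[1] : "clear";
        System.out.println("Security::getProviders only: " + find(global, type, alg));
        System.out.println("service loader + global:     " + find(clientSide, type, alg));
    }
}
```

Run it with the client classpath under test. If the first line prints `null` and the second names a provider, the service is reachable only through the service loader, which is the situation the description reports for classes that default to `Security::getProviders`.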
      


            People

              rhn-support-ivassile Ilia Vassilev
              mchoma@redhat.com Martin Choma
              Darran Lofthouse