  1. WildFly
  2. WFLY-8406

Referencing credential store from mail subsystem without alias results in returned password "undefined"

Details

    • Bug
    • Resolution: Done
    • Major
    • 11.0.0.Alpha1
    • None
    • Mail
    • None
    • Steps to reproduce:
      1. Start EAP
      2. deploy attached deployment
      3. create credentials store => /subsystem=elytron/credential-store=mail-credential-store:add(uri="cr-store://test/mail-credential-store?keyStoreType=JCEKS;modifiable=true;create=true", relative-to=jboss.server.data.dir, credential-reference={clear-text=clear-text-value-passdlfkj4})
      4. create mail session => /subsystem=mail/mail-session=aaa:add(jndi-name="java:jboss/mail/aaa")
      5. create mail server pointing to the credential reference without provided alias => /subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, credential-reference={store=mail-credential-store}, username=aaa)
      6. request password authentication on the mail session and check the password used; for this you can use the attached application and make a request, e.g. via curl => curl -i 'http://localhost:8080/mail_server_attributes/mailPassword.jsp?jndiName=java:jboss/mail/aaa&protocol=smtp'

      You should get no password => application returning FAIL, but instead you get "undefined"

    Description

      When using a credential-reference pointing only to the store without password, it results in the password "undefined" being used.

      As providing an incorrect password is very bad from a security point of view, marking as blocker for GA.
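
One way to catch the configuration from step 5 before it reaches a server, as an added example that is not part of the original report or of WildFly itself: it scans jboss-cli script lines for credential-reference maps that name a store but no alias. The second mail session (bbb), the alias name smtp-password, the placeholder clear-text value and the one-command-per-line layout are assumptions.

```python
import re

# credential-reference={...} attribute map as typed in a jboss-cli command
CRED_REF = re.compile(r"credential-reference\s*=\s*\{([^}]*)\}")

def parse_attrs(body):
    """Turn 'store=x, alias=y' into a dict (values containing ',' are not supported)."""
    attrs = {}
    for part in body.split(","):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip()] = value.strip().strip('"')
    return attrs

def audit_cli(lines):
    """Return (line_no, message) for every credential-reference that cannot
    identify exactly one secret: a store with no alias, or an alias with no store."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if line.lstrip().startswith("#"):  # skip CLI script comments
            continue
        for match in CRED_REF.finditer(line):
            attrs = parse_attrs(match.group(1))
            store, alias = attrs.get("store"), attrs.get("alias")
            if store and not alias:
                findings.append((line_no, f"store '{store}' referenced without alias"))
            elif alias and not store:
                findings.append((line_no, f"alias '{alias}' given without store"))
    return findings

# Constructed sample: the first three commands follow the steps in this report
# (clear-text value replaced by a placeholder); the fourth is a hypothetical
# corrected variant with an assumed alias name.
SAMPLE = [
    '/subsystem=elytron/credential-store=mail-credential-store:add('
    'uri="cr-store://test/mail-credential-store?keyStoreType=JCEKS;modifiable=true;create=true", '
    'relative-to=jboss.server.data.dir, credential-reference={clear-text=PLACEHOLDER})',
    '/subsystem=mail/mail-session=aaa:add(jndi-name="java:jboss/mail/aaa")',
    '/subsystem=mail/mail-session=aaa/server=smtp:add(outbound-socket-binding-ref=mail-smtp, '
    'credential-reference={store=mail-credential-store}, username=aaa)',
    '/subsystem=mail/mail-session=bbb/server=smtp:add(outbound-socket-binding-ref=mail-smtp, '
    'credential-reference={store=mail-credential-store, alias=smtp-password}, username=bbb)',
]

if __name__ == "__main__":
    for line_no, message in audit_cli(SAMPLE):
        print(f"line {line_no}: {message}")
```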

            People

              mstefank Martin Stefanko