cli/src/main/java/org/jboss/as/cli/embedded/ThreadLocalContextSelector.java

@@ -26,10 +26,14 @@
 import org.jboss.logmanager.LogContextSelector;
 import org.jboss.stdio.StdioContext;
 import org.jboss.stdio.StdioContextSelector;
+import org.wildfly.security.manager.WildFlySecurityManager;
 
 /**
  * {@link org.jboss.stdio.StdioContextSelector} and {@link org.jboss.logmanager.LogContextSelector}
  * that uses an {@link java.lang.InheritableThreadLocal} as a source of the contexts.
+ * <p>
+ * Note that if the logger is a CLI logger the default contexts will be used regardless of the thread-local contexts.
+ * </p>
  *
  * @author Brian Stansberry (c) 2015 Red Hat Inc.
  */
@@ -39,6 +43,7 @@
 
     private final Contexts localContexts;
     private final Contexts defaultContexts;
+    private final ClassLoader cliClassLoader;
 
     ThreadLocalContextSelector(Contexts local, Contexts defaults) {
         assert local != null;
@@ -48,6 +53,7 @@
         assert defaults.getLogContext() != null;
         this.localContexts = local;
         this.defaultContexts = defaults;
+        cliClassLoader = ThreadLocalContextSelector.class.getClassLoader();
     }
 
     Contexts pushLocal() {
@@ -62,13 +68,22 @@ void restore(Contexts toRestore) {
 
     @Override
     public StdioContext getStdioContext() {
+        // CLI loggers should only use the default stdio context regardless if the thread-local context is set.
+        if (WildFlySecurityManager.getCurrentContextClassLoaderPrivileged().equals(cliClassLoader)) {
+            return defaultContexts.getStdioContext();
+        }
         Contexts threadContext = threadLocal.get();
         StdioContext local = threadContext != null ? threadContext.getStdioContext() : null;
         return local == null ? defaultContexts.getStdioContext() : local;
     }
 
     @Override
     public LogContext getLogContext() {
+        // CLI loggers should only use the default stdio context regardless if the thread-local context is set This
+        // allows the context configured for CLI, e.g. jboss-cli-logging.properties.
+        if (WildFlySecurityManager.getCurrentContextClassLoaderPrivileged().equals(cliClassLoader)) {
+            return defaultContexts.getLogContext();
+        }
         Contexts threadContext = threadLocal.get();
         LogContext local = threadContext != null ? threadContext.getLogContext() : null;
         return local == null ? defaultContexts.getLogContext() : local;

controller/src/main/java/org/jboss/as/controller/OperationContextImpl.java

@@ -1499,7 +1499,7 @@ public void registerCapability(RuntimeCapability capability) {
         registerCapability(capability, activeStep, null);
     }
 
-    void registerCapability(RuntimeCapability capability, Step step, String attribute) {
+    void registerCapability(RuntimeCapability<?> capability, Step step, String attribute) {
         assert isControllingThread();
         assertStageModel(currentStage);
         ensureLocalCapabilityRegistry();
@@ -1614,7 +1614,7 @@ void removeCapability(String capabilityName, Step step) {
         CapabilityScope context = createCapabilityContext(step.address);
         RuntimeCapabilityRegistration capReg = managementModel.getCapabilityRegistry().removeCapability(capabilityName, context, step.address);
         if (capReg != null) {
-            RuntimeCapability capability = capReg.getCapability();
+            RuntimeCapability<?> capability = capReg.getCapability();
             for (String required : capability.getRequirements()) {
                 removeRequirement(required, context, step);
             }
@@ -1994,7 +1994,7 @@ private RuntimeRequirementRegistration createRequirementRegistration(String requ
         return new RuntimeRequirementRegistration(required, dependent, context, rp, runtimeOnly);
     }
 
-    private RuntimeCapabilityRegistration createCapabilityRegistration(RuntimeCapability capability, Step step, String attribute) {
+    private RuntimeCapabilityRegistration createCapabilityRegistration(RuntimeCapability<?> capability, Step step, String attribute) {
         CapabilityScope context = createCapabilityContext(step.address);
         RegistrationPoint rp = new RegistrationPoint(step.address, attribute);
         return new RuntimeCapabilityRegistration(capability, context, rp);

controller/src/main/java/org/jboss/as/controller/capability/RuntimeCapability.java

@@ -300,6 +300,46 @@ private ServiceName getServiceName() {
         return additionalPackages;
     }
 
+    @Override
+    public String getName() {
+        return super.getName();
+    }
+
+    @Override
+    public Set<String> getRequirements() {
+        return super.getRequirements();
+    }
+
+    @Override
+    public boolean isDynamicallyNamed() {
+        return super.isDynamicallyNamed();
+    }
+
+    @Override
+    public String getDynamicName(String dynamicNameElement) {
+        return super.getDynamicName(dynamicNameElement);
+    }
+
+    @Override
+    public String getDynamicName(PathAddress address) {
+        return super.getDynamicName(address);
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        return super.equals(o);
+    }
+
+    @Override
+    public int hashCode() {
+        return super.hashCode();
+    }
+
+    @Override
+    public String toString() {
+        return super.toString();
+    }
+
     /**
      * Builder for a {@link RuntimeCapability}.
      *

controller/src/main/java/org/jboss/as/controller/capability/registry/CapabilityRegistration.java

@@ -38,7 +38,7 @@
  *
  * @author Brian Stansberry (c) 2014 Red Hat Inc.
  */
-public class CapabilityRegistration<C extends Capability> implements Comparable<CapabilityRegistration> {
+public class CapabilityRegistration<C extends Capability> implements Comparable<CapabilityRegistration<C>> {
 
     private final Map<PathAddress, RegistrationPoint> registrationPoints = new LinkedHashMap<>();
     private final C capability;

controller/src/main/java/org/jboss/as/controller/capability/registry/RuntimeCapabilityRegistration.java

@@ -31,9 +31,9 @@
  *
  * @author Brian Stansberry (c) 2014 Red Hat Inc.
  */
-public class RuntimeCapabilityRegistration extends CapabilityRegistration<RuntimeCapability> {
+public class RuntimeCapabilityRegistration extends CapabilityRegistration<RuntimeCapability<?>> {
 
-    public RuntimeCapabilityRegistration(RuntimeCapability capability, CapabilityScope context, RegistrationPoint registrationPoint) {
+    public RuntimeCapabilityRegistration(RuntimeCapability<?> capability, CapabilityScope context, RegistrationPoint registrationPoint) {
         super(capability, context, registrationPoint);
     }
 

controller/src/main/java/org/jboss/as/controller/operations/global/ReadFeatureDescriptionHandler.java

@@ -814,8 +814,7 @@ private void addRequiredCapabilities(ModelNode feature,
                     }
                 }
                 // WFLY-4164 record the fixed requirements of the registration's capabilities
-                Set<RuntimeCapability> regCaps = registration.getCapabilities();
-                for (RuntimeCapability regCap : regCaps) {
+                for (RuntimeCapability<?> regCap : registration.getCapabilities()) {
                     for (String capReq : regCap.getRequirements()) {
                         if (!required.containsKey(capReq)) {
                             ModelNode capability = new ModelNode();

core-feature-pack/src/main/resources/modules/system/layers/base/sun/jdk/main/module.xml

@@ -43,6 +43,7 @@
                 <path name="com/sun/net/ssl/internal/ssl"/>
                 <path name="com/sun/crypto/provider"/>
                 <path name="sun/security/action"/>
+                <path name="sun/security/ssl"/>
                 <path name="sun/security/pkcs"/>
                 <path name="sun/security/x509"/>
                 <path name="sun/invoke"/>

elytron/src/main/java/org/wildfly/extension/elytron/SSLDefinitions.java

@@ -563,7 +563,7 @@ static ResourceDefinition getTrustManagerDefinition() {
                 ModelNode crlNode = CERTIFICATE_REVOCATION_LIST.resolveModelAttribute(context, model);
 
                 if (crlNode.isDefined()) {
-                    return createX509CRLExtendedTrustManager(serviceBuilder, context, algorithm, providerName, providersInjector, keyStoreInjector, crlNode);
+                    return createX509CRLExtendedTrustManager(serviceBuilder, context, algorithm, providerName, providersInjector, keyStoreInjector, crlNode, aliasFilter);
                 }
 
                 DelegatingTrustManager delegatingTrustManager = new DelegatingTrustManager();
@@ -601,7 +601,7 @@ static ResourceDefinition getTrustManagerDefinition() {
                 };
             }
 
-            private ValueSupplier<TrustManager> createX509CRLExtendedTrustManager(ServiceBuilder<TrustManager> serviceBuilder, OperationContext context, String algorithm, String providerName, InjectedValue<Provider[]> providersInjector, InjectedValue<KeyStore> keyStoreInjector, ModelNode crlNode) throws OperationFailedException {
+            private ValueSupplier<TrustManager> createX509CRLExtendedTrustManager(ServiceBuilder<TrustManager> serviceBuilder, OperationContext context, String algorithm, String providerName, InjectedValue<Provider[]> providersInjector, InjectedValue<KeyStore> keyStoreInjector, ModelNode crlNode, String aliasFilter) throws OperationFailedException {
                 String crlPath = PATH.resolveModelAttribute(context, crlNode).asStringOrNull();
                 String crlRelativeTo = RELATIVE_TO.resolveModelAttribute(context, crlNode).asStringOrNull();
                 int certPath = MAXIMUM_CERT_PATH.resolveModelAttribute(context, crlNode).asInt();
@@ -618,6 +618,14 @@ static ResourceDefinition getTrustManagerDefinition() {
                     TrustManagerFactory trustManagerFactory = createTrustManagerFactory(providersInjector.getOptionalValue(), providerName, algorithm);
                     KeyStore keyStore = keyStoreInjector.getOptionalValue();
 
+                    if (aliasFilter != null) {
+                        try {
+                            keyStore = FilteringKeyStore.filteringKeyStore(keyStore, AliasFilter.fromString(aliasFilter));
+                        } catch (Exception e) {
+                            throw new StartException(e);
+                        }
+                    }
+
                     if (crlPath != null) {
                         try {
                             X509CRLExtendedTrustManager trustManager = new X509CRLExtendedTrustManager(keyStore, trustManagerFactory, new FileInputStream(resolveFileLocation(crlPath, crlRelativeTo, pathManagerInjector)), certPath, null);

elytron/src/test/java/org/wildfly/extension/elytron/CertificateAuthoritiesTestCase.java

@@ -142,7 +142,12 @@ public Void run() {
 
     @Before
     public void init() throws Exception {
-        String subsystemXml = System.getProperty("java.vendor").startsWith("IBM") ? "tls-ibm.xml" : "tls-sun.xml";
+        String subsystemXml;
+        if (JdkUtils.isIbmJdk()) {
+            subsystemXml = "tls-ibm.xml";
+        } else {
+            subsystemXml = JdkUtils.getJavaSpecVersion() <= 12 ? "tls-sun.xml" : "tls-oracle13plus.xml";
+        }
         services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource(subsystemXml).build();
         if (!services.isSuccessfulBoot()) {
             Assert.fail(services.getBootError().toString());

elytron/src/test/java/org/wildfly/extension/elytron/JdkUtils.java

@@ -0,0 +1,39 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2019 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.wildfly.extension.elytron;
+
+/**
+ * @author <a href="mailto:ropalka@redhat.com">Richard Opalka</a>
+ */
+final class JdkUtils {
+
+    private static final String javaSpecVersion = System.getProperty("java.specification.version");
+    private static final String javaVendor = System.getProperty("java.vendor");
+
+    private JdkUtils() {}
+
+    static int getJavaSpecVersion() {
+        if ("1.8".equals(javaSpecVersion)) return 8;
+        return Integer.parseInt(javaSpecVersion);
+    }
+
+    static boolean isIbmJdk() {
+        return javaVendor.startsWith("IBM");
+    }
+
+}

elytron/src/test/java/org/wildfly/extension/elytron/KeyStoresTestCase.java

@@ -394,7 +394,12 @@ public Void run() {
 
     @Before
     public void init() throws Exception {
-        String subsystemXml = System.getProperty("java.vendor").startsWith("IBM") ? "tls-ibm.xml" : "tls-sun.xml";
+        String subsystemXml;
+        if (JdkUtils.isIbmJdk()) {
+            subsystemXml = "tls-ibm.xml";
+        } else {
+            subsystemXml = JdkUtils.getJavaSpecVersion() <= 12 ? "tls-sun.xml" : "tls-oracle13plus.xml";
+        }
         services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource(subsystemXml).build();
         if (!services.isSuccessfulBoot()) {
             Assert.fail(services.getBootError().toString());

elytron/src/test/java/org/wildfly/extension/elytron/TlsTestCase.java

@@ -302,7 +302,12 @@ public static void cleanUpTests() {
     @Before
     public void prepare() throws Throwable {
         if (services != null) return;
-        String subsystemXml = System.getProperty("java.vendor").startsWith("IBM") ? "tls-ibm.xml" : "tls-sun.xml";
+        String subsystemXml;
+        if (JdkUtils.isIbmJdk()) {
+            subsystemXml = "tls-ibm.xml";
+        } else {
+            subsystemXml = JdkUtils.getJavaSpecVersion() <= 12 ? "tls-sun.xml" : "tls-oracle13plus.xml";
+        }
         services = super.createKernelServicesBuilder(new TestEnvironment()).setSubsystemXmlResource(subsystemXml).build();
         if (!services.isSuccessfulBoot()) {
             Assert.fail(services.getBootError().toString());

elytron/src/test/resources/org/wildfly/extension/elytron/tls-oracle13plus.xml

@@ -0,0 +1,86 @@
+<!-- for needs of SaslTestCase and KeyStoresTestCase -->
+<subsystem xmlns="urn:wildfly:elytron:7.0" default-ssl-context="ClientSslContextNoAuth">
+    <providers>
+        <provider-loader name="ManagerProviderLoader" class-names="sun.security.ssl.SunJSSE"/>
+    </providers>
+    <security-domains>
+        <security-domain name="MyDomain" default-realm="FileRealm">
+            <realm name="FileRealm"/>
+        </security-domain>
+    </security-domains>
+    <security-realms>
+        <filesystem-realm name="FileRealm" levels="2">
+            <file path="filesystem-realm" relative-to="jboss.server.config.dir" />
+        </filesystem-realm>
+    </security-realms>
+    <credential-stores>
+        <credential-store name="test" location="target/tlstest.keystore">
+            <implementation-properties>
+                <property name="keyStoreType" value="JCEKS"/>
+            </implementation-properties>
+            <credential-reference clear-text="super_secret"/>
+        </credential-store>
+    </credential-stores>
+    <tls>
+        <key-stores>
+            <key-store name="FireflyKeystore" >
+                <credential-reference store="test" alias="master-password-alias"/>
+                <implementation type="JKS" />
+                <file path="firefly.keystore" relative-to="jboss.server.config.dir"/>
+            </key-store>
+            <key-store name="LocalhostKeystore" >
+                <credential-reference store="test" alias="master-password-alias"/>
+                <implementation type="JKS" />
+                <file path="localhost.keystore" relative-to="jboss.server.config.dir" required="true"/>
+            </key-store>
+            <key-store name="ElytronCaTruststore" >
+                <credential-reference clear-text="Elytron"/>
+                <implementation type="JKS" />
+                <file path="target/test-classes/org/wildfly/extension/elytron/ca.truststore"/>
+            </key-store>
+            <key-store name="NewKeyStore" >
+                <credential-reference clear-text="Elytron"/>
+                <implementation type="JKS" />
+                <file path="target/not-existing.keystore" required="false"/>
+            </key-store>
+            <key-store name="AutomaticKeystore" >
+                <credential-reference clear-text="Elytron"/>
+                <implementation/>
+                <file path="firefly.keystore" relative-to="jboss.server.config.dir"/>
+            </key-store>
+            <filtering-key-store name="FilteringKeyStore" key-store="FireflyKeystore" alias-filter="NONE:+firefly"/>
+        </key-stores>
+        <key-managers>
+            <key-manager name="ServerKeyManager" algorithm="SunX509" key-store="LocalhostKeystore" alias-filter="NONE:+localhost">
+                <credential-reference store="test" alias="the-key-alias"/>
+            </key-manager>
+            <key-manager name="ClientKeyManager" algorithm="SunX509" key-store="FireflyKeystore">
+                <credential-reference clear-text="Elytron"/>
+            </key-manager>
+            <key-manager name="MyKeyManager" algorithm="SunX509" key-store="FireflyKeystore" providers="ManagerProviderLoader" provider-name="SunJSSE">
+                <credential-reference store="test" alias="the-key-alias"/>
+            </key-manager>
+        </key-managers>
+        <trust-managers>
+            <trust-manager name="CaTrustManager" algorithm="SunX509" key-store="ElytronCaTruststore" alias-filter="NONE:+mykey"/>
+            <trust-manager name="MyTrustManager" algorithm="SunX509" key-store="ElytronCaTruststore" providers="ManagerProviderLoader" provider-name="SunJSSE"/>
+            <trust-manager name="ProviderTrustManager" algorithm="SunX509" key-store="ElytronCaTruststore" providers="ManagerProviderLoader" provider-name="SunJSSE"/>
+            <trust-manager name="trust-with-crl" algorithm="PKIX" key-store="ElytronCaTruststore">
+                <certificate-revocation-list path="crl.pem" relative-to="jboss.server.config.dir" maximum-cert-path="2"/>
+            </trust-manager>
+            <trust-manager name="trust-with-crl-dp" algorithm="PKIX" key-store="ElytronCaTruststore">
+                <certificate-revocation-list />
+            </trust-manager>
+        </trust-managers>
+        <server-ssl-contexts>
+            <server-ssl-context name="ServerSslContextNoAuth" key-manager="ServerKeyManager" trust-manager="CaTrustManager"/>
+            <server-ssl-context name="ServerSslContextAuth" protocols="TLSv1.3 TLSv1.2 TLSv1.1" key-manager="ServerKeyManager" trust-manager="CaTrustManager"
+                                want-client-auth="true" need-client-auth="true" authentication-optional="false" use-cipher-suites-order="false"
+                                providers="ManagerProviderLoader" provider-name="SunJSSE" session-timeout="321" maximum-session-cache-size="123"/>
+        </server-ssl-contexts>
+        <client-ssl-contexts>
+            <client-ssl-context name="ClientSslContextNoAuth" trust-manager="CaTrustManager" />
+            <client-ssl-context name="ClientSslContextAuth" protocols="SSLv2 SSLv3 TLSv1 TLSv1.3 TLSv1.2" key-manager="ClientKeyManager" trust-manager="CaTrustManager" providers="ManagerProviderLoader"/>
+        </client-ssl-contexts>
+    </tls>
+</subsystem>

logging/src/main/java/org/jboss/as/logging/KnownModelVersion.java

@@ -14,7 +14,8 @@
     VERSION_4_0_0(ModelVersion.create(4, 0, 0), false),
     VERSION_5_0_0(ModelVersion.create(5, 0, 0), true),
     VERSION_6_0_0(ModelVersion.create(6, 0, 0), true),
-    VERSION_7_0_0(ModelVersion.create(7, 0, 0), false),
+    VERSION_7_0_0(ModelVersion.create(7, 0, 0), true),
+    VERSION_8_0_0(ModelVersion.create(8, 0, 0), false),
     ;
     private final ModelVersion modelVersion;
     private final boolean hasTransformers;