Merge pull request #9835 from tadamski/WFLY-8409-ladybird

WFLY-8409 Do not stop IIOP from starting with invalid SSL configurati…

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/ConfigValidator.java

@@ -40,28 +40,43 @@ public static void validateConfig(final OperationContext context, final ModelNod
         final boolean serverRequiresSsl = IIOPRootDefinition.SERVER_REQUIRES_SSL.resolveModelAttribute(context, resourceModel).asBoolean();
         final boolean clientRequiresSsl = IIOPRootDefinition.CLIENT_REQUIRES_SSL.resolveModelAttribute(context, resourceModel).asBoolean();
 
-        validateSSLConfig(context, resourceModel, supportSSL, serverRequiresSsl, clientRequiresSsl);
+        final boolean sslConfigured = isSSLConfigured(context, resourceModel);
+
+        validateSSLConfig(supportSSL, sslConfigured, serverRequiresSsl, clientRequiresSsl);
+        validateSSLSocketBinding(context, resourceModel, sslConfigured);
         validateIORTransportConfig(context, resourceModel, supportSSL, serverRequiresSsl);
         validateORBInitializerConfig(context, resourceModel);
     }
 
-    private static void validateSSLConfig(final OperationContext context, final ModelNode model, final boolean supportSSL,
+    private static boolean isSSLConfigured(final OperationContext context, final ModelNode resourceModel) throws OperationFailedException {
+        final ModelNode securityDomainNode = IIOPRootDefinition.SECURITY_DOMAIN.resolveModelAttribute(context, resourceModel);
+        final ModelNode serverSSLContextNode = IIOPRootDefinition.SERVER_SSL_CONTEXT.resolveModelAttribute(context, resourceModel);
+        final ModelNode clientSSLContextNode = IIOPRootDefinition.CLIENT_SSL_CONTEXT.resolveModelAttribute(context, resourceModel);
+        if (!securityDomainNode.isDefined() && (!serverSSLContextNode.isDefined() || !clientSSLContextNode.isDefined())){
+            return false;
+        } else {
+            return true;
+        }
+    }
+
+    private static void validateSSLConfig(final boolean supportSSL, final boolean sslConfigured,
                                           final boolean serverRequiresSsl, final boolean clientRequiresSsl) throws OperationFailedException {
 
-        if (supportSSL) {
-            // if SSL is to be used, then either a JSSE domain or a pair of client/server SSL contexts must be defined.
-            final ModelNode securityDomainNode = IIOPRootDefinition.SECURITY_DOMAIN.resolveModelAttribute(context, model);
-            final ModelNode serverSSLContextNode = IIOPRootDefinition.SERVER_SSL_CONTEXT.resolveModelAttribute(context, model);
-            final ModelNode clientSSLContextNode = IIOPRootDefinition.CLIENT_SSL_CONTEXT.resolveModelAttribute(context, model);
-            if (!securityDomainNode.isDefined() && (!serverSSLContextNode.isDefined() || !clientSSLContextNode.isDefined())) {
-                throw IIOPLogger.ROOT_LOGGER.noSecurityDomainOrSSLContextsSpecified();
-            }
-        } else if(serverRequiresSsl || clientRequiresSsl) {
+        if (supportSSL && !sslConfigured) {
+            throw IIOPLogger.ROOT_LOGGER.noSecurityDomainOrSSLContextsSpecified();
+        } else if (serverRequiresSsl || clientRequiresSsl) {
             // if either the server or the client requires SSL, then SSL support must have been enabled.
             throw IIOPLogger.ROOT_LOGGER.sslNotConfigured();
         }
     }
 
+    private static void validateSSLSocketBinding(final OperationContext context, final ModelNode resourceModel, final boolean sslConfigured) throws OperationFailedException{
+        ModelNode sslSocketBinding = IIOPRootDefinition.SSL_SOCKET_BINDING.resolveModelAttribute(context, resourceModel);
+        if(sslSocketBinding.isDefined() && !sslConfigured){
+            IIOPLogger.ROOT_LOGGER.sslPortWithoutSslConfiguration();
+        }
+    }
+
     private static void validateIORTransportConfig(final OperationContext context, final ModelNode resourceModel, final boolean sslConfigured,
                                                    final boolean serverRequiresSsl) throws OperationFailedException {
         validateSSLAttribute(context, resourceModel, sslConfigured, serverRequiresSsl, IIOPRootDefinition.INTEGRITY);

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPSubsystemAdd.java

@@ -203,9 +203,6 @@ public void execute(DeploymentProcessorTarget processorTarget) {
 
         String sslSocketBinding = props.getProperty(Constants.ORB_SSL_SOCKET_BINDING);
         if(sslSocketBinding != null) {
-            if (!sslConfigured) {
-                throw IIOPLogger.ROOT_LOGGER.sslPortWithoutSslConfiguration();
-            }
             builder.addDependency(SocketBinding.JBOSS_BINDING_NAME.append(sslSocketBinding), SocketBinding.class,
                     orbService.getIIOPSSLSocketBindingInjector());
         }

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/logging/IIOPLogger.java

@@ -22,17 +22,6 @@
 
 package org.wildfly.iiop.openjdk.logging;
 
-import static org.jboss.logging.Logger.Level.ERROR;
-import static org.jboss.logging.Logger.Level.INFO;
-import static org.jboss.logging.Logger.Level.WARN;
-
-import java.io.IOException;
-import java.net.MalformedURLException;
-
-import javax.naming.ConfigurationException;
-import javax.naming.InvalidNameException;
-import javax.naming.NamingException;
-
 import org.jboss.as.controller.OperationFailedException;
 import org.jboss.logging.BasicLogger;
 import org.jboss.logging.Logger;
@@ -43,14 +32,21 @@
 import org.jboss.logging.annotations.Param;
 import org.jboss.msc.service.StartException;
 import org.omg.CORBA.BAD_INV_ORDER;
-import org.omg.CORBA.COMM_FAILURE;
 import org.omg.CORBA.CompletionStatus;
 import org.omg.CORBA.INTERNAL;
 import org.omg.CORBA.MARSHAL;
 import org.omg.CORBA.NO_PERMISSION;
 import org.wildfly.iiop.openjdk.rmi.RMIIIOPViolationException;
 import org.wildfly.iiop.openjdk.rmi.ir.IRConstructionException;
 
+import javax.naming.ConfigurationException;
+import javax.naming.InvalidNameException;
+import javax.naming.NamingException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+
+import static org.jboss.logging.Logger.Level.*;
+
 /**
  * @author <a href="mailto:jperkins@redhat.com">James R. Perkins</a>
  * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
@@ -399,14 +395,16 @@ public interface IIOPLogger extends BasicLogger {
     @Message(id = 108, value = "Security attribute server-requires-ssl is not supported in previous iiop-openjdk versions and can't be converted")
     String serverRequiresSslNotSupportedInPreviousVersions();
 
+    @LogMessage(level = WARN)
     @Message(id = 109, value = "SSL socket is required by server but secure connections have not been configured")
-    COMM_FAILURE cannotCreateSSLSocket();
+    void cannotCreateSSLSocket();
 
     @Message(id = 110, value = "Client requires SSL but server does not support it")
     IllegalStateException serverDoesNotSupportSsl();
 
-    @Message(id = 111, value = "SSL has not been configured but ssl-port property has been specified")
-    OperationFailedException sslPortWithoutSslConfiguration();
+    @LogMessage(level = WARN)
+    @Message(id = 111, value = "SSL has not been configured but ssl-port property has been specified - the connection will use clear-text protocol")
+    void sslPortWithoutSslConfiguration();
 
     @Message(id = 112, value = "Security initializer was set to 'elytron' but no authentication-context has been specified")
     OperationFailedException elytronInitializerMissingAuthContext();

iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/security/NoSSLSocketFactory.java

@@ -43,20 +43,20 @@ public class NoSSLSocketFactory extends SocketFactoryBase {
 
     @Override
     public ServerSocket createServerSocket(String type, InetSocketAddress inetSocketAddress) throws IOException {
+        //we can only warn here because of backward compatibility
         if (type.equals(Constants.SSL_SOCKET_TYPE)) {
-            throw IIOPLogger.ROOT_LOGGER.cannotCreateSSLSocket();
-        } else {
-            return super.createServerSocket(type, inetSocketAddress);
+            IIOPLogger.ROOT_LOGGER.cannotCreateSSLSocket();
         }
+        return super.createServerSocket(type, inetSocketAddress);
     }
 
     @Override
     public Socket createSocket(String type, InetSocketAddress inetSocketAddress) throws IOException {
+        //we can only warn here because of backward compatibility
         if (type.contains(Constants.SSL_SOCKET_TYPE)){
-            throw IIOPLogger.ROOT_LOGGER.cannotCreateSSLSocket();
-        } else {
-            return super.createSocket(type, inetSocketAddress);
+            IIOPLogger.ROOT_LOGGER.cannotCreateSSLSocket();
         }
+        return super.createSocket(type, inetSocketAddress);
     }
 
 }

iiop-openjdk/src/test/resources/org/wildfly/iiop/openjdk/subsystem-3.0.xml

@@ -7,7 +7,7 @@
     <tcp high-water-mark="500" number-to-reclaim="30"/>
     <initializers security="elytron" authentication-context="iiop" transactions="spec"/>
     <naming root-context="JBoss/Naming/root2" export-corbaloc="false"/>
-    <security support-ssl="true" security-domain="domain" add-component-via-interceptor="false" client-requires-ssl="false" server-requires-ssl="true"/>
+    <security support-ssl="true" security-domain="domain" add-component-via-interceptor="false" client-requires-ssl="false" server-requires-ssl="false"/>
     <transport-config integrity="required" confidentiality="required" detect-replay="supported"
                       detect-misordering="supported"
                       trust-in-client="required" trust-in-target="supported"/>