From 14abc5539fa471c4b63c93b3e9b18c95515e77a4 Mon Sep 17 00:00:00 2001
From: Tomasz Adamski
Date: Fri, 17 Mar 2017 17:43:39 +0100
Subject: [PATCH 1/2] WFLY-8409 Do not stop IIOP from starting with invalid SSL configuration (backward compatibility)
---
 .../wildfly/iiop/openjdk/ConfigValidator.java | 37 +++++++++++++------
 .../iiop/openjdk/IIOPSubsystemAdd.java | 3 --
 .../iiop/openjdk/logging/IIOPLogger.java | 28 +++++++-------
 .../openjdk/security/NoSSLSocketFactory.java | 12 +++---
 4 files changed, 45 insertions(+), 35 deletions(-)
diff --git a/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/ConfigValidator.java b/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/ConfigValidator.java
index daa0abf9c226..2ae7be83925d 100644
--- a/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/ConfigValidator.java
+++ b/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/ConfigValidator.java
@@ -40,28 +40,43 @@ public static void validateConfig(final OperationContext context, final ModelNod
 final boolean serverRequiresSsl = IIOPRootDefinition.SERVER_REQUIRES_SSL.resolveModelAttribute(context, resourceModel).asBoolean();
 final boolean clientRequiresSsl = IIOPRootDefinition.CLIENT_REQUIRES_SSL.resolveModelAttribute(context, resourceModel).asBoolean();
- validateSSLConfig(context, resourceModel, supportSSL, serverRequiresSsl, clientRequiresSsl);
+ final boolean sslConfigured = isSSLConfigured(context, resourceModel);
+
+ validateSSLConfig(supportSSL, sslConfigured, serverRequiresSsl, clientRequiresSsl);
+ validateSSLSocketBinding(context, resourceModel, sslConfigured);
 validateIORTransportConfig(context, resourceModel, supportSSL, serverRequiresSsl);
 validateORBInitializerConfig(context, resourceModel);
 }
- private static void validateSSLConfig(final OperationContext context, final ModelNode model, final boolean supportSSL,
+ private static boolean isSSLConfigured(final OperationContext context, final ModelNode resourceModel) throws OperationFailedException {
+ final ModelNode securityDomainNode = IIOPRootDefinition.SECURITY_DOMAIN.resolveModelAttribute(context, resourceModel);
+ final ModelNode serverSSLContextNode = IIOPRootDefinition.SERVER_SSL_CONTEXT.resolveModelAttribute(context, resourceModel);
+ final ModelNode clientSSLContextNode = IIOPRootDefinition.CLIENT_SSL_CONTEXT.resolveModelAttribute(context, resourceModel);
+ if (!securityDomainNode.isDefined() && (!serverSSLContextNode.isDefined() || !clientSSLContextNode.isDefined())){
+ return false;
+ } else {
+ return true;
+ }
+ }
+
+ private static void validateSSLConfig(final boolean supportSSL, final boolean sslConfigured,
 final boolean serverRequiresSsl, final boolean clientRequiresSsl) throws OperationFailedException {
- if (supportSSL) {
- // if SSL is to be used, then either a JSSE domain or a pair of client/server SSL contexts must be defined. 
- final ModelNode securityDomainNode = IIOPRootDefinition.SECURITY_DOMAIN.resolveModelAttribute(context, model);
- final ModelNode serverSSLContextNode = IIOPRootDefinition.SERVER_SSL_CONTEXT.resolveModelAttribute(context, model);
- final ModelNode clientSSLContextNode = IIOPRootDefinition.CLIENT_SSL_CONTEXT.resolveModelAttribute(context, model);
- if (!securityDomainNode.isDefined() && (!serverSSLContextNode.isDefined() || !clientSSLContextNode.isDefined())) {
- throw IIOPLogger.ROOT_LOGGER.noSecurityDomainOrSSLContextsSpecified();
- }
- } else if(serverRequiresSsl || clientRequiresSsl) {
+ if (supportSSL && !sslConfigured) {
+ throw IIOPLogger.ROOT_LOGGER.noSecurityDomainOrSSLContextsSpecified();
+ } else if (serverRequiresSsl || clientRequiresSsl) {
 // if either the server or the client requires SSL, then SSL support must have been enabled.
 throw IIOPLogger.ROOT_LOGGER.sslNotConfigured();
 }
 }
+ private static void validateSSLSocketBinding(final OperationContext context, final ModelNode resourceModel, final boolean sslConfigured) throws OperationFailedException{
+ ModelNode sslSocketBinding = IIOPRootDefinition.SSL_SOCKET_BINDING.resolveModelAttribute(context, resourceModel);
+ if(sslSocketBinding.isDefined() && !sslConfigured){
+ IIOPLogger.ROOT_LOGGER.sslPortWithoutSslConfiguration();
+ }
+ }
+
 private static void validateIORTransportConfig(final OperationContext context, final ModelNode resourceModel, final boolean sslConfigured, final boolean serverRequiresSsl) throws OperationFailedException {
 validateSSLAttribute(context, resourceModel, sslConfigured, serverRequiresSsl, IIOPRootDefinition.INTEGRITY);
diff --git a/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPSubsystemAdd.java b/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPSubsystemAdd.java
index d8c5c0e311b0..c955ac2bc8e5 100644
--- a/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPSubsystemAdd.java
+++ b/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/IIOPSubsystemAdd.java 
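Review bot: The rewritten `validateSSLConfig` rejects a valid configuration: with `support-ssl` enabled and a security domain or an SSL-context pair defined, `supportSSL && !sslConfigured` is false, so control falls into `else if (serverRequiresSsl || clientRequiresSsl)` and `sslNotConfigured()` is thrown even though SSL is fully set up. The removed code reached that branch only when `supportSSL` was false, so the condition needs to stay explicit, `} else if (!supportSSL && (serverRequiresSsl || clientRequiresSsl)) {`. `isSSLConfigured` can also drop the if/else and return the expression directly, `return securityDomainNode.isDefined() || (serverSSLContextNode.isDefined() && clientSSLContextNode.isDefined());`. Both `validateConfig` and `validateIORTransportConfig` extend outside the hunk.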
@@ -203,9 +203,6 @@ public void execute(DeploymentProcessorTarget processorTarget) {
 String sslSocketBinding = props.getProperty(Constants.ORB_SSL_SOCKET_BINDING);
 if(sslSocketBinding != null) {
- if (!sslConfigured) {
- throw IIOPLogger.ROOT_LOGGER.sslPortWithoutSslConfiguration();
- }
 builder.addDependency(SocketBinding.JBOSS_BINDING_NAME.append(sslSocketBinding), SocketBinding.class, orbService.getIIOPSSLSocketBindingInjector());
 }
diff --git a/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/logging/IIOPLogger.java b/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/logging/IIOPLogger.java
index ccef3eeaebe4..8b9e66590c49 100644
--- a/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/logging/IIOPLogger.java
+++ b/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/logging/IIOPLogger.java
@@ -22,17 +22,6 @@
 package org.wildfly.iiop.openjdk.logging;
-import static org.jboss.logging.Logger.Level.ERROR;
-import static org.jboss.logging.Logger.Level.INFO;
-import static org.jboss.logging.Logger.Level.WARN;
-
-import java.io.IOException;
-import java.net.MalformedURLException;
-
-import javax.naming.ConfigurationException;
-import javax.naming.InvalidNameException;
-import javax.naming.NamingException;
-
 import org.jboss.as.controller.OperationFailedException;
 import org.jboss.logging.BasicLogger;
 import org.jboss.logging.Logger;
@@ -43,7 +32,6 @@
 import org.jboss.logging.annotations.Param;
 import org.jboss.msc.service.StartException;
 import org.omg.CORBA.BAD_INV_ORDER;
-import org.omg.CORBA.COMM_FAILURE;
 import org.omg.CORBA.CompletionStatus;
 import org.omg.CORBA.INTERNAL;
 import org.omg.CORBA.MARSHAL; 
@@ -51,6 +39,14 @@
 import org.wildfly.iiop.openjdk.rmi.RMIIIOPViolationException;
 import org.wildfly.iiop.openjdk.rmi.ir.IRConstructionException;
+import javax.naming.ConfigurationException;
+import javax.naming.InvalidNameException;
+import javax.naming.NamingException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+
+import static org.jboss.logging.Logger.Level.*;
+
 /**
 * @author James R. Perkins
 * @author Stefan Guilhen
@@ -399,14 +395,16 @@ public interface IIOPLogger extends BasicLogger {
 @Message(id = 108, value = "Security attribute server-requires-ssl is not supported in previous iiop-openjdk versions and can't be converted")
 String serverRequiresSslNotSupportedInPreviousVersions();
+ @LogMessage(level = WARN)
 @Message(id = 109, value = "SSL socket is required by server but secure connections have not been configured")
- COMM_FAILURE cannotCreateSSLSocket();
+ void cannotCreateSSLSocket();
 @Message(id = 110, value = "Client requires SSL but server does not support it")
 IllegalStateException serverDoesNotSupportSsl();
- @Message(id = 111, value = "SSL has not been configured but ssl-port property has been specified")
- OperationFailedException sslPortWithoutSslConfiguration();
+ @LogMessage(level = WARN)
+ @Message(id = 111, value = "SSL has not been configured but ssl-port property has been specified - the connection will use clear-text protocol")
+ void sslPortWithoutSslConfiguration();
 @Message(id = 112, value = "Security initializer was set to 'elytron' but no authentication-context has been specified")
 OperationFailedException elytronInitializerMissingAuthContext();
diff --git a/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/security/NoSSLSocketFactory.java b/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/security/NoSSLSocketFactory.java
index 4bd72e8e2ad8..9ce4dedd7c46 100644
--- a/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/security/NoSSLSocketFactory.java 
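Review bot: The re-added import block swaps the three explicit `Level.ERROR`/`INFO`/`WARN` static imports for `import static org.jboss.logging.Logger.Level.*;` and places the `javax`/`java` imports after the `org` group, the reverse of the layout the block removed in the hunk at line 22 had. Nothing in this change uses a `Level` constant that was not already imported (only `WARN` is referenced in the new `@LogMessage` annotations), so the explicit lines, `import static org.jboss.logging.Logger.Level.ERROR;` together with `INFO` and `WARN`, can be restored in their original position; that also avoids tripping a no-star-import checkstyle rule if the build enforces one.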
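Review bot: Message 109 still reads as a hard failure although `cannotCreateSSLSocket()` is now a `void` WARN log and, per the socket-factory hunk, the caller goes on to open a plain socket; only message 111 tells the operator that clear text will be used. State the consequence in 109 as well, `@Message(id = 109, value = "SSL socket is required by server but secure connections have not been configured - the connection will use clear-text protocol")`, so a log reader can tell that the endpoint is unencrypted rather than that a connection was refused. Turning a `COMM_FAILURE`-returning method into `void` also changes the signature of a public interface method; the only caller visible in this diff is `NoSSLSocketFactory`, so any other user of `cannotCreateSSLSocket()` should be checked outside the hunk.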
+++ b/iiop-openjdk/src/main/java/org/wildfly/iiop/openjdk/security/NoSSLSocketFactory.java
@@ -43,20 +43,20 @@ public class NoSSLSocketFactory extends SocketFactoryBase {
 @Override
 public ServerSocket createServerSocket(String type, InetSocketAddress inetSocketAddress) throws IOException {
+ //we can only warn here because of backward compatibility
 if (type.equals(Constants.SSL_SOCKET_TYPE)) {
- throw IIOPLogger.ROOT_LOGGER.cannotCreateSSLSocket();
- } else {
- return super.createServerSocket(type, inetSocketAddress);
+ IIOPLogger.ROOT_LOGGER.cannotCreateSSLSocket();
 }
+ return super.createServerSocket(type, inetSocketAddress);
 }
 @Override
 public Socket createSocket(String type, InetSocketAddress inetSocketAddress) throws IOException {
+ //we can only warn here because of backward compatibility
 if (type.contains(Constants.SSL_SOCKET_TYPE)){
- throw IIOPLogger.ROOT_LOGGER.cannotCreateSSLSocket();
- } else {
- return super.createSocket(type, inetSocketAddress);
+ IIOPLogger.ROOT_LOGGER.cannotCreateSSLSocket();
 }
+ return super.createSocket(type, inetSocketAddress);
 }
 }
From b32c53f7b3ecdb27fdce1ffcc22edadc1137886a Mon Sep 17 00:00:00 2001
From: Tomasz Adamski
Date: Wed, 19 Apr 2017 23:17:43 +0200
Subject: [PATCH 2/2] WFLY-8409 IIOPSubsystemTestCase: standard config quickfix
---
 .../test/resources/org/wildfly/iiop/openjdk/subsystem-3.0.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/iiop-openjdk/src/test/resources/org/wildfly/iiop/openjdk/subsystem-3.0.xml b/iiop-openjdk/src/test/resources/org/wildfly/iiop/openjdk/subsystem-3.0.xml
index c9cc956810ce..e27c4fb5514c 100644
--- a/iiop-openjdk/src/test/resources/org/wildfly/iiop/openjdk/subsystem-3.0.xml
+++ b/iiop-openjdk/src/test/resources/org/wildfly/iiop/openjdk/subsystem-3.0.xml
@@ -7,7 +7,7 @@
-
+
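Review bot: After this change a request for `Constants.SSL_SOCKET_TYPE` yields a plain `ServerSocket`/`Socket` from `super`, so the port that `ssl-port` advertises as TLS is served in clear text and the only trace is a WARN line; because the warning sits inside `createServerSocket` and `createSocket`, it is presumably emitted again on every listener and every outbound connection for which an SSL type is requested. The comment `//we can only warn here because of backward compatibility` describes what is not done rather than what happens; replace it in both methods with `// Backward compatibility: an SSL socket type without SSL configuration falls back to a plain socket; the WARN entry is the only sign that this endpoint is clear-text.` Logging once per factory instance (a `volatile boolean` flag checked before `cannotCreateSSLSocket()`) would keep the log readable without hiding the fallback. The class header and the `SocketFactoryBase` methods being delegated to are outside the hunk.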