JBoss authentication using masked credential-reference silently fails after some application functions are executed

Solution Verified - Updated -

Issue

  • After a fresh restart, JBoss authentication using a masked value works fine and continues to work fine until certain functionality in our application is executed. After that, authentication silently fails constantly until JBoss is restarted again. For instance, our LDAP password is masked, so LDAP cannot authenticate any request anymore at this point, but using a clear-text password instead of the masked value avoids the issue:

        <dir-context name="ldap_connection" url="ldaps://ip:port" principal="value" referral-mode="follow" ssl-context="ldaps-context">
            <credential-reference clear-text="MASK-value"/>
        </dir-context>

  • With an attempted reload via CLI, we see it fails with the following BadPaddingException trying to unmask a password:
ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.key-store.applicationKS: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.applicationKS: WFLYELY00004: Unable to start the service.
    at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:200)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at org.jboss.as.controller.security.CredentialReference$MaskCredentialSource.getCredential(CredentialReference.java:814)
    at org.wildfly.security.credential.source.CredentialSource.getCredential(CredentialSource.java:133)
    at org.wildfly.extension.elytron.KeyStoreService.resolvePassword(KeyStoreService.java:346)
    at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:154)
    ... 8 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
    at com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
    at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:432)
    at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
    at javax.crypto.Cipher.doFinal(Cipher.java:2168)
    at org.wildfly.security.util.PasswordBasedEncryptionUtil.decrypt(PasswordBasedEncryptionUtil.java:173)
    at org.wildfly.security.util.PasswordBasedEncryptionUtil.decodeAndDecrypt(PasswordBasedEncryptionUtil.java:102)
    at org.jboss.as.controller.security.CredentialReference$MaskCredentialSource.getCredential(CredentialReference.java:812)
    ... 11 more
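
The innermost frames of the trace show the masked value being decrypted with PBEWithMD5AndDES and failing the padding check. The following standalone JCE program is an added example, not Red Hat's or WildFly's code; the key material, salt, iteration count and plaintext are constructed. It shows how one ciphertext decrypts with the parameters that produced it and fails when any of them differs at decryption time.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Added illustration: class name and all values are constructed, not taken from JBoss.
public class MaskPaddingDemo {
    static final String ALG = "PBEWithMD5AndDES"; // algorithm named in the stack trace

    // Build a cipher from the three inputs PBE decryption depends on.
    static Cipher cipher(int mode, char[] keyMaterial, byte[] salt, int iterations) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(keyMaterial));
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key, new PBEParameterSpec(salt, iterations));
        return c;
    }

    // Decrypt and report the outcome instead of throwing, so every case can be compared.
    static String tryDecrypt(byte[] ct, char[] keyMaterial, byte[] salt, int iterations) throws Exception {
        try {
            byte[] pt = cipher(Cipher.DECRYPT_MODE, keyMaterial, salt, iterations).doFinal(ct);
            // A wrong key can, rarely, leave bytes that pass the padding check;
            // the result is then garbage rather than an exception.
            return "decrypted: " + new String(pt, StandardCharsets.UTF_8);
        } catch (BadPaddingException e) {
            return "BadPaddingException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] keyMaterial = "constructed-key-material".toCharArray();
        byte[] salt = "12345678".getBytes(StandardCharsets.US_ASCII); // this algorithm needs an 8-byte salt
        byte[] otherSalt = "87654321".getBytes(StandardCharsets.US_ASCII);
        int iterations = 50;

        byte[] ct = cipher(Cipher.ENCRYPT_MODE, keyMaterial, salt, iterations)
                .doFinal("constructed-ldap-secret".getBytes(StandardCharsets.UTF_8));

        System.out.println("same parameters : " + tryDecrypt(ct, keyMaterial, salt, iterations));
        System.out.println("different key   : " + tryDecrypt(ct, "other-key-material".toCharArray(), salt, iterations));
        System.out.println("different salt  : " + tryDecrypt(ct, keyMaterial, otherSalt, iterations));
        System.out.println("different count : " + tryDecrypt(ct, keyMaterial, salt, iterations + 1));
    }
}
```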

Environment

  • JBoss Enterprise Application Platform (EAP) 7.x
