e4e959
@@ -26,12 +26,16 @@
import org.jboss.as.controller.OperationFailedException;
 import org.jboss.as.controller.VaultReader;
 import org.jboss.as.controller.logging.ControllerLogger;
 import org.jboss.dmr.ModelNode;
+import org.jboss.logging.Logger;
 
 /**
  *
  * @author <a href="kabir.khan@jboss.com">Kabir Khan</a>
  */
 public class RuntimeExpressionResolver extends ExpressionResolverImpl {
+
+    private static final Logger log = Logger.getLogger(RuntimeExpressionResolver.class);
+
     private final VaultReader vaultReader;
 
     public RuntimeExpressionResolver(VaultReader vaultReader) {
@@ -43,12 +47,29 @@
public class RuntimeExpressionResolver extends ExpressionResolverImpl {
         String expression = node.asString();
         if (expression.length() > 3) {
             String vaultedData = expression.substring(2, expression.length() -1);
-            if (vaultReader != null && vaultReader.isVaultFormat(vaultedData)) {
+            if (vaultReader == null) {
+                // No VaultReader was configured or could be loaded given the modules on the classpath
+                // This is common in WildFly Core itself as the org.picketbox module is not present
+                // to allow loading the standard RuntimeVaultReader impl
+
+                // Just check for a picektbox vault pattern and if present reject
+                // We don't want to let vault expressions pass as other resolvers will treat the ":'
+                // as a system property name vs default value delimiter
+                if (VaultReader.STANDARD_VAULT_PATTERN.matcher(vaultedData).matches()) {
+                    log.tracef("Cannot resolve %s -- it is in the default vault format but no vault reader is available", vaultedData);
+                    throw ControllerLogger.ROOT_LOGGER.cannotResolveExpression(expression);
+                }
+                log.tracef("Not resolving %s -- no vault reader available and not in default vault format", vaultedData);
+            } else if (vaultReader.isVaultFormat(vaultedData)) {
                 try {
-                    node.set(vaultReader.retrieveFromVault(vaultedData));
+                    String retrieved = vaultReader.retrieveFromVault(vaultedData);
+                    log.tracef("Retrieved %s from vault for %s", retrieved, vaultedData);
+                    node.set(retrieved);
                 } catch (VaultReader.NoSuchItemException nsie) {
                     throw ControllerLogger.ROOT_LOGGER.cannotResolveExpression(expression);
                 }
+            } else {
+                log.tracef("Not resolving %s -- not in vault format", vaultedData);
             }
         }
     }
