WildFly Elytron / ELY-1275

x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version/s: 1.1.0.CR3
    • Affects Version/s: 1.1.0.Beta52
    • Component/s: None
    • Labels: None
Steps to Reproduce:

      1) generate needed keystores and truststores

      2) configure Elytron application server:

      <security-domain name="security-domain-subject-dn" default-realm="ldap-realm-subject-dn" permission-mapper="default-permission-mapper" principal-decoder="x500AttributePrincipalDecoder">
          <realm name="ldap-realm-subject-dn"/>
      </security-domain>
      ...
      <ldap-realm name="ldap-realm-subject-dn" dir-context="elytron-ldap-dir-context" direct-verification="true">
          <identity-mapping rdn-identifier="uid" use-recursive-search="true" search-base-dn="o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org">
              <x509-credential-mapper subject-dn-from="businessCategory"/>
          </identity-mapping>
      </ldap-realm>
      ...
      <x500-attribute-principal-decoder name="x500AttributePrincipalDecoder" oid="2.5.4.3" maximum-segments="1"/>
      ...
      <tls>
          <key-stores>
              <key-store name="keyStore" type="jks">
                  <file path="PATH/server.keystore"/>
                  <credential-reference clear-text="secretKeyStore"/>
              </key-store>
              <key-store name="trustStore" type="jks">
                  <file path="PATH/server.truststore"/>
                  <credential-reference clear-text="secretKeyStore"/>
              </key-store>
          </key-stores>
          <key-managers>
              <key-manager name="keyManager" algorithm="SunX509" key-store="keyStore">
                  <credential-reference clear-text="secret"/>
              </key-manager>
          </key-managers>
          <trust-managers>
              <trust-manager name="trustManager" algorithm="SunX509" key-store="trustStore"/>
          </trust-managers>
          <server-ssl-contexts>
              <server-ssl-context name="serverSslContext" security-domain="security-domain-subject-dn" want-client-auth="true" need-client-auth="true" key-manager="keyManager" trust-manager="trustManager"/>
          </server-ssl-contexts>
      </tls>
      ...
      <dir-contexts>
          <dir-context name="elytron-ldap-dir-context" url="ldap://localhost:10389" principal="uid=admin,ou=system">
              <credential-reference clear-text="secret"/>
          </dir-context>
      </dir-contexts>
      

      3) configure in undertow:

      <https-listener name="https" socket-binding="https" ssl-context="serverSslContext" enable-http2="true"/>
      

      4) configure LDAP server to include needed data

      5) try to access https://localhost:8443


      When an ldap-realm with x509-credential-mapper is used in a security-domain which is referenced from a server-ssl-context, then authorization fails. It seems to be caused by using ServerAuthenticationContext.NameAssignedState in [1], which fails in [2] due to [3]. Because of this issue, x509-credential-mapper cannot work in a server-ssl-context.

      Server log:

      2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
      2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ], pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
      2017-06-30 15:01:22,023 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [clientSubjectDn]...
      2017-06-30 15:01:22,028 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [clientSubjectDn].
      2017-06-30 15:01:22,044 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
      2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2017-06-30 15:01:22,081 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@6ca3ef32] successfully created. Connection established to LDAP server.
      2017-06-30 15:01:22,084 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
      2017-06-30 15:01:22,086 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [null]. Binary attributes are [null].
      2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@6ca3ef32] was closed. Connection closed or just returned to the pool.
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2017-06-30 15:01:22,154 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2017-06-30 15:01:22,179 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@75395ba6] successfully created. Connection established to LDAP server.
      2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
      2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
      2017-06-30 15:01:22,195 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,197 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,198 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@75395ba6] was closed. Connection closed or just returned to the pool.
      2017-06-30 15:01:22,200 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2017-06-30 15:01:22,212 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@22d42495] successfully created. Connection established to LDAP server.
      2017-06-30 15:01:22,213 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
      2017-06-30 15:01:22,214 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
      2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
      2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@22d42495] was closed. Connection closed or just returned to the pool.
      2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
      2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
      	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
      	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
      	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
      	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
      	at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
      	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
      	at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
      	at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
      	at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
      	at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
      	at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
      	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
      Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext.succeed(ServerAuthenticationContext.java:492)
      	at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:123)
      	at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
      	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
      	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
      	at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      

      Since there is no documentation for this scenario, it is possible that this is just a configuration issue; in that case, please provide a valid configuration for this scenario.

      [1] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L120
      [2] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L122
      [3] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L1943
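Steps 1 and 4 of the reproducer only say what has to exist. The script below is added here as an example; it is not part of the report and not code from WildFly Elytron. It generates the JKS stores with the passwords used in the configuration above, derives the LDIF for the test entry from the client certificate so that businessCategory carries the subject DN exactly as Java renders it (the comma-separated form that appears in the server log), and issues the step 5 request with curl. Everything not in the report is an assumption: the server DN and its SAN, the inetOrgPerson object class for the entry, the use of the dir-context password `secret` for ldapadd, the keytool/ldapadd/curl tooling, the `ely1275` output directory, and the premise that the realm compares the attribute against the Java-rendered DN rather than the RFC 2253 form.

```shell
#!/bin/sh
# Added example for ELY-1275 (not from the report or from WildFly Elytron):
# produces the material that steps 1 and 4 of the reproducer leave implicit.
# Assumptions: keytool (JDK), ldapadd and curl are on PATH; the passwords are
# the credential-reference values from the report's configuration; the client
# subject DN is the one printed in the report's server log; the attribute named
# by subject-dn-from (businessCategory) must hold that DN in the comma-separated
# form Java prints, which is the form shown in the log.
set -eu

WORKDIR="${WORKDIR:-$PWD/ely1275}"           # assumed output directory
STORE_PASS="secretKeyStore"                  # <key-store> credential-reference
KEY_PASS="secret"                            # <key-manager> credential-reference
CLIENT_DN="CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ"
SERVER_DN="CN=localhost, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ"  # assumed
SEARCH_BASE="o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org"
LDAP_URL="ldap://localhost:10389"            # dir-context url from the report
LDAP_ADMIN="uid=admin,ou=system"             # dir-context principal from the report

# Step 1: server identity (server.keystore), client identity, and a server
# truststore holding the client certificate so need-client-auth can succeed.
gen_keystores() {
    mkdir -p "$WORKDIR"
    rm -f "$WORKDIR"/*.keystore "$WORKDIR"/*.truststore "$WORKDIR"/*.crt "$WORKDIR"/*.p12
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$SERVER_DN" -ext "SAN=dns:localhost" \
        -keystore "$WORKDIR/server.keystore" -storetype JKS \
        -storepass "$STORE_PASS" -keypass "$KEY_PASS"
    keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$CLIENT_DN" \
        -keystore "$WORKDIR/client.keystore" -storetype JKS \
        -storepass "$STORE_PASS" -keypass "$STORE_PASS"
    keytool -exportcert -rfc -alias client -keystore "$WORKDIR/client.keystore" \
        -storepass "$STORE_PASS" -file "$WORKDIR/client.crt"
    keytool -exportcert -rfc -alias server -keystore "$WORKDIR/server.keystore" \
        -storepass "$STORE_PASS" -file "$WORKDIR/server.crt"
    keytool -importcert -noprompt -alias client -file "$WORKDIR/client.crt" \
        -keystore "$WORKDIR/server.truststore" -storetype JKS -storepass "$STORE_PASS"
    # PKCS12 copy of the client identity for curl in step 5
    keytool -importkeystore -noprompt -srcalias client \
        -srckeystore "$WORKDIR/client.keystore" -srcstoretype JKS -srcstorepass "$STORE_PASS" \
        -destkeystore "$WORKDIR/client.p12" -deststoretype PKCS12 -deststorepass "$STORE_PASS"
}

# Subject DN as Java renders it ("Owner:" line of keytool -printcert). The LDIF
# is derived from the certificate instead of being retyped, so the attribute
# value cannot drift from what the realm sees.
subject_dn() {
    keytool -printcert -file "$1" -J-Duser.language=en | sed -n 's/^Owner: //p'
}

# Step 4: the entry found by (uid={0}) with the CN that the
# x500-attribute-principal-decoder extracts, carrying the DN in businessCategory.
write_ldif() {
    dn="$(subject_dn "$WORKDIR/client.crt")"
    cat > "$WORKDIR/x509.ldif" <<EOF
dn: $SEARCH_BASE
objectClass: top
objectClass: organization
o: X509CredentialMapperTestCasec588011e

dn: ou=People,$SEARCH_BASE
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=clientSubjectDn,ou=People,$SEARCH_BASE
objectClass: top
objectClass: inetOrgPerson
uid: clientSubjectDn
cn: clientSubjectDn
sn: clientSubjectDn
businessCategory: $dn
EOF
}

load_ldap() {
    ldapadd -x -H "$LDAP_URL" -D "$LDAP_ADMIN" -w "$KEY_PASS" -f "$WORKDIR/x509.ldif"
}

# Step 5: present the client certificate. With the bug the handshake is torn
# down with ELY01112; once authorization happens the request reaches Undertow.
probe() {
    curl -v --cacert "$WORKDIR/server.crt" \
        --cert-type P12 --cert "$WORKDIR/client.p12:$STORE_PASS" \
        https://localhost:8443/
}

case "${1:-}" in
    keystores) gen_keystores ;;
    ldif)      write_ldif ;;
    all)       gen_keystores; write_ldif; load_ldap; probe ;;
    "")        ;;   # no verb: only define the functions
    *)         echo "usage: $0 {keystores|ldif|all}" >&2; exit 2 ;;
esac
```

Run `sh ely1275-setup.sh keystores`, point the `file path` attributes of both key-stores at the output directory, then `sh ely1275-setup.sh ldif` and load the file with ldapadd (`all` chains every step). If the realm still rejects the certificate, compare the `Owner:` line of `keytool -printcert -file client.crt` with the stored businessCategory value; the two must be identical.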

Assignee: Jan Kalina (jkalina@redhat.com)
Reporter: Ondrej Lukas (olukas)