Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2074

SSO from FORM authentication required a distributed session

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Major
    • 1.20.5.CR1
    • 1.14.1.Final
    • HTTP
    • None
    • Undefined

    Description

      Presently SSO only works on failover if also have a distributed HTTP session. 

      The SSO support is supposed to be operating independently of the session otherwise we should have just used the session to replicate the identity.  I suspect that when we attempt to restore the identity we check if we have a session scope but as it does not exist we skip attempting the restoration, we should be open to restoration being possible without a session.

      Overall however it feels like this approach will require some clean up which may be needed for ELY-1626 - instead of the current approach which intercepts session access and converts to SSO we may be better making SSO a real scope or something similar so mechanisms can interact directly with it.  The approach today where we wrap the scope access and intercept the calls means mechanisms can easily make invalid assumptions about scope availability such as in this case.

      The following TRACE logging shows a successful failover where a web application is marked as being distributed:

      2021-01-26 11:01:34,120 TRACE [org.wildfly.security.http.servlet] (default task-1) Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true, applicationContext=default-host /simple-webapp
2021-01-26 11:01:34,121 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /simple-webapp
2021-01-26 11:01:34,121 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
2021-01-26 11:01:34,158 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
2021-01-26 11:01:34,158 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@4b6842ff] for mechanism [FORM]
2021-01-26 11:01:34,160 TRACE [org.wildfly.security] (default task-1) Handling SocketAddressCallback
2021-01-26 11:01:34,160 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='localhost' protocol='http'
2021-01-26 11:01:34,160 TRACE [org.wildfly.security.http.form] (default task-1) Trying to re-authenticate session 3t7EGcnmInMeUYH3-thjyQpTyOanRdoX3Dm-BcS6. Request URI: [http://localhost:8080/simple-webapp/secured], Context path: [/simple-webapp]
2021-01-26 11:01:34,160 TRACE [org.wildfly.security] (default task-1) Principal assigning: [alice], pre-realm rewritten: [alice], realm name: [example-realm], post-realm rewritten: [alice], realm rewritten: [alice]
2021-01-26 11:01:34,165 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [alice] -> decoded roles [Users, user] -> domain decoded roles [] -> realm mapped roles [Users, user] -> domain mapped roles [Users, user]
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Authorizing principal alice.
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Authorizing against the following attributes: [groups] => [user, Users]
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Authorizing against the following runtime attributes: [Source-Address] => [127.0.0.1]
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Permission mapping: identity [alice] with roles [Users, user] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Authorization succeed
2021-01-26 11:01:34,166 TRACE [org.wildfly.security] (default task-1) Handling CachedIdentityAuthorizeCallback: principal = alice  authorizedIdentity = SecurityIdentity{principal=alice, securityDomain=org.wildfly.security.auth.server.SecurityDomain@61f54c5f, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='example-realm', securityRealm=org.wildfly.security.auth.realm.FileSystemSecurityRealm@78079856}, creationTime=2021-01-26T11:01:34.165503Z}
2021-01-26 11:01:34,167 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: succeed
2021-01-26 11:01:34,167 TRACE [org.wildfly.security] (default task-1) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=alice, securityDomain=org.wildfly.security.auth.server.SecurityDomain@61f54c5f, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='example-realm', securityRealm=org.wildfly.security.auth.realm.FileSystemSecurityRealm@78079856}, creationTime=2021-01-26T11:01:34.165503Z}
2021-01-26 11:01:34,168 TRACE [org.wildfly.security] (default task-1) Role mapping: principal [alice] -> decoded roles [Users, user] -> domain decoded roles [] -> realm mapped roles [Users, user] -> domain mapped roles [Users, user]

       

      Where the web application is not distributed the following is logged instead:

      2021-01-26 11:26:14,189 INFO  [org.infinispan.CLUSTER] (thread-10,ejb,nodea) ISPN100001: Node nodeb left the cluster
2021-01-26 11:26:59,400 TRACE [org.wildfly.security.http.servlet] (default task-1) Created ServletSecurityContextImpl enableJapi=true, integratedJaspi=true, applicationContext=default-host /simple-webapp
2021-01-26 11:26:59,400 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /simple-webapp
2021-01-26 11:26:59,400 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
2021-01-26 11:26:59,402 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
2021-01-26 11:26:59,402 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1@71dc2149] for mechanism [FORM]
2021-01-26 11:26:59,404 TRACE [org.wildfly.security] (default task-1) Handling SocketAddressCallback
2021-01-26 11:26:59,404 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='localhost' protocol='http'
2021-01-26 11:26:59,404 TRACE [org.wildfly.security.http.form] (default task-1) Trying to re-authenticate. There is no session attached to the following request. Request URI: [http://localhost:8080/simple-webapp/secured], Context path: [/simple-webapp]
2021-01-26 11:26:59,404 TRACE [org.wildfly.security] (default task-1) Handling CachedIdentityAuthorizeCallback: principal = null  authorizedIdentity = null

       

      Attachments

        Issue Links

          relates to

          Bug - A problem that impairs or prevents the functions of the product. ELY-1626 Programmatic web authentication (HttpServletRequest.login()) does not trigger sso

          • Critical - To be worked on immediately following BLOCKER issues.
          • Resolved

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              darran.lofthouse@redhat.com Darran Lofthouse
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated: