Details
-
Feature Request
-
Resolution: Done
-
Major
-
None
-
None
Description
Trying to port the Gs2Test to use the CBH from ServerAuthenticationContext
javax.security.sasl.SaslException: ELY05053: [GS2-KRB5] Callback handler failed for unknown reason [Caused by java.lang.IllegalStateException: ELY01003: No authentication is in progress]
at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:102)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.handleCallbacks(AbstractSaslParticipant.java:83)
at org.wildfly.security.sasl.gs2.Gs2SaslServer.checkAuthorizationID(Gs2SaslServer.java:291)
at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:210)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:177)
at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
at org.wildfly.security.sasl.gs2.Gs2Test$5.run(Gs2Test.java:564)
at org.wildfly.security.sasl.gs2.Gs2Test$5.run(Gs2Test.java:562)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.wildfly.security.sasl.gs2.Gs2Test.evaluateResponse(Gs2Test.java:562)
at org.wildfly.security.sasl.gs2.Gs2Test.testKrb5AuthenticationWithoutChannelBinding(Gs2Test.java:204)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:68)
Caused by: java.lang.IllegalStateException: ELY01003: No authentication is in progress
at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:341)
at org.wildfly.security.auth.server.ServerAuthenticationContext$2.handleOne(ServerAuthenticationContext.java:542)
at org.wildfly.security.auth.server.ServerAuthenticationContext$2.handle(ServerAuthenticationContext.java:531)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:98)
... 36 more
Basically the authorize() call does not happen in the test CBH
and the state machine is in the wrong state
all that is passed in is an AuthorizeCallback
not sure what it should really be doing
so unless you know of the top of your head, I'll ask her
[12:48] Darran Lofthouse: Farah worked through the specs on that one - GSSAPI may also have a similar issue
[12:49] Darran Lofthouse: Off the top of my head - I think we are going to have to cope with just an AuthorizeCallback - if we receive that when no NameCallback has been provided then we need to pull the authentication name from the AuthorizeCallback
I don't think we can force mechanisms to pass in a NameCallback if they don't need it
[12:50] Kabir Khan: So the NameCallback is what would normally put it in the right state?
[12:50] Darran Lofthouse: yeah - but I don't think it is correct to force the mech to use that
I think this is just a case the CBH is going to have to handle
non Elytron mechanisms could be used and there is no guarantee they would pass in a NameCallback
[12:51] Kabir Khan: ok, so in ServerAuthenticationContext, if it is in the wrong state, do whatever NameCallback does to put it in the right state, and then try again?
[12:52] Darran Lofthouse: essentially yeah I think that is the best approach - the name you want is the authentication ID from the callback - that is the same as the one in the NameCallback generally anyway
