Feature Request
Resolution: Done
Major
Trying to port the Gs2Test to use the CBH from ServerAuthenticationContext
javax.security.sasl.SaslException: ELY05053: [GS2-KRB5] Callback handler failed for unknown reason [Caused by java.lang.IllegalStateException: ELY01003: No authentication is in progress]
at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:102)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.handleCallbacks(AbstractSaslParticipant.java:83)
at org.wildfly.security.sasl.gs2.Gs2SaslServer.checkAuthorizationID(Gs2SaslServer.java:291)
at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:210)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:177)
at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
at org.wildfly.security.sasl.gs2.Gs2Test$5.run(Gs2Test.java:564)
at org.wildfly.security.sasl.gs2.Gs2Test$5.run(Gs2Test.java:562)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.wildfly.security.sasl.gs2.Gs2Test.evaluateResponse(Gs2Test.java:562)
at org.wildfly.security.sasl.gs2.Gs2Test.testKrb5AuthenticationWithoutChannelBinding(Gs2Test.java:204)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:68)
Caused by: java.lang.IllegalStateException: ELY01003: No authentication is in progress
at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:341)
at org.wildfly.security.auth.server.ServerAuthenticationContext$2.handleOne(ServerAuthenticationContext.java:542)
at org.wildfly.security.auth.server.ServerAuthenticationContext$2.handle(ServerAuthenticationContext.java:531)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:98)
... 36 more
Basically the authorize() call does not happen in the test CBH
and the state machine is in the wrong state
all that is passed in is an AuthorizeCallback
not sure what it should really be doing
so unless you know off the top of your head, I'll ask her
[12:48] Darran Lofthouse: Farah worked through the specs on that one - GSSAPI may also have a similar issue
[12:49] Darran Lofthouse: Off the top of my head - I think we are going to have to cope with just an AuthorizeCallback - if we receive that when no NameCallback has been provided then we need to pull the authentication name from the AuthorizeCallback
I don't think we can force mechanisms to pass in a NameCallback if they don't need it
[12:50] Kabir Khan: So the NameCallback is what would normally put it in the right state?
[12:50] Darran Lofthouse: yeah - but I don't think it is correct to force the mech to use that
I think this is just a case the CBH is going to have to handle
non-Elytron mechanisms could be used and there is no guarantee they would pass in a NameCallback
[12:51] Kabir Khan: ok, so in ServerAuthenticationContext, if it is in the wrong state, do whatever NameCallback does to put it in the right state, and then try again?
[12:52] Darran Lofthouse: essentially yeah I think that is the best approach - the name you want is the authentication ID from the callback - that is the same as the one in the NameCallback generally anyway
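
The fallback agreed on above, as an added example (not part of the chat and not Elytron's code): a hypothetical AuthorizeOnlyHandler that, on receiving an AuthorizeCallback before any NameCallback, assigns the authentication name from the callback's authentication ID and only then authorizes. The knownNames set and the act-as-self policy are assumptions standing in for a realm lookup and a real authorization decision.

```java
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;

// Hypothetical handler for illustration; not Elytron's ServerAuthenticationContext.
public class AuthorizeOnlyHandler implements CallbackHandler {
    private final Set<String> knownNames; // constructed stand-in for a realm lookup
    private String authenticationName;    // null means no authentication is in progress
    public AuthorizeOnlyHandler(Set<String> knownNames) { this.knownNames = knownNames; }

    // The state transition a NameCallback would normally trigger.
    private void assignName(String name) {
        if (name == null || !knownNames.contains(name)) {
            throw new IllegalStateException("unknown authentication name");
        }
        authenticationName = name;
    }

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                assignName(((NameCallback) cb).getDefaultName());
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                if (authenticationName == null) {
                    // Mechanism sent no NameCallback: fall back to the authentication ID.
                    assignName(ac.getAuthenticationID());
                }
                String authzId = ac.getAuthorizationID();
                // Simplified policy (assumption): an identity may only act as itself.
                ac.setAuthorized(authenticationName.equals(ac.getAuthenticationID())
                        && (authzId == null || authzId.equals(authenticationName)));
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String user = "jduke@EXAMPLE.TEST"; // constructed sample principal
        AuthorizeCallback ac = new AuthorizeCallback(user, user);
        new AuthorizeOnlyHandler(Set.of(user)).handle(new Callback[] { ac });
        System.out.println("authorized=" + ac.isAuthorized());
    }
}
```

The name taken from the AuthorizeCallback is still validated before the state changes, so a mechanism that skips NameCallback does not bypass the identity lookup.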