For a web application making use of the HTTP FORM based authentication mechanism in combination with SSO, the following error is reported on a subsequent submission to j_security_check:
12:02:10,835 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /simple-webapp/j_security_check: java.lang.IllegalStateException: ELY01003: No authentication is in progress
    at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$State.importIdentity(ServerAuthenticationContext.java:1299)
    at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext.importIdentity(ServerAuthenticationContext.java:826)
    at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1127)
    at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:873)
    at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:126)
    at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.http.util.sso.SingleSignOnServerMechanismFactory.lambda$createCallbackHandler$0(SingleSignOnServerMechanismFactory.java:296)
In ServerAuthenticationContext the handling is as:
    CachedIdentityAuthorizeCallback authorizeCallback = (CachedIdentityAuthorizeCallback) callback;
    authorizeCallback.setSecurityDomain(stateRef.get().getSecurityDomain());
    SecurityIdentity authorizedIdentity = null;
    Principal principal = null;
    SecurityIdentity identity = authorizeCallback.getIdentity();
    if (identity != null && importIdentity(identity)) {
        authorizedIdentity = getAuthorizedIdentity();
    } else {
        principal = authorizeCallback.getPrincipal();
        if (principal == null) {
            principal = authorizeCallback.getAuthorizationPrincipal();
        }
        if (principal != null) {
            setAuthenticationPrincipal(principal);
            if (authorize()) {
                authorizedIdentity = getAuthorizedIdentity();
            }
        }
    }
    log.tracef("Handling CachedIdentityAuthorizeCallback: principal = %s authorizedIdentity = %s", principal, authorizedIdentity);
    authorizeCallback.setAuthorized(authorizedIdentity);
    handleOne(callbacks, idx + 1);
The call to authorizeCallback.getIdentity() leads to the cached identity being returned despite the form authentication mechanism being in the middle of a new authentication attempt - the error is reported as we are in an inconsistent state.
Across all authentication mechanisms, where we use a CachedIdentityAuthorizeCallback which takes a name or Principal the mechanism is actually in the process of handling a new authentication attempt, so we should use this as a flag that we are not restoring from the cache.
    public CachedIdentityAuthorizeCallback(String name, IdentityCache identityCache)
    public CachedIdentityAuthorizeCallback(Principal principal, IdentityCache identityCache, boolean localCache)
    public CachedIdentityAuthorizeCallback(Principal principal, IdentityCache identityCache)
    public CachedIdentityAuthorizeCallback(Principal principal, Function<SecurityDomain, IdentityCache> identityCache, boolean localCache)
In the handling, the two calls to consider are:
    authorizeCallback.getIdentity();
    authorizeCallback.getPrincipal();
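The ordering problem and the proposed flag, as an added stand-alone model that is not Elytron's code: the class names (CachedAuthorizeCallbackModel, AuthContextModel, Identity, IdentityCache) are simplified stand-ins for CachedIdentityAuthorizeCallback, ServerAuthenticationContext, SecurityIdentity and IdentityCache, the user store and the cached "alice" / re-submitted "bob" scenario are constructed, and the state check in importIdentity only models the inconsistency described above. handleCacheFirst mirrors the current order (cache consulted before the Principal) and fails when an attempt is already in flight; handleCurrentAttemptFirst treats a Principal on the callback as the "not restoring from cache" flag and authorizes the current attempt instead.

```java
import java.security.Principal;
import java.util.Optional;
import java.util.Set;

// Constructed stand-ins for Elytron's SecurityIdentity and IdentityCache.
record Identity(String name) {}

interface IdentityCache {
    Optional<Identity> get();
}

// Model of CachedIdentityAuthorizeCallback: the cache-only constructor is the SSO
// restore path; the Principal constructor is used while a new attempt is in progress.
final class CachedAuthorizeCallbackModel {
    private final Principal principal;  // null on the restore path
    private final IdentityCache cache;

    CachedAuthorizeCallbackModel(IdentityCache cache) { this(null, cache); }

    CachedAuthorizeCallbackModel(Principal principal, IdentityCache cache) {
        this.principal = principal;
        this.cache = cache;
    }

    Identity getIdentity() { return cache.get().orElse(null); }
    Principal getPrincipal() { return principal; }
    // The flag proposed in the issue: a name or Principal means a new attempt.
    boolean isNewAuthentication() { return principal != null; }
}

// Model of the server-side state the callback handler operates on.
final class AuthContextModel {
    private final Set<String> knownUsers;
    private Principal assigned;   // non-null once a new attempt has begun
    private Identity authorized;

    AuthContextModel(Set<String> knownUsers, Principal inFlight) {
        this.knownUsers = knownUsers;
        this.assigned = inFlight;
    }

    // Importing a cached identity is only valid before a name was assigned;
    // afterwards the context is inconsistent, which is what the report shows.
    boolean importIdentity(Identity cached) {
        if (assigned != null) {
            throw new IllegalStateException("cannot import cached identity: attempt in progress");
        }
        authorized = cached;
        return true;
    }

    void setAuthenticationPrincipal(Principal p) { assigned = p; }

    boolean authorize() {
        if (assigned != null && knownUsers.contains(assigned.getName())) {
            authorized = new Identity(assigned.getName());
            return true;
        }
        return false;
    }

    Identity getAuthorizedIdentity() { return authorized; }
}

public final class CachedIdentityOrdering {
    // Current ordering from the issue: the cache is consulted first.
    static Identity handleCacheFirst(AuthContextModel ctx, CachedAuthorizeCallbackModel cb) {
        Identity cached = cb.getIdentity();
        if (cached != null && ctx.importIdentity(cached)) {
            return ctx.getAuthorizedIdentity();
        }
        return authorizePrincipal(ctx, cb);
    }

    // Proposed ordering: a Principal on the callback means the cache is skipped.
    static Identity handleCurrentAttemptFirst(AuthContextModel ctx, CachedAuthorizeCallbackModel cb) {
        if (cb.isNewAuthentication()) {
            return authorizePrincipal(ctx, cb);
        }
        Identity cached = cb.getIdentity();
        return (cached != null && ctx.importIdentity(cached)) ? ctx.getAuthorizedIdentity() : null;
    }

    private static Identity authorizePrincipal(AuthContextModel ctx, CachedAuthorizeCallbackModel cb) {
        Principal p = cb.getPrincipal();
        if (p == null) {
            return null;
        }
        ctx.setAuthenticationPrincipal(p);
        return ctx.authorize() ? ctx.getAuthorizedIdentity() : null;
    }

    public static void main(String[] args) {
        // Constructed scenario: the SSO cache still holds "alice" from an earlier
        // login while a FORM re-submission for "bob" is already in progress.
        Principal bob = () -> "bob";
        IdentityCache ssoCache = () -> Optional.of(new Identity("alice"));
        CachedAuthorizeCallbackModel cb = new CachedAuthorizeCallbackModel(bob, ssoCache);
        Set<String> users = Set.of("alice", "bob");

        try {
            handleCacheFirst(new AuthContextModel(users, bob), cb);
        } catch (IllegalStateException e) {
            System.out.println("cache-first: " + e.getMessage());
        }
        Identity id = handleCurrentAttemptFirst(new AuthContextModel(users, bob), cb);
        System.out.println("attempt-first: authorized " + id.name());
    }
}
```

Compile and run it as CachedIdentityOrdering.java (Java 16 or later for the record). The first call throws because the cached "alice" is imported while "bob" is mid-authentication; the second authorizes "bob" without touching the cache, which is the behaviour the constructors taking a name or Principal imply.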
- is cloned by
    - JBEAP-28675 When handling CachedIdentityAuthorizeCallback current authentication not prioritised (Coding In Progress)
- is triggering
    - ELYWEB-244 Add tests that confirm re-authentication is possible for FORM auth (Coding In Progress)
    - ELYWEB-243 Add a Form based SSO test without clustering (Pull Request Sent)