Loading...

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: None
Affects Version/s: None
Component/s: Realms
Labels:
None

Steps to Reproduce:
Hide

1) start server with standalone-elytron.xml
2) use following CLI commands for setting LDAP authentication for application

/subsystem=elytron/dir-context=local-ldap:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential="secret") /subsystem=elytron/ldap-realm=ldap-auth:add(dir-context=local-ldap,identity-mapping={rdn-identifier=uid,search-base-dn="ou=People,dc=jboss,dc=org",user-password-mapper={from="userPassword",writable=true,verifiable=true},attribute-mapping=[{from=cn,to=myRole,filter="(member={0})",filter-base-dn="ou=Roles,dc=jboss,dc=org"}]}) /subsystem=elytron/simple-role-decoder=myRole-to-role:add(attribute=myRole) /subsystem=elytron/security-domain=LdapAuth:add(default-realm=ldap-auth,permission-mapper=login-permission-mapper,role-mapper=combined-role-mapper,realms=[{realm=ldap-auth,role-decoder=myRole-to-role}]) /subsystem=elytron/http-authentication-factory=ldap-http-authentication:add(http-server-mechanism-factory=global,security-domain=LdapAuth,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Realm"}]}]) /subsystem=undertow/application-security-domain=ldap:add(http-authentication-factory=ldap-http-authentication)

3) start LDAP server (it must be same server as was added to dir-context) with following ldif:

dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectclass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: JBossAdmin member: uid=jduke,ou=People,dc=jboss,dc=org description: the JBossAdmin group

4) deploy testing application print-roles.war (see Jira attachments) -> deployment succeed (optionally you can try to login to http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin, use jduke/Password credentials)
5) stop LDAP server
6) reload server -> exception is thrown to server log and deployment failed
Show
1) start server with standalone-elytron.xml 2) use following CLI commands for setting LDAP authentication for application /subsystem=elytron/dir-context=local-ldap:add(url= "ldap: //127.0.0.1:10389" ,principal= "uid=admin,ou=system" ,credential= "secret" ) /subsystem=elytron/ldap-realm=ldap-auth:add(dir-context=local-ldap,identity-mapping={rdn-identifier=uid,search-base-dn= "ou=People,dc=jboss,dc=org" ,user-password-mapper={from= "userPassword" ,writable= true ,verifiable= true },attribute-mapping=[{from=cn,to=myRole,filter= "(member={0})" ,filter-base-dn= "ou=Roles,dc=jboss,dc=org" }]}) /subsystem=elytron/simple-role-decoder=myRole-to-role:add(attribute=myRole) /subsystem=elytron/security-domain=LdapAuth:add( default -realm=ldap-auth,permission-mapper=login-permission-mapper,role-mapper=combined-role-mapper,realms=[{realm=ldap-auth,role-decoder=myRole-to-role}]) /subsystem=elytron/http-authentication-factory=ldap-http-authentication:add(http-server-mechanism-factory=global,security-domain=LdapAuth,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Ldap Realm" }]}]) /subsystem=undertow/application-security-domain=ldap:add(http-authentication-factory=ldap-http-authentication) 3) start LDAP server (it must be same server as was added to dir-context) with following ldif: dn: ou=People,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: People dn: uid=jduke,ou=People,dc=jboss,dc=org objectclass: top objectclass: person objectclass: inetOrgPerson uid: jduke cn: Java Duke sn: Duke userPassword: Password dn: ou=Roles,dc=jboss,dc=org objectclass: top objectclass: organizationalUnit ou: Roles dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org objectclass: top objectclass: groupOfNames cn: JBossAdmin member: uid=jduke,ou=People,dc=jboss,dc=org description: the JBossAdmin group 4) deploy testing application print-roles.war (see Jira attachments) -> deployment succeed (optionally you can try to login to http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin , use jduke / Password credentials) 5) stop LDAP server 6) reload server -> exception is thrown to server log and deployment failed
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/512

Description

In case when LDAP server used by Elytron dir-context is unreachable (e.g. LDAP is down or some network failures occur) or when dir-context is incorrectly set (e.g. used password is wrong) then application which uses this dir-context cannot be deployed. Deployment fails and confusing exception occurs in server log.

We request blocker since it causes that deployments (which have already been successfully deployed) can unexpectedly fail when server is restarted/reloaded in time when LDAP server is unreachable.

Deployment fails with following exception in server log:

ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 61) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./print-roles: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./print-roles: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:236)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
	... 6 more
Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.lambda$initialSecurityHandler$4(ApplicationSecurityDomainDefinition.java:349)
	at java.lang.Iterable.forEach(Iterable.java:75)
	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.initialSecurityHandler(ApplicationSecurityDomainDefinition.java:346)
	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.lambda$applyElytronSecurity$0(ApplicationSecurityDomainDefinition.java:294)
	at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:402)
	at io.undertow.servlet.core.DeploymentManagerImpl.access$600(DeploymentManagerImpl.java:119)
	at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:206)
	at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:171)
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:234)
	... 8 more

ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "print-roles.war")]) - failure description: {
    "WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./print-roles" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./print-roles: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
    Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
    Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory."},
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.undertow.deployment.default-server.default-host./print-roles"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
}

Attachments

Issue Links

clones

JBEAP-6401 Deployment fails when unreachable LDAP is used for Elytron LDAP authentication

Verified

Deployment fails when unreachable LDAP is used for Elytron LDAP authentication

Details

Description

Attachments

Issue Links

Activity

People

Dates