WildFly Elytron / ELY-668

Deployment fails when unreachable LDAP is used for Elytron LDAP authentication

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Component: Realms

      1) start the server with standalone-elytron.xml
      2) use the following CLI commands to set up LDAP authentication for the application

      /subsystem=elytron/dir-context=local-ldap:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential="secret")
      /subsystem=elytron/ldap-realm=ldap-auth:add(dir-context=local-ldap,identity-mapping={rdn-identifier=uid,search-base-dn="ou=People,dc=jboss,dc=org",user-password-mapper={from="userPassword",writable=true,verifiable=true},attribute-mapping=[{from=cn,to=myRole,filter="(member={0})",filter-base-dn="ou=Roles,dc=jboss,dc=org"}]})
      /subsystem=elytron/simple-role-decoder=myRole-to-role:add(attribute=myRole)
      /subsystem=elytron/security-domain=LdapAuth:add(default-realm=ldap-auth,permission-mapper=login-permission-mapper,role-mapper=combined-role-mapper,realms=[{realm=ldap-auth,role-decoder=myRole-to-role}])
      /subsystem=elytron/http-authentication-factory=ldap-http-authentication:add(http-server-mechanism-factory=global,security-domain=LdapAuth,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Realm"}]}])
      /subsystem=undertow/application-security-domain=ldap:add(http-authentication-factory=ldap-http-authentication)
      

      3) start the LDAP server (it must be the same server that was added to the dir-context) with the following LDIF:

      dn: ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: People
      
      dn: uid=jduke,ou=People,dc=jboss,dc=org
      objectclass: top
      objectclass: person
      objectclass: inetOrgPerson
      uid: jduke
      cn: Java Duke
      sn: Duke
      userPassword: Password
      
      dn: ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: organizationalUnit
      ou: Roles
      
      dn: cn=JBossAdmin,ou=Roles,dc=jboss,dc=org
      objectclass: top
      objectclass: groupOfNames
      cn: JBossAdmin
      member: uid=jduke,ou=People,dc=jboss,dc=org
      description: the JBossAdmin group
      

      4) deploy the testing application print-roles.war (see Jira attachments) -> the deployment succeeds (optionally you can try to log in at http://127.0.0.1:8080/print-roles/protected/printRoles?role=JBossAdmin, using the jduke/Password credentials)
      5) stop the LDAP server
      6) reload the server -> an exception is thrown to the server log and the deployment fails


      When the LDAP server used by an Elytron dir-context is unreachable (e.g. LDAP is down or a network failure occurs), or when the dir-context is configured incorrectly (e.g. the password used is wrong), an application which uses this dir-context cannot be deployed. The deployment fails and a confusing exception appears in the server log.

      We request Blocker priority since this means that deployments (which have already been deployed successfully) can unexpectedly fail when the server is restarted/reloaded at a time when the LDAP server is unreachable.

      The deployment fails with the following exception in the server log:

      ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 61) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./print-roles: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./print-roles: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
      Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
      	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:236)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
      	... 6 more
      Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
      	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.lambda$initialSecurityHandler$4(ApplicationSecurityDomainDefinition.java:349)
      	at java.lang.Iterable.forEach(Iterable.java:75)
      	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.initialSecurityHandler(ApplicationSecurityDomainDefinition.java:346)
      	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.lambda$applyElytronSecurity$0(ApplicationSecurityDomainDefinition.java:294)
      	at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:402)
      	at io.undertow.servlet.core.DeploymentManagerImpl.access$600(DeploymentManagerImpl.java:119)
      	at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:206)
      	at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:171)
      	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
      	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
      	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:234)
      	... 8 more
      
      ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "print-roles.war")]) - failure description: {
          "WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./print-roles" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./print-roles: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
          Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
          Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory."},
          "WFLYCTL0412: Required services that are not installed:" => ["jboss.undertow.deployment.default-server.default-host./print-roles"],
          "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
      }
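      The WFLYUT0085 message above says nothing about LDAP, so an operator reading the log has no direct pointer to the unreachable dir-context. The following script is an added example written for this issue; it is not WildFly or Elytron project code. It does two things that a practitioner would want before and after a reload: it parses the dir-context `:add` CLI command from the reproduction steps, extracts the LDAP URL and probes it at the TCP level, and it scans server log lines for the MSC000001 / WFLYCTL0080 failed-service entries and the WFLYUT0085 signature quoted in this issue, mapping that combination back to a "check the dir-context" hint. The CLI command format and the message ids are taken from this page; the sample log lines are constructed (shortened) from the stack trace here, and the hint text is my wording of the issue's own explanation.

```python
# Added example for ELY-668 (not WildFly or Elytron project code): a pre-reload
# reachability check for Elytron dir-context LDAP endpoints, plus a log triage
# that maps the confusing WFLYUT0085 deployment failure back to the likely
# cause described in the issue. Sample inputs below are constructed.
import re
import socket
from urllib.parse import urlsplit

# Standard LDAP/LDAPS ports, used when the dir-context URL omits a port.
DEFAULT_LDAP_PORTS = {"ldap": 389, "ldaps": 636}

# Matches the ':add(...)' CLI command for an Elytron dir-context resource.
DIR_CONTEXT_RE = re.compile(
    r"/subsystem=elytron/dir-context=(?P<name>[^:/\s]+):add\((?P<args>.*)\)\s*$")
# Pulls the url="ldap://host:port" argument out of the :add(...) argument list.
URL_RE = re.compile(r'url\s*=\s*"?(?P<url>ldaps?://[^",)\s]+)"?')
# Extracts the deployment name from an Undertow deployment service name such as
# jboss.undertow.deployment.default-server.default-host./print-roles
DEPLOYMENT_SERVICE_RE = re.compile(
    r'jboss\.undertow\.deployment\.[^./\s]+\.[^./\s]+\./(?P<name>[^\s:"]+)')

# Constructed sample input: the dir-context command from the reproduction steps.
SAMPLE_DIR_CONTEXT_CLI = (
    '/subsystem=elytron/dir-context=local-ldap:add(url="ldap://127.0.0.1:10389",'
    'principal="uid=admin,ou=system",credential="secret")'
)

# Constructed sample log lines, shortened from the stack trace in the issue.
SAMPLE_LOG_LINES = [
    "ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 61) MSC000001: "
    "Failed to start service jboss.undertow.deployment.default-server.default-host./print-roles: "
    "org.jboss.msc.service.StartException in service ...: java.lang.RuntimeException: "
    "java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not "
    "available from the HttpAuthenticationFactory.",
    "\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run"
    "(UndertowDeploymentService.java:85)",
    'ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: '
    'Operation ("deploy") failed - address: ([("deployment" => "print-roles.war")]) - failure description: {',
    "INFO  [example.constructed] (main) unrelated line kept to show it is ignored",
]


def parse_dir_context(cli_line):
    """Return (resource name, host, port) from a dir-context ':add' CLI command."""
    m = DIR_CONTEXT_RE.search(cli_line)
    if not m:
        raise ValueError("not a dir-context :add command: %r" % cli_line)
    u = URL_RE.search(m.group("args"))
    if not u:
        raise ValueError("dir-context %s has no ldap:// url" % m.group("name"))
    parts = urlsplit(u.group("url"))
    port = parts.port or DEFAULT_LDAP_PORTS[parts.scheme]
    return m.group("name"), parts.hostname, port


def ldap_reachable(host, port, timeout=2.0):
    """TCP-level reachability probe: True only if a connection can be opened.
    This does not bind or verify credentials; it only rules out the 'LDAP is
    down or unreachable' case described in the issue."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(cli_lines, timeout=2.0):
    """For every dir-context command, report whether its LDAP endpoint answers."""
    report = []
    for line in cli_lines:
        if "dir-context=" not in line:
            continue
        name, host, port = parse_dir_context(line)
        report.append((name, host, port, ldap_reachable(host, port, timeout)))
    return report


def triage_log(lines):
    """Summarise deployment failures that carry the WFLYUT0085 signature."""
    failed = set()
    mechanism_unavailable = False
    for line in lines:
        if "MSC000001" in line or "WFLYCTL0080" in line:
            m = DEPLOYMENT_SERVICE_RE.search(line)
            if m:
                failed.add(m.group("name"))
        if "WFLYUT0085" in line:
            mechanism_unavailable = True
    hint = ""
    if failed and mechanism_unavailable:
        # Wording is mine; the cause itself is the one reported in ELY-668.
        hint = ("WFLYUT0085 at deployment time can be caused by the security "
                "domain's LDAP realm failing to initialise: check that the "
                "dir-context LDAP server is reachable and its credentials are "
                "correct before reloading the server.")
    return {"failed_deployments": failed,
            "mechanism_unavailable": mechanism_unavailable,
            "hint": hint}


if __name__ == "__main__":
    for name, host, port, ok in preflight([SAMPLE_DIR_CONTEXT_CLI]):
        print("dir-context %s -> %s:%d %s"
              % (name, host, port, "reachable" if ok else "UNREACHABLE"))
    print(triage_log(SAMPLE_LOG_LINES))
```

Run `preflight` over the CLI commands (or the same lines copied out of the configuration) before issuing `:reload`; an `UNREACHABLE` entry is the condition under which this issue makes an already-deployed application fail to start. The probe is deliberately only a TCP connect, so it will not catch the wrong-password case the issue also mentions; `triage_log` covers that after the fact by recognising the signature in the log.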
      

      Jan Kalina (jkalina@redhat.com)
      Ondrej Lukas (olukas)