Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-879

HTTP Digest mechanism not checking length of username causing IllegalArgument Exception

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 1.1.0.Beta20
    • None
    • HTTP
    • None
    • Hide
      1. Use add-user script to add some user to ManagementRealm
      2. Start server with standalone.xml
      3. Go to http://localhost:9990 and try to authenticate with empty username -> exception will occur in server log and Internal Server Error (status 500) is returned
      Show
      Use add-user script to add some user to ManagementRealm Start server with standalone.xml Go to http://localhost:9990 and try to authenticate with empty username -> exception will occur in server log and Internal Server Error (status 500) is returned

    Description

      In case when empty username is passed during authentication to Management Console then exception is thrown to server log and Internal Server Error (status 500) is returned to user (which leads to displaying "Connect to Management Interface" page. User is not able to try to login again.

      In WildFly 10.1.0 this scenario works fine - after passing empty username during authentication, authentication failed and login window is displayed again. I request blocker due to regression.

      Exception thrown to server log:

      ERROR [io.undertow.request] (management task-3) UT005071: Undertow request failed HttpServerExchange{ GET /management request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8], Accept-Language=[en-US,en;q=0.5], Accept-Encoding=[gzip, deflate], User-Agent=[Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0], Connection=[keep-alive], Authorization=[Digest username="", realm="ManagementRealm", nonce="AAAAAwAAAlzTPVPLC0qPi6CaEhTCHZa+QjsuAjn3OsQXcuDYAxrOtc+rRMs=", uri="/management", algorithm=MD5, response="cbd764e6c09577625476340f7bcfc84d", opaque="00000000000000000000000000000000"], Content-Type=[text/plain; charset=utf-8], Cookie=[__utma=111872281.1874867570.1477040206.1479886566.1479982414.11; __utmz=111872281.1477040206.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=111872281.5.10.1479982414; __utmt=1; __utmc=111872281], Referer=[http://localhost:9990/console/App.html], Host=[localhost:9990]} response {X-Frame-Options=[SAMEORIGIN]}}: java.lang.IllegalArgumentException
	at javax.security.auth.callback.NameCallback.<init>(NameCallback.java:90)
	at org.wildfly.security.http.impl.DigestAuthenticationMechanism.getH_A1(DigestAuthenticationMechanism.java:233)
	at org.wildfly.security.http.impl.DigestAuthenticationMechanism.validateResponse(DigestAuthenticationMechanism.java:189)
	at org.wildfly.security.http.impl.DigestAuthenticationMechanism.evaluateRequest(DigestAuthenticationMechanism.java:121)
	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
	at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:207)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-7490 Authentication against HTTP management interface with empty username causes Internal Server Error (status 500)

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: