- Bug
- Resolution: Won't Do
- Blocker
- None
- 1.1.0.Beta26
It is not possible to set up authentication based on certificates. Following the community documentation [1,2] to set up 2-way SSL for apps and certificate-based auth, everything works as expected until a client with a client certificate tries to access a protected resource that should be accessible. Such a resource returns 403 Forbidden instead of 200 OK. Trace log:

13:31:15,565 TRACE [org.wildfly.security] (default task-33) Evidence verification: evidence = org.wildfly.security.evidence.X509PeerCertificateChainEvidence@42d7e114 evidencePrincipal = CN=client
13:31:15,566 TRACE [org.wildfly.security] (default task-33) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Principal assigning: [CN=client], pre-realm rewritten: [client], realm name: [ksRealm], post realm rewritten: [client], realm rewritten: [client]
13:31:15,566 TRACE [org.wildfly.security] (default task-33) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Evidence verification succeed for alias [client]
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Role mapping: principal [client] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [Guest, Admin]
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorizing principal client.
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorizing against the following attributes: [] => []
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Permission mapping: identity [client] with roles [Guest, Admin] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorization succeed
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authentication succeed for principal [CN=client]
13:31:15,573 TRACE [org.wildfly.security] (default task-34) Handling MechanismInformationCallback
13:31:15,574 TRACE [org.wildfly.security] (default task-34) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost', protocol='https'.
The last message comes from ServerAuthenticationContext [3].
[1] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#UsingtheElytronSubsystem-EnableTwoWaySSL%2FTLSinWildFlyforApplications
[2] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#UsingtheElytronSubsystem-ConfigureAuthenticationwithCertificates
[3] https://github.com/wildfly-security/wildfly-elytron/blob/6e4dad322ab0421522979448ea18801c2832791c/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L904
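A small triage helper, added here as an example and not part of this issue or of Elytron itself: it parses lines in the WildFly trace format shown above, collects the principals for which authentication succeeded, and pulls the mechanismType/mechanismName/hostName/protocol fields out of any ELY01119 message, so the pattern "certificate authentication succeeded, then the HTTP CLIENT_CERT mechanism configuration could not be resolved" can be spotted in a log without reading it by hand. The sample log is constructed from the trace above.

```python
import re
from dataclasses import dataclass

# Constructed sample, taken from the trace in the issue description.
SAMPLE_LOG = """\
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorization succeed
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authentication succeed for principal [CN=client]
13:31:15,573 TRACE [org.wildfly.security] (default task-34) Handling MechanismInformationCallback
13:31:15,574 TRACE [org.wildfly.security] (default task-34) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost', protocol='https'.
"""

# "HH:MM:SS,mmm LEVEL [logger] (thread) message" as written by the WildFly console handler.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) \[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
ELY_RE = re.compile(r"(?P<code>ELY\d{5}): (?P<text>.*)")   # Elytron message id
KV_RE = re.compile(r"(\w+)='([^']*)'")                      # key='value' pairs in the message
AUTH_OK_RE = re.compile(r"Authentication succeed for principal \[(?P<principal>[^\]]+)\]")


@dataclass
class Entry:
    ts: str
    level: str
    logger: str
    thread: str
    msg: str


def parse_log(text: str) -> list:
    """Parse every line that matches the trace format; ignore anything else."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def authenticated_principals(entries: list) -> list:
    """Principals that reached 'Authentication succeed' in the log."""
    return [m.group("principal") for e in entries if (m := AUTH_OK_RE.search(e.msg))]


def mechanism_config_failures(entries: list) -> list:
    """One dict per ELY01119 line: timestamp, thread and the mechanism fields it names."""
    failures = []
    for e in entries:
        m = ELY_RE.search(e.msg)
        if m and m.group("code") == "ELY01119":
            failures.append({"ts": e.ts, "thread": e.thread, **dict(KV_RE.findall(m.group("text")))})
    return failures


def triage(text: str) -> dict:
    """Summarise a trace: who authenticated, and which mechanism lookups then failed."""
    entries = parse_log(text)
    return {"principals": authenticated_principals(entries),
            "failures": mechanism_config_failures(entries)}
```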
- clones: JBEAP-9073 MechanismInformationCallback blocks certificate based authn (Undertow with Elytron) - Closed
- relates to: ELY-905 Authentication based on certificates does not work in Elytron with Undertow - Resolved