Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10047

Elytron properties-realm doesn't handle unicode sequences

    XMLWordPrintable

Details

    • Hide

      Store attached property files in standalone/configuration (replace existing ones). They contain 3 users mapped to JBossAdmin role. The usernames are the same as passwords:

      • user
      • admin
      • @!#?$%^&*()%+-{}用戶名اسمالمستخدمžščřžďťňäáéěëíýóůúüŽŠČŘŽĎŤŇÄÁÉĚËÍÝÓŮÚÜ

      Use following CLI to re-configure server to use plain-text credentials (legacy security way):

      /core-service=management/security-realm=ApplicationRealm/authentication=properties:write-attribute(name=plain-text, value=true)

      Deploy attached application and open it:

      Try to authenticate with all the usernames -> all 3 pass in this legacy configuration. Principal names are returned as response bodies.

      Reconfigure server to use Elytron:

      /subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=users-properties.plain-text, value=true)
/subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication)
reload

      Try again to authenticate with all the usernames -> only the "user" one passes because the 2 others has unicode escape sequences in it and Elytron is not able to handle them.

      Show
      Store attached property files in standalone/configuration (replace existing ones). They contain 3 users mapped to JBossAdmin role. The usernames are the same as passwords: user admin @!#?$%^&*()%+-{}用戶名اسمالمستخدمžščřžďťňäáéěëíýóůúüŽŠČŘŽĎŤŇÄÁÉĚËÍÝÓŮÚÜ Use following CLI to re-configure server to use plain-text credentials (legacy security way): /core-service=management/security-realm=ApplicationRealm/authentication=properties:write-attribute(name=plain-text, value= true ) Deploy attached application and open it: http://localhost:8080/secured/ Try to authenticate with all the usernames -> all 3 pass in this legacy configuration . Principal names are returned as response bodies. Reconfigure server to use Elytron: /subsystem=elytron/properties-realm=ApplicationRealm:write-attribute(name=users-properties.plain-text, value= true ) /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=application-http-authentication) reload Try again to authenticate with all the usernames -> only the "user" one passes because the 2 others has unicode escape sequences in it and Elytron is not able to handle them .

    Description

      Users who use property-file based authentication with plain passwords can't authenticate with Elytron if the property file contains Unicode escape sequences (e.g. file generated by using a classical java.util.Properties). The same authentication works with legacy solution (/core-service=management/security-realm=ApplicationRealm/authentication=properties(plain-text=true, ...)).

      The LegacyPropertiesSecurityRealm implementation has to be able to support properties files which were supported by legacy security realms.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ELY-1046 Elytron properties-realm doesn't handle unicode sequences

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-10376 Upgrade WildFly Elytron to 1.1.0.Beta37

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              rhn-cservice-bbaranow Bartosz Baranowski
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: