Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.DR17
Affects Version/s: 7.1.0.DR15
Component/s: Security
Labels:
- eap7.1-rfe-failure

CDW blocker:
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Steps to Reproduce:
Hide

1) Add user:

./add-user.sh -u admin -p pass@123 -s

2) Setup authentication context for deployments:

/subsystem=elytron/authentication-configuration=config:add(authentication-name=admin,allow-sasl-mechanisms=[PLAIN],credential-reference={clear-text=pass@123}) /subsystem=elytron/authentication-context=ctx:add(match-rules=[{authentication-configuration=config}]) /subsystem=elytron:write-attribute(name=default-authentication-context,value=ctx) reload

3) Deploy application which calls :whoami operation see attachments and access http://127.0.0.1:8080/dep/directCall. It prints admin even if only PLAIN mechanism is allowed on client side.
Show
1) Add user: ./add-user.sh -u admin -p pass@123 -s 2) Setup authentication context for deployments: /subsystem=elytron/authentication-configuration=config:add(authentication-name=admin,allow-sasl-mechanisms=[PLAIN],credential-reference={clear-text=pass@123}) /subsystem=elytron/authentication-context=ctx:add(match-rules=[{authentication-configuration=config}]) /subsystem=elytron:write-attribute(name= default -authentication-context,value=ctx) reload 3) Deploy application which calls :whoami operation see attachments and access http://127.0.0.1:8080/dep/directCall . It prints admin even if only PLAIN mechanism is allowed on client side.

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

In case when attribute allow-sasl-mechanisms from Elytron Authentication Configuration includes some SASL mechanisms then this attribute (and mechanisms configured there) is not taken into account during choosing SASL mechanism. It means that client tries to use all of mechanisms allowed on server side even if client does not allow them. e.g. in case when server side allowed DIGEST-MD5 and JBOSS-LOCAL-USER and client side allows PLAIN, then it tries to use DIGEST-MD5 and JBOSS-LOCAL-USER mechanisms.

See log from wireshark in attachments. This is log for server configured through "Steps to Reproduce".

This happens also for using allow-sasl-mechanisms from wildfly config and also for programatically configured client.

We request blocker since this issue blocks RFE EAP7-567 and EAP7-568 and it allows to use some SASL mechanisms even if they are not allowed on client side.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

dep.war
4 kB
2017/04/03 7:31 AM
wireshark.pcapng
6 kB
2017/04/03 7:31 AM

is blocked by

JBEAP-10159 Sticky authentication is not working correctly

Closed

JBEAP-10664 Setting sasl-mechanism-selector with some name value in Elytron client configuration file causes NPE during parsing

Closed

is caused by

ELY-1090 SASL mechanism selection strings with ordering and filtering

Resolved

is cloned by

WFCORE-2615 Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration

Resolved

is incorporated by

JBEAP-10479 Upgrade WildFly Elytron to 1.1.0.Beta38

Closed

relates to

JBEAP-10698 Propagate sasl-mechanism-selector to elytron subsystem

Closed

(1 relates to)

Assignee:: David Lloyd

Reporter:: Ondrej Lukas (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2017/04/03 7:36 AM

Updated:: 2024/09/02 3:56 PM

Resolved:: 2017/04/21 7:30 AM

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates