Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10544

Attribute protocol in authentication-configuration of Elytron subsystem is not used

    Details

    • Target Release:
    • Steps to Reproduce:
      Hide

      1) Add user:

      ./add-user.sh -u admin -p pass@123 -s
      

      2) setup http-interface:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      3) setup authentication-client:

      <authentication-client>
          <authentication-configuration name="authConfig" authentication-name="admin" host="localhost" protocol="remote+http" port="9990">
              <credential-reference clear-text="pass@123"/>
          </authentication-configuration>
          <authentication-context name="authCtx">
              <match-rule authentication-configuration="authConfig"/>
          </authentication-context>
      </authentication-client>
      

      4) setup authCtx as default-authentication-context:

      <subsystem xmlns="urn:wildfly:elytron:1.0" default-authentication-context="authCtx" final-providers="combined-providers">
      

      5) deploy application which try to runs :whoami operation through ModelControllerClient (see attachments)

      6) Access:

      7) Optional: you can try to access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=wrongAddress&port=1234 which set wrongAddress as host and 1234 as port on ModelControllerClient, but use correctly localhost and 9990 because it is configured in default-authentication-context.

      Show
      1) Add user: ./add-user.sh -u admin -p pass@123 -s 2) setup http-interface: <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" /> </http- interface > 3) setup authentication-client: <authentication-client> <authentication-configuration name= "authConfig" authentication-name= "admin" host= "localhost" protocol= "remote+http" port= "9990" > <credential-reference clear-text= "pass@123" /> </authentication-configuration> <authentication-context name= "authCtx" > <match-rule authentication-configuration= "authConfig" /> </authentication-context> </authentication-client> 4) setup authCtx as default-authentication-context: <subsystem xmlns= "urn:wildfly:elytron:1.0" default -authentication-context= "authCtx" final -providers= "combined-providers" > 5) deploy application which try to runs :whoami operation through ModelControllerClient (see attachments) 6) Access: http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 - it will failed ( execution failed is printed). http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=localhost&port=9990 - it will passed ( admin is printed). It means that protocol configured on ModelControllerClient has been used instead of protocol configured in default-authentication-context (in correct behavior, it should be independent on paramater protocol because protocol is configured in default-authentication-context. 7) Optional: you can try to access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=wrongAddress&port=1234 which set wrongAddress as host and 1234 as port on ModelControllerClient, but use correctly localhost and 9990 because it is configured in default-authentication-context.

      Description

      When authentication-configuration in Elytron subsystem uses attribute protocol then value of this attribute is not used for outgoing connection. Attributes host and port are used correctly.

      Following authentication-configuration of Elytron subsystem should use URL remote+http://localhost:9990 for outgoing connection, but protocol remote+http from protocol is not used:

      <authentication-configuration name="authConfig" authentication-name="admin" protocol="remote+http" host="localhost" port="9990">
          <credential-reference clear-text="pass@123"/>
      </authentication-configuration>
      

      We request blocker because this issue blocks feature for RFE EAP7-568. Due to issue incorrect protocol can be unexpectedly used for outgoing connection, e.g. http can be used instead of https.

      This issue is blocker for GA, not for testing.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  thofman Tomas Hofman
                  Reporter:
                  olukas Ondrej Lukas
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: