Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10544

Attribute protocol in authentication-configuration of Elytron subsystem is not used

XMLWordPrintable

    • Hide

      1) Add user:

      ./add-user.sh -u admin -p pass@123 -s
      

      2) setup http-interface:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      3) setup authentication-client:

      <authentication-client>
          <authentication-configuration name="authConfig" authentication-name="admin" host="localhost" protocol="remote+http" port="9990">
              <credential-reference clear-text="pass@123"/>
          </authentication-configuration>
          <authentication-context name="authCtx">
              <match-rule authentication-configuration="authConfig"/>
          </authentication-context>
      </authentication-client>
      

      4) setup authCtx as default-authentication-context:

      <subsystem xmlns="urn:wildfly:elytron:1.0" default-authentication-context="authCtx" final-providers="combined-providers">
      

      5) deploy application which try to runs :whoami operation through ModelControllerClient (see attachments)

      6) Access:

      7) Optional: you can try to access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=wrongAddress&port=1234 which set wrongAddress as host and 1234 as port on ModelControllerClient, but use correctly localhost and 9990 because it is configured in default-authentication-context.

      Show
      1) Add user: ./add-user.sh -u admin -p pass@123 -s 2) setup http-interface: <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" /> </http- interface > 3) setup authentication-client: <authentication-client> <authentication-configuration name= "authConfig" authentication-name= "admin" host= "localhost" protocol= "remote+http" port= "9990" > <credential-reference clear-text= "pass@123" /> </authentication-configuration> <authentication-context name= "authCtx" > <match-rule authentication-configuration= "authConfig" /> </authentication-context> </authentication-client> 4) setup authCtx as default-authentication-context: <subsystem xmlns= "urn:wildfly:elytron:1.0" default -authentication-context= "authCtx" final -providers= "combined-providers" > 5) deploy application which try to runs :whoami operation through ModelControllerClient (see attachments) 6) Access: http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 - it will failed ( execution failed is printed). http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=localhost&port=9990 - it will passed ( admin is printed). It means that protocol configured on ModelControllerClient has been used instead of protocol configured in default-authentication-context (in correct behavior, it should be independent on paramater protocol because protocol is configured in default-authentication-context. 7) Optional: you can try to access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=wrongAddress&port=1234 which set wrongAddress as host and 1234 as port on ModelControllerClient, but use correctly localhost and 9990 because it is configured in default-authentication-context.

      When authentication-configuration in Elytron subsystem uses attribute protocol then value of this attribute is not used for outgoing connection. Attributes host and port are used correctly.

      Following authentication-configuration of Elytron subsystem should use URL remote+http://localhost:9990 for outgoing connection, but protocol remote+http from protocol is not used:

      <authentication-configuration name="authConfig" authentication-name="admin" protocol="remote+http" host="localhost" port="9990">
          <credential-reference clear-text="pass@123"/>
      </authentication-configuration>
      

      We request blocker because this issue blocks feature for RFE EAP7-568. Due to issue incorrect protocol can be unexpectedly used for outgoing connection, e.g. http can be used instead of https.

      This issue is blocker for GA, not for testing.

            thofman Tomas Hofman
            olukas Ondrej Lukas (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: