Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10544

Attribute protocol in authentication-configuration of Elytron subsystem is not used

    XMLWordPrintable

Details

    • Hide

      1) Add user:

      ./add-user.sh -u admin -p pass@123 -s

      2) setup http-interface:

      <http-interface http-authentication-factory="management-http-authentication">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http"/>
</http-interface>

      3) setup authentication-client:

      <authentication-client>
    <authentication-configuration name="authConfig" authentication-name="admin" host="localhost" protocol="remote+http" port="9990">
        <credential-reference clear-text="pass@123"/>
    </authentication-configuration>
    <authentication-context name="authCtx">
        <match-rule authentication-configuration="authConfig"/>
    </authentication-context>
</authentication-client>

      4) setup authCtx as default-authentication-context:

      <subsystem xmlns="urn:wildfly:elytron:1.0" default-authentication-context="authCtx" final-providers="combined-providers">

      5) deploy application which try to runs :whoami operation through ModelControllerClient (see attachments)

      6) Access:

      7) Optional: you can try to access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=wrongAddress&port=1234 which set wrongAddress as host and 1234 as port on ModelControllerClient, but use correctly localhost and 9990 because it is configured in default-authentication-context.

      Show
      1) Add user: ./add-user.sh -u admin -p pass@123 -s 2) setup http-interface: <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" /> </http- interface > 3) setup authentication-client: <authentication-client> <authentication-configuration name= "authConfig" authentication-name= "admin" host= "localhost" protocol= "remote+http" port= "9990" > <credential-reference clear-text= "pass@123" /> </authentication-configuration> <authentication-context name= "authCtx" > <match-rule authentication-configuration= "authConfig" /> </authentication-context> </authentication-client> 4) setup authCtx as default-authentication-context: <subsystem xmlns= "urn:wildfly:elytron:1.0" default -authentication-context= "authCtx" final -providers= "combined-providers" > 5) deploy application which try to runs :whoami operation through ModelControllerClient (see attachments) 6) Access: http://127.0.0.1:8080/direct-call-dep/directCall?protocol=https&hostname=localhost&port=9990 - it will failed ( execution failed is printed). http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=localhost&port=9990 - it will passed ( admin is printed). It means that protocol configured on ModelControllerClient has been used instead of protocol configured in default-authentication-context (in correct behavior, it should be independent on paramater protocol because protocol is configured in default-authentication-context. 7) Optional: you can try to access http://127.0.0.1:8080/direct-call-dep/directCall?protocol=remote%2Bhttp&hostname=wrongAddress&port=1234 which set wrongAddress as host and 1234 as port on ModelControllerClient, but use correctly localhost and 9990 because it is configured in default-authentication-context.

    Description

      When authentication-configuration in Elytron subsystem uses attribute protocol then value of this attribute is not used for outgoing connection. Attributes host and port are used correctly.

      Following authentication-configuration of Elytron subsystem should use URL remote+http://localhost:9990 for outgoing connection, but protocol remote+http from protocol is not used:

      <authentication-configuration name="authConfig" authentication-name="admin" protocol="remote+http" host="localhost" port="9990">
    <credential-reference clear-text="pass@123"/>
</authentication-configuration>

      We request blocker because this issue blocks feature for RFE EAP7-568. Due to issue incorrect protocol can be unexpectedly used for outgoing connection, e.g. http can be used instead of https.

      This issue is blocker for GA, not for testing.

      Attachments

        Issue Links

          is blocked by

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) ELY-1102 Provide accessors in AuthenticationContextConfigurationClient to read the configured protocol

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is caused by

          Bug - A problem that impairs or prevents the functions of the product. REM3-270 AuthenticationConfiguration protocol is not being used

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2724 Attribute protocol in authentication-configuration of Elytron subsystem is not used

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10543 Configured set-protocol in Elytron Client configuration file is not used

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-10845 (7.1.0) Upgrade to WildFly Core to 3.0.0.Beta23

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-11280 Upgrade remoting to 5.0.0.Beta25

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              thofman Tomas Hofman
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: