Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.DR19
Affects Version/s: 7.1.0.DR17
Component/s: Remoting, Security
Labels:

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/wildfly-security-incubator/wildfly/pull/203, https://github.com/wildfly-security-incubator/wildfly-core/pull/161, https://github.com/wildfly-security/wildfly-elytron/pull/816
Steps to Reproduce:
Hide

This uses https://github.com/jmartisk/mock-artifacts/tree/master/ejb-server-to-server/ejb-server-to-server-elytron .

1. Start server-side EAP, add user and deploy server side deployment:

{$SERVER_SIDE}/bin/add-user.sh -a -g users -u admin -p admin123+

2. Start client-side EAP bound to different loopback address with system property:

{$CLIENT_SIDE}/bin/standalone.sh -b 127.0.0.8 -bmanagement 127.0.0.8 -Dremote.ejb.host=127.0.0.1

3. Use the following setups to reproduce the three configuration scenarios mentioned in description, then access http://127.0.0.8:8080/client-side/ :

Authentication context defined in remote outbound connection, no Elytron default

/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="admin123+"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war

Authentication context defined only in Elytron default

/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="admin123+"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(outbound-socket-binding-ref=remote-ejb) /subsystem=elytron:write-attribute(name=default-authentication-context,value=admin-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war

Correct authentication context defined in remote outbound connection, wrong in Elytron default

/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="admin123+"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb) /subsystem=elytron/authentication-configuration=default-wrong-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="badPwd"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=default-wrong-ctx:add(match-rules=[{authentication-configuration=default-wrong-cfg}]) /subsystem=elytron:write-attribute(name=default-authentication-context,value=default-wrong-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war

4. The only working setup would look like this:

/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="admin123+"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb) /subsystem=elytron:write-attribute(name=default-authentication-context,value=admin-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war
Show
This uses https://github.com/jmartisk/mock-artifacts/tree/master/ejb-server-to-server/ejb-server-to-server-elytron . 1. Start server-side EAP, add user and deploy server side deployment: {$SERVER_SIDE}/bin/add-user.sh -a -g users -u admin -p admin123+ 2. Start client-side EAP bound to different loopback address with system property: {$CLIENT_SIDE}/bin/standalone.sh -b 127.0.0.8 -bmanagement 127.0.0.8 -Dremote.ejb.host=127.0.0.1 3. Use the following setups to reproduce the three configuration scenarios mentioned in description, then access http://127.0.0.8:8080/client-side/ : Authentication context defined in remote outbound connection, no Elytron default /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "admin123+" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war Authentication context defined only in Elytron default /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "admin123+" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(outbound-socket-binding-ref=remote-ejb) /subsystem=elytron:write-attribute(name= default -authentication-context,value=admin-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war Correct authentication context defined in remote outbound connection, wrong in Elytron default /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "admin123+" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb) /subsystem=elytron/authentication-configuration= default -wrong-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "badPwd" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context= default -wrong-ctx:add(match-rules=[{authentication-configuration= default -wrong-cfg}]) /subsystem=elytron:write-attribute(name= default -authentication-context,value= default -wrong-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war 4. The only working setup would look like this: /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "admin123+" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb) /subsystem=elytron:write-attribute(name= default -authentication-context,value=admin-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Analysis document for EAP7-551 states the following:

This RFE is to add a reference to the new authentication-context capability to the remote-outbound-connection resource and make use of it satisfy the security requirements for the outbound connections being established.

The AuthenticationContext will be used to access both information required for authentication and also for any SSLContext required for the connection.

A newly referenced authentication-context will be used to provide all security configuration for outbound connections.

However, currently the remoting outbound connections will only use Elytron default authentication context and ignore authentication context defined in remoting outbound connection resource:

If no default authentication context is defined in Elytron subsystem but remote outbound connection has defined one, no authentication context is associated with remote outbound connection.
If the default authentication context is defined in Elytron subsystem but no authentication context is defined in remote outbound connection, remoting assumes that outbound connection uses legacy security.
If the default authentication context is defined in Elytron subsystem and different authentication context is defined in remote outbound connection, the remote outbound connection will use the Elytron subsystem default none the less.
The authentication context defined in outbound remote connection will only work if it is the same as default authentication context in Elytron subsystem.

is cloned by

WFLY-8772 Deployments referencing outbound connection with authentication context always use Elytron default-authentication-context

Closed

is related to

JBEAP-10913 Fix parsing and handling of the legacy username attribute specified for a remote-outbound-connection

Closed

JBEAP-11237 Authentication with context defined in outbound connection with non-http-remoting protocol always fails unless it is Elytron default

Closed

relates to

JBEAP-9713 Remote outbound connection with authentication-context cannot be used for remote EJB calls

Closed

Assignee:: David Lloyd

Reporter:: Michal Jurc

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2017/04/28 4:19 AM

Updated:: 2024/09/02 4:10 PM

Resolved:: 2017/05/18 10:50 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates