  1. JBoss Enterprise Application Platform
  2. JBEAP-10976

Remoting connection sharing causes authentication failures - DIGEST SASL mechanism

    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.DR19
    • 7.1.0.DR18
    • Remoting, Security
    • None

      Reproducer is attached (test class to be placed into the testsuite/integration/basic) or you can find it in this branch: https://github.com/kwart/wildfly/blob/WFLY-8799-reproducer/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/ejb/remote/security/ConnectionSharingTestCase.java

      The testcase contains 2 test methods executed in the predefined order (using @InSequence).

      cd testsuite/integration/basic
      mvn clean test -Dtest=ConnectionSharingTestCase
      

      It finishes with

      Tests in error: 
        ConnectionSharingTestCase.testRemoteConnection:100->assertBeanCallWithContextProperties:109 » RequestSendFailed
      

      If you run the failing method alone or if you change the execution order of the methods, then the test case passes.

      mvn clean test -Dtest=ConnectionSharingTestCase#testRemoteConnection
      

      The problem is not limited to methods in a single class; remoting calls influence each other across the JVM.


      The server rejects DIGEST SASL authentication in some cases when an existing remoting connection is reused. It seems the protocol name is not updated or matched correctly. Moreover, the root cause of the problem is hidden due to JBEAP-10953.
      Clients just get:

      Caused by: org.wildfly.security.auth.AuthenticationException: JBREM000304: Server rejected authentication
      	at org.jboss.remoting3.ConnectionPeerIdentityContext.doAuthenticate(ConnectionPeerIdentityContext.java:340)
      	at org.jboss.remoting3.ConnectionPeerIdentityContext.authenticate(ConnectionPeerIdentityContext.java:178)
      	at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:478)
      	at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:467)
              ...
      

      The hidden exception stack trace is:

      javax.security.sasl.SaslException: ELY05088: [DIGEST-MD5] digest-uri "remote+http/doma" not accepted
      	at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:239)
      	at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:355)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:328)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.jboss.remoting3.ConnectionImpl.lambda$receiveAuthResponse$3(ConnectionImpl.java:273)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:748)
      

      We hit this problem as an intermittent failure in the AS testsuite.

              dlloyd@redhat.com David Lloyd
              josef.cacek@gmail.com Josef Cacek (Inactive)
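
Added example (not part of the original issue and not WildFly or Elytron code): a minimal RFC 2831 DIGEST-MD5 exchange showing why a client whose digest-uri was built from a different protocol name is rejected even though its password is correct. The user, password, nonces and the server-side protocol name "remote" are constructed assumptions; only the digest-uri "remote+http/doma" is taken from the stack trace above.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def response_value(user, realm, password, nonce, cnonce, nc, digest_uri, qop="auth"):
    """RFC 2831 section 2.1.2.1 response-value for qop=auth, no authzid."""
    a1 = _md5(f"{user}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2).hex()}"
    return _md5(kd.encode()).hex()

def client_response(protocol, host, user, realm, password, nonce, cnonce):
    """Client side: digest-uri is serv-type "/" host, built from the protocol name."""
    fields = {"username": user, "realm": realm, "nonce": nonce, "cnonce": cnonce,
              "nc": "00000001", "qop": "auth", "digest-uri": f"{protocol}/{host}"}
    fields["response"] = response_value(user, realm, password, nonce, cnonce,
                                        fields["nc"], fields["digest-uri"])
    return fields

def server_validate(fields, protocol, host, passwords):
    """Server side: return "ok" or a rejection reason.

    In this sketch the digest-uri is compared with the server's own
    protocol/host before the password proof is looked at.
    """
    expected_uri = f"{protocol}/{host}"
    if fields["digest-uri"].lower() != expected_uri.lower():
        return f'digest-uri "{fields["digest-uri"]}" not accepted'
    password = passwords.get(fields["username"], "")
    expected = response_value(fields["username"], fields["realm"], password,
                              fields["nonce"], fields["cnonce"], fields["nc"],
                              fields["digest-uri"])
    if not hmac.compare_digest(expected, fields["response"]):
        return "response mismatch"
    return "ok"

# Constructed sample data; the page does not say which value the server expected.
PASSWORDS = {"alice": "s3cret"}
SERVER_PROTOCOL = "remote"  # assumption

def demo():
    """Same credentials twice; only the protocol name used for digest-uri differs."""
    matching = client_response("remote", "doma", "alice", "doma", "s3cret", "n1", "c1")
    mismatched = client_response("remote+http", "doma", "alice", "doma", "s3cret", "n2", "c2")
    return (server_validate(matching, SERVER_PROTOCOL, "doma", PASSWORDS),
            server_validate(mismatched, SERVER_PROTOCOL, "doma", PASSWORDS))

if __name__ == "__main__":
    print(demo())
```

Because the digest-uri is also hashed into the response (A2), a server cannot simply skip the comparison: both sides have to agree on the protocol name for the proof to verify.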