Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-1105

Unable to configure security domain with DIGEST authentication

    XMLWordPrintable

Details

    • Hide
      1. Configure following security domain (and reconfigure logging) by using CLI:
        /subsystem=security/security-domain=web-tests:add
        /subsystem=security/security-domain=web-tests/authentication=classic:add {allow-resource-service-restart=true}
        /subsystem=security/security-domain=web-tests/authentication=classic/login-module=UsersRoles:add( \
          code=UsersRoles, flag=required, module-options=[ \
            ("hashAlgorithm"=>"MD5"), \
            ("hashEncoding"=>"RFC2617"), \
            ("hashUserPassword"=>"false"), \
            ("hashStorePassword"=>"true"), \
            ("passwordIsA1Hash"=>"false"), \
            ("storeDigestCallback"=>"org.jboss.security.auth.callback.RFC2617Digest") \
          ]) {allow-resource-service-restart=true}
        /subsystem=logging/logger=org.jboss.security:add(level=ALL)
        /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
        
      2. Deploy attached secured-webapp.war application. It has the DIGEST configured in web.xml. The application references the security domain created in the first step.
      3. Open http://127.0.0.1:8080/secured-webapp/ in a browser and login with admin/admin credentials

      User will not be logged into the app (in EAP 7) and the exception occurs in the server log.

      Show
      Configure following security domain (and reconfigure logging) by using CLI: /subsystem=security/security-domain=web-tests:add /subsystem=security/security-domain=web-tests/authentication=classic:add {allow-resource-service-restart= true } /subsystem=security/security-domain=web-tests/authentication=classic/login-module=UsersRoles:add( \ code=UsersRoles, flag=required, module-options=[ \ ( "hashAlgorithm" => "MD5" ), \ ( "hashEncoding" => "RFC2617" ), \ ( "hashUserPassword" => " false " ), \ ( "hashStorePassword" => " true " ), \ ( "passwordIsA1Hash" => " false " ), \ ( "storeDigestCallback" => "org.jboss.security.auth.callback.RFC2617Digest" ) \ ]) {allow-resource-service-restart= true } /subsystem=logging/logger=org.jboss.security:add(level=ALL) /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL) Deploy attached secured-webapp.war application. It has the DIGEST configured in web.xml . The application references the security domain created in the first step. Open http://127.0.0.1:8080/secured-webapp/ in a browser and login with admin/admin credentials User will not be logged into the app (in EAP 7) and the exception occurs in the server log.

    Description

      The callback org.jboss.security.auth.callback.RFC2617Digest is used as a login module option in security domain if the user uses DIGEST authentication method. It's not working in EAP 7 - an exception is thrown during authentication from the login module(s) when this callback is used.

      09:56:06,141 DEBUG [org.jboss.security] (default task-2) PBOX00206: Login failure: javax.security.auth.login.LoginException: PBOX00055: Failed to invoke CallbackHandler
      	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:446)
      	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:282)
      	at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:171)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:483)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
      	at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
      	at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
      	at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
      	at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111)
      	at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:77)
      	at io.undertow.security.impl.DigestAuthenticationMechanism.handleDigestHeader(DigestAuthenticationMechanism.java:278)
      	at io.undertow.security.impl.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:162)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
      	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
      	at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
      	at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
      	at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
      	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
      	at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
      	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
      	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
      	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
      	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
      	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
      	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
      	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
      	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
      	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
      	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
      	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
      	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:198)
      	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:784)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.security.auth.callback.UnsupportedCallbackException: PBOX00014: org.jboss.security.auth.callback.JBossCallbackHandler does not handle a callback of type org.jboss.security.auth.callback.MapCallback
      	at org.jboss.security.auth.callback.JBossCallbackHandler.handleCallBack(JBossCallbackHandler.java:138)
      	at org.jboss.security.auth.callback.JBossCallbackHandler.handle(JBossCallbackHandler.java:87)
      	at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:939)
      	at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:936)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:936)
      	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:436)
      	... 51 more
      

      Attachments

        Issue Links

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              josef.cacek@gmail.com Josef Cacek
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: