Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11177

Unable to define realm-mapping for TrustManager based auth

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.1.0.ER1
    • 7.1.0.DR19
    • Security
    • None
    • Hide
      • clone wildfly-elytron project (key material from it is used)
      • download attached standalone.xml, and edit path element referencing the wildfly-elytron project: 
        <path name="elytron.project" path="/home/kwart/projects/wildfly-security/wildfly-elytron"/>
      • start the server
      • clone elytron-client-demo - used as the reproducer 
        git clone -b SASL-EXTERNAL-server-stuck https://github.com/jboss-security-qe/elytron-client-demo.git
      • edit path to key material in the reproducer method SimpleClient.loadKeyStore too
      • run the reproducer: 
        mvn package exec:java

      It should pass and print "Dung" as username, but it fails.

      Show
      clone wildfly-elytron project (key material from it is used) download attached standalone.xml , and edit path element referencing the wildfly-elytron project: <path name= "elytron.project" path= "/home/kwart/projects/wildfly-security/wildfly-elytron" /> start the server clone elytron-client-demo - used as the reproducer git clone -b SASL-EXTERNAL-server-stuck https: //github.com/jboss-security-qe/elytron-client-demo.git edit path to key material in the reproducer method SimpleClient.loadKeyStore too run the reproducer: mvn package exec:java It should pass and print "Dung" as username, but it fails.

      For SASL and HTTP mechanisms it is possible to define realm-mapping as part of *-authentication-factory. But this cannot be used for EXTERNAL/CLIENT_CERT mechanism, because ServerAuthenticationContext is not constructed by mechanism but by SecurityDomainTrustManager - without relation to any *-authentication-factory.

      It can be misleading for user, that EXTERNAL mechanism is present in sasl-authentication-factory, but if realm-mapper is defined here, it is ignored: (because SSL authentication finish before any SASL is initiated)

      <sasl-authentication-factory name="client-cert-digest" sasl-server-factory="configured" security-domain="client-cert-domain">
    <mechanism-configuration>
        <mechanism mechanism-name="EXTERNAL" realm-mapper="key-store-realm"/>
    </mechanism-configuration>
</sasl-authentication-factory>

      Should be considered adding way how to pass realm-mapper into SSL authentication - maybe add realm-mapper attribute into server-ssl-context definition?

        1. server.log
          67 kB
        2. standalone.xml
          34 kB

              jkalina@redhat.com Jan Kalina (Inactive)
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Ondrej Kotek Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: