JBoss Enterprise Application Platform
JBEAP-11237

Authentication with context defined in outbound connection with non-http-remoting protocol always fails unless it is Elytron default



      This reproducer uses https://github.com/jmartisk/mock-artifacts/tree/master/ejb-server-to-server/ejb-server-to-server-elytron

      1. Start the server-side EAP, add a user, and deploy the server-side deployment:

      {$SERVER_SIDE}/bin/add-user.sh -a -g users -u admin -p admin123+

      2. Configure the server-side EAP:

      /socket-binding-group=standard-sockets/socket-binding=remoting:add(port=4447)
      /subsystem=remoting/connector=remoting-connector:add(socket-binding=remoting, sasl-authentication-factory=application-sasl-authentication)
      

      3. Start the client-side EAP bound to a different loopback address, with a system property pointing at the server side:

      {$CLIENT_SIDE}/bin/standalone.sh -b 127.0.0.8 -bmanagement 127.0.0.8 -Dremote.ejb.host=127.0.0.1

      4. Set up the outbound connection referenced from the deployment, then access http://127.0.0.8:8080/client-side/:

      Authentication context defined on the remote outbound connection, no Elytron default:
      /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=4447)
      /subsystem=elytron/authentication-configuration=admin-cfg:add(sasl-mechanism-selector=(!JBOSS-LOCAL-USER && DIGEST-MD5), credential-reference={clear-text="admin123+"}, authentication-name=admin, protocol=remote)
      /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}])
      /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb)
      reload
      deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war

      5. If the aforementioned authentication context is defined as the Elytron default (even when it is not set on the connection at all, only as the default), the authentication passes.


      Attempting to authenticate with the authentication context defined on the remote outbound connection always fails unless a correct Elytron default context is defined. The security TRACE output on the client-side server is the following:

      13:10:45,693 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:10:45,729 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=127.0.0.1,set-port=4447,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:10:45,756 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:10:45,758 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=127.0.0.1,set-port=4447,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      

      When a correct Elytron default context is defined, the security TRACE output on the client-side server is the following:

      13:14:10,571 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:14:10,602 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:14:10,612 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:14:10,613 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
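The two traces above differ in one place: in the failing case the first lookup (uri=http-remoting://...) matches the connection's rule and resolves principal=admin, but the second lookup (uri=remote://...) reports MatchRule=[null] and resolves principal=anonymous, i.e. the context attached to the outbound connection is not consulted for the remote:// scheme and the empty default applies. With a default context set, that second lookup shows MatchRule=[] and the admin configuration. The script below is an added example, not part of this issue or of EAP; it parses getAuthenticationConfiguration TRACE lines (the sample lines are constructed from the output quoted above, with provider hashes and mechanism properties trimmed) and flags exactly that pattern. The regex and the heuristic are my own and assume the log format shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: TRACE lines modelled on the client-side output quoted in
# the issue, one lookup per URI scheme (hashes and mechanism-properties trimmed).
FAILING_TRACE = """\
13:10:45,693 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5))]
13:10:45,729 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=127.0.0.1,set-port=4447]
"""

# Constructed sample: the same two lookups with the context set as Elytron default.
WORKING_TRACE = """\
13:14:10,571 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present]
13:14:10,602 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present]
"""

# Pulls scheme, host, port, the matched rule text and the resolved principal
# out of one getAuthenticationConfiguration TRACE line (format as on this page).
LOOKUP_RE = re.compile(
    r"getAuthenticationConfiguration uri=(?P<scheme>[a-z-]+)://(?P<host>[^:,/]+):(?P<port>\d+)"
    r".*?MatchRule=\[(?P<rule>[^\]]*)\]"
    r".*?principal=(?P<principal>[^,\]]+)"
)


def parse_lookups(trace: str) -> list:
    """One record per lookup line: scheme, host, port, rule, principal."""
    lookups = []
    for line in trace.splitlines():
        m = LOOKUP_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        lookups.append(rec)
    return lookups


def diagnose(trace: str) -> list:
    """Report destinations where a named principal was resolved for one scheme
    but the remote:// lookup matched no rule ("null") and fell back to anonymous.
    That is the signature of the failure described in this issue; an empty rule
    ("") means the default context was applied, which is the working case."""
    by_dest = defaultdict(list)
    for rec in parse_lookups(trace):
        by_dest[(rec["host"], rec["port"])].append(rec)

    findings = []
    for (host, port), recs in by_dest.items():
        named = sorted({r["principal"] for r in recs if r["principal"] != "anonymous"})
        fell_back = any(
            r["scheme"] == "remote" and r["rule"] == "null" and r["principal"] == "anonymous"
            for r in recs
        )
        if named and fell_back:
            findings.append(
                f"{host}:{port}: remote:// lookup matched no rule and resolved to anonymous, "
                f"although {named} was resolved for the same destination"
            )
    return findings


if __name__ == "__main__":
    print("failing:", diagnose(FAILING_TRACE))
    print("working:", diagnose(WORKING_TRACE))
```

Run over the failing trace, diagnose returns one finding for 127.0.0.1:4447; over the working trace it returns nothing. To collect the input on a real client-side server, enable TRACE for the org.wildfly.security logger as the reporter did and feed the server.log through parse_lookups. Note that the workaround in step 5 (making the context the Elytron default, which is the elytron subsystem's default-authentication-context attribute) applies that configuration to every Elytron client authentication on the server that does not receive a context of its own, a much wider scope for the admin credential than the single outbound connection it was meant for.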
      

            fjuma1@redhat.com Farah Juma
            mjurc@redhat.com Michal Jurc