- Bug
- Resolution: Done
- Critical
- 7.1.0.ER1
When an ldap-realm with an x509-credential-mapper is used in a security-domain that is referenced from a server-ssl-context, authorization fails. It seems to be caused by the use of ServerAuthenticationContext.NameAssignedState in [1], which fails in [2] due to [3]. This issue means that x509-credential-mapper cannot work in a server-ssl-context.
Server log:
2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ], pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
2017-06-30 15:01:22,023 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [clientSubjectDn]...
2017-06-30 15:01:22,028 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [clientSubjectDn].
2017-06-30 15:01:22,044 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,081 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@6ca3ef32] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,084 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,086 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [null]. Binary attributes are [null].
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@6ca3ef32] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,154 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,179 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@75395ba6] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
2017-06-30 15:01:22,195 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,197 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,198 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@75395ba6] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,200 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,212 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@22d42495] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,213 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,214 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@22d42495] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
    at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
    at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
    at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
    at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
    at org.wildfly.security.auth.server.ServerAuthenticationContext.succeed(ServerAuthenticationContext.java:492)
    at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:123)
    at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
    at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Since there is no documentation for this scenario, it is possible that this is just a configuration issue; in that case, please provide a valid configuration for this scenario.
[1] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L120
[2] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L122
[3] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L1943
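The configuration shape the report describes, as an added example that is not part of the original issue or of the WildFly Elytron project: a POSIX shell script that emits a jboss-cli batch wiring an ldap-realm with an x509-credential-mapper into a security-domain, which a server-ssl-context with need-client-auth then references. The LDAP URL, bind DN, bind password, search base, rdn-identifier, realm name and the businessCategory attribute are taken from the logged values above; the remaining resource names (ldap-dc, cn-decoder, x509-domain, server-ks, server-ts, server-km, server-tm, x509-ssl), the key-store file names and passwords, and the choice of subject-dn-from=businessCategory as the mapping are assumptions (the log only shows that attribute being fetched). This is the kind of setup in which the reporter observed the ELY01112 failure; the issue does not confirm a working configuration for 7.1.0.ER1.

```shell
#!/bin/sh
# Added example (not from the issue or the project): emits a jboss-cli batch for
# the scenario in the report. Values marked "from log" come from the server log
# in the issue; everything else is an assumed placeholder.
set -eu

# Prints the CLI batch on stdout so it can be reviewed before being applied.
elytron_x509_ldap_batch() {
    cat <<'EOF'
batch
# Directory connection (from log: URL, bind DN, simple bind with password "secret")
/subsystem=elytron/dir-context=ldap-dc:add(url="ldap://localhost:10389", principal="uid=admin,ou=system", credential-reference={clear-text="secret"})
# Realm: identities are looked up with (uid={0}) under the search base from the log.
# The x509-credential-mapper checks the client certificate against the LDAP entry;
# mapping the subject DN to businessCategory is an assumption.
/subsystem=elytron/ldap-realm=ldap-realm-subject-dn:add(dir-context=ldap-dc, identity-mapping={search-base-dn="o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org", rdn-identifier="uid", x509-credential-mapper={subject-dn-from="businessCategory"}})
# Decode the certificate's CN into the lookup name (from log: CN=clientSubjectDn -> clientSubjectDn)
/subsystem=elytron/x500-attribute-principal-decoder=cn-decoder:add(attribute-name="cn")
/subsystem=elytron/security-domain=x509-domain:add(realms=[{realm=ldap-realm-subject-dn}], default-realm=ldap-realm-subject-dn, principal-decoder=cn-decoder, permission-mapper=default-permission-mapper)
# TLS material (assumed file names and passwords)
/subsystem=elytron/key-store=server-ks:add(path="server.keystore", relative-to="jboss.server.config.dir", type="JKS", credential-reference={clear-text="CHANGE_ME"})
/subsystem=elytron/key-store=server-ts:add(path="server.truststore", relative-to="jboss.server.config.dir", type="JKS", credential-reference={clear-text="CHANGE_ME"})
/subsystem=elytron/key-manager=server-km:add(key-store=server-ks, credential-reference={clear-text="CHANGE_ME"})
/subsystem=elytron/trust-manager=server-tm:add(key-store=server-ts)
# Referencing the security-domain from the server-ssl-context is what routes the
# client certificate through SecurityDomainTrustManager during the TLS handshake.
/subsystem=elytron/server-ssl-context=x509-ssl:add(key-manager=server-km, trust-manager=server-tm, security-domain=x509-domain, need-client-auth=true, protocols=["TLSv1.2"])
# Switch the HTTPS listener from the legacy security-realm to the Elytron ssl-context
/subsystem=undertow/server=default-server/https-listener=https:undefine-attribute(name=security-realm)
/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=ssl-context, value=x509-ssl)
run-batch
EOF
}

# Consistency check run before applying: the security-domain named on the
# server-ssl-context line must be defined in the batch, otherwise run-batch
# fails on the dangling reference. Returns 0 when the reference resolves.
batch_is_consistent() {
    _batch=$(elytron_x509_ldap_batch)
    _domain=$(printf '%s\n' "$_batch" | sed -n 's/.*server-ssl-context=[^:]*:add(.*security-domain=\([^,)]*\).*/\1/p')
    [ -n "$_domain" ] || return 1
    printf '%s\n' "$_batch" | grep -q "^/subsystem=elytron/security-domain=$_domain:add("
}

# Apply only when explicitly requested and jboss-cli is available; otherwise
# just print the batch for review.
if [ "${APPLY_BATCH:-0}" = 1 ] && [ -x "${JBOSS_HOME:-}/bin/jboss-cli.sh" ]; then
    batch_is_consistent
    elytron_x509_ldap_batch | "$JBOSS_HOME/bin/jboss-cli.sh" --connect
else
    elytron_x509_ldap_batch
fi
```

Run with `APPLY_BATCH=1 JBOSS_HOME=/path/to/eap sh script.sh` against a running standalone server to apply; without those variables the script only prints the batch. Because the listener's security-realm is undefined and ssl-context set inside one batch, the server applies both as a single operation.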
- is cloned by: ELY-1275 x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context (Resolved)
- is incorporated by: JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3 (Closed)