Project: JBoss Enterprise Application Platform
Issue: JBEAP-12341

ElytronAuthenticator fails with InvalidKeySpecException

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Versions: 7.1.0.CR1, 7.1.0.ER2
    • Component: Security

      Shared reproducer with JBEAP-12340. The two test methods whose names end with `*WithWorkaround` show the problem described in this issue.

      Reproducer test code is available here: https://github.com/kwart/wildfly/blob/JBEAP-12340-reproducer/testsuite/integration/manualmode/src/test/java/org/wildfly/test/manual/elytron/seccontext/SecurityContextPropagationTestCase.java

      Full steps to reproduce the issue:

      git clone -b JBEAP-12340-reproducer https://github.com/kwart/wildfly.git
      cd wildfly
      mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip
      cd testsuite/integration/manualmode
      mvn clean test -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile=false -Dtest=SecurityContextPropagationTestCase


      One of the scenarios which is expected to work in Elytron is security context propagation from a protected EJB to a protected Servlet using HttpUrlConnection (details in RFE EAP7-284).

      The scenario doesn't work for me. My configuration:

      EJB client ->  protected EJB on server-1 -> protected Servlet on server-2 (BASIC authn)
      

      The EJB contains the following code:

      // this is a hack/workaround for another related issue JBEAP-12340
      Authenticator.setDefault(new ElytronAuthenticator());
      
      final Callable<String> callable = () -> {
          URLConnection conn = url.openConnection();
          conn.connect();
          try (InputStream is = conn.getInputStream()) {
              return IOUtils.toString(is, StandardCharsets.UTF_8);
          }
      };
      
      AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty()
          .useForwardedIdentity(SecurityDomain.getCurrent())
          .setSaslMechanismSelector(SaslMechanismSelector.ALL))
          .runCallable(callable);
      

      The authentication fails with:

      java.security.spec.InvalidKeySpecException
              at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineGetKeySpec(PasswordFactorySpiImpl.java:493)
              at org.wildfly.security.password.PasswordFactory.getKeySpec(PasswordFactory.java:163)
              at org.wildfly.security.auth.util.ElytronAuthenticator.getPasswordAuthentication(ElytronAuthenticator.java:95)
              at java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
              at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
              at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
              at java.security.AccessController.doPrivileged(Native Method)
              at sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
              at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2421)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1719)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
              at org.wildfly.test.manual.elytron.seccontext.EntryBean.lambda$readUrl$1(EntryBean.java:71)
              at org.wildfly.common.context.Contextual.runCallable(Contextual.java:127)
              at org.wildfly.test.manual.elytron.seccontext.SeccontextUtil.switchIdentity(SeccontextUtil.java:32)
              at org.wildfly.test.manual.elytron.seccontext.EntryBean.readUrl(EntryBean.java:78)
      ...
      

      The problem seems to be in the method PasswordFactorySpiImpl.engineGetKeySpec(), which checks the password type:

      if (password instanceof AbstractPasswordImpl) {
      ...
      

      This condition fails for the provided password, which is of type org.wildfly.security.password.interfaces.RawClearPassword.
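      As an added illustration (editor's sketch, not the reporter's code, the Elytron sources or the upstream fix) of why an `instanceof AbstractPasswordImpl` check is brittle: a caller holding a raw `ClearPassword` (what `ClearPassword.createRaw(...)` returns) gets `InvalidKeySpecException` from `getKeySpec()` directly, but can dispatch on the public `ClearPassword` interface and hand the raw instance to `PasswordFactory.translate(...)` to obtain the provider-owned implementation first. It assumes the Elytron 1.x API (`WildFlyElytronProvider`, `ClearPassword.createRaw`, `PasswordFactory.translate`) and that `translate()` accepts raw interface-only instances.

```java
import java.security.GeneralSecurityException;
import java.security.spec.InvalidKeySpecException;

import org.wildfly.security.WildFlyElytronProvider;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.password.spec.ClearPasswordSpec;

public class RawPasswordKeySpecDemo {

    // Recovers the clear-text chars from any Password implementing the public
    // ClearPassword interface, whether it is the provider's own implementation or a
    // raw instance (such as RawClearPassword) created outside the provider.
    static char[] clearChars(PasswordFactory factory, Password password)
            throws GeneralSecurityException {
        // Dispatch on the interface, not on an implementation class: this is the
        // check that stays true for RawClearPassword as well as ClearPasswordImpl.
        if (!(password instanceof ClearPassword)) {
            throw new InvalidKeySpecException("not a clear password: " + password.getAlgorithm());
        }
        try {
            // Works when the factory already owns this implementation.
            return factory.getKeySpec(password, ClearPasswordSpec.class).getEncodedPassword();
        } catch (InvalidKeySpecException rawInstance) {
            // Raw instance (the case in this report): translate() converts it into the
            // provider's own implementation, after which getKeySpec() succeeds.
            // Assumption: translate() accepts raw ClearPassword input.
            Password owned = factory.translate(password);
            return factory.getKeySpec(owned, ClearPasswordSpec.class).getEncodedPassword();
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        PasswordFactory factory = PasswordFactory.getInstance(
                ClearPassword.ALGORITHM_CLEAR, new WildFlyElytronProvider());

        // Constructed sample: a raw clear password, the type the report says trips the check.
        Password raw = ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, "s3cret".toCharArray());

        char[] recovered = clearChars(factory, raw);
        System.out.println("recovered " + recovered.length + " chars");
    }
}
```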

      People: Pedro Igor Craveiro (psilva@redhat.com), Josef Cacek (Inactive) (josef.cacek@gmail.com)