Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12561

Use "remote+http" as the default protocol for an Elytron remote outbound connection if no protocol is specified in the resolved AuthenticationConfiguration

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Verified (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 7.1.0.CR1
    • Component/s: Security
    • Labels:
      None

      Description

      Here's a description of the problem from Stefan Guilhen:

      Farah Juma Not sure if this is relevant but do you remember a quick chat we had about a month ago when I was converting this QS and I was getting a $local identity when IntermediateEJB attempted to invoke the SecuredEJB? No matter what I did in terms of configuration I was getting $local even if I used a sasl-mech-selector that explicitly defined DIGEST-MD5 as the only mech.
      I found another sample app that was working correctly and the only difference was that the intermediate EJB was injecting the reference to the remote EJB instead of doing a lookup. So I've changed the QS to inject the reference to the SecuredEJB in the IntermediateEJB and it started working. I don't know if this has anything to do with the current issue but I was also getting the $local identity when running this QS.

      The problem occurs for EJB invocations from a remote server when doing a lookup using a PROVIDER_URL when no protocol is set on the AuthenticationConfiguration that should be used for the remote EJB invocation. In particular, in RemoteOutboundConnectionService#start when an AuthenticationContext is specified for a remote outbound connection and no protocol is set on the resolved AuthenticationConfiguration, we currently use "http-remoting" as the default protocol when constructing the destination URI. In EjbClientContextSetupProcessor.RegistrationService#transformOne, we create an AuthenticationContext with a rule that attempts to match on "http-remoting". However, because the InitialContext is created using "remote+http://localhost:8080" as the PROVIDER_URL, our rule doesn't match this PROVIDER_URL, so the desired AuthenticationConfiguration doesn't actually get used. We could update RemoteOutboundConnectionService#start so that "remote+http" is used as the default protocol instead of the "http-remoting" protocol when no protocol is set on AuthenticationConfiguration that is resolved for an Elytron remote outbound connection.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              fjuma Farah Juma
              Reporter:
              fjuma Farah Juma
              Tester:
              Michal Jurc Michal Jurc
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: