Project: JBoss Enterprise Application Platform
Issue: JBEAP-18426

[GSS](7.2.z) WFLY-13161 - CLIENT-CERT login does not work in intermediate elytron setup


      1. Configure https in the server.

      2. Create the old (PicketBox) certificate security-domain and join it to the elytron intermediate config (users.jks is the keystore holding the valid client certs).

      /subsystem=security/security-domain=cert-security-domain:add(cache-type=default)
      /subsystem=security/security-domain=cert-security-domain/jsse=classic:add(keystore={url="${jboss.server.config.dir}/users.jks", password="XXXX"})
      /subsystem=security/security-domain=cert-security-domain/authentication=classic:add(login-modules=[{code=Certificate, flag=required, module-options={password-stacking=useFirstPass, securityDomain=cert-security-domain}}])
      /subsystem=security/elytron-realm=legacy-cert-realm:add(legacy-jaas-config=cert-security-domain)
      

      3. Create the elytron domain and http factory using the legacy cert realm:

      /subsystem=elytron/security-domain=legacy-cert-domain:add(realms=[{realm=legacy-cert-realm}], default-realm=legacy-cert-realm, permission-mapper=default-permission-mapper)
      /subsystem=elytron/http-authentication-factory=legacy-cert-http:add(http-server-mechanism-factory=global, security-domain=legacy-cert-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT}])
      

      4. Create the undertow domain:

      /subsystem=undertow/application-security-domain=legacy-cert-domain:add(http-authentication-factory=legacy-cert-http)
      

      5. Set the TRACE level on org.jboss.security.

      /subsystem=logging/logger=org.jboss.security:add(category=org.jboss.security, level=TRACE)
      

      6. Deploy an application with CLIENT-CERT login authorization and configure its jboss-web.xml to use the legacy-cert-domain. Observe the error PBOX00054: Unable to obtain a X509Certificate from class org.wildfly.security.evidence.X509PeerCertificateChainEvidence.


      Authentication does not use the cache when PicketBox is used through Elytron.

      With Picketbox only:

      2020-01-02 10:39:48,215 TRACE [org.jboss.security] (default task-1) PBOX00208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@8ea6c5a
      2020-01-02 10:39:48,215 TRACE [org.jboss.security] (default task-1) PBOX00201: End isValid, result = true
      2020-01-02 10:39:48,401 TRACE [org.jboss.security] (default task-1) PBOX00354: Setting security roles ThreadLocal: null
      2020-01-02 10:39:56,034 TRACE [org.jboss.security] (default task-1) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@a518beed, cache entry: 
      

      With Picketbox by Elytron:

      2020-01-02 10:42:11,325 TRACE [org.jboss.security] (default task-1) PBOX00205: End validateCache, result = false
      2020-01-02 10:42:11,325 TRACE [org.jboss.security] (default task-1) PBOX00209: defaultLogin, principal: MP VIU1
      2020-01-02 10:42:11,325 TRACE [org.jboss.security] (default task-1) PBOX00221: Begin getAppConfigurationEntry(isone-jaas-cert), size: 4
      2020-01-02 10:42:11,325 TRACE [org.jboss.security] (default task-1) PBOX00224: End getAppConfigurationEntry(isone-jaas-cert), AuthInfo: AppConfigurationEntry[]:
      

      I'm attaching the configurations used and the application to test.
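      The two TRACE excerpts above are the evidence for the second claim (no cache use when PicketBox runs behind Elytron), and the PBOX00054 message in step 6 is the evidence for the first. The Python script below is an example added here to show how to check a server.log for both symptoms; it is not code from the issue, from the reporter, or from EAP/WildFly. It keys on the PBOX message ids that appear in this report, embeds the two excerpts verbatim as sample input, and adds one constructed line carrying the PBOX00054 text from step 6 (its timestamp and ERROR level are assumed). The verdict rules are a heuristic of this example, not anything the server emits, and on a short excerpt they only say whether a JAAS login ran without a matching cache insert.

```python
"""Classify PicketBox log lines: cached authentication vs. a full JAAS login on
every request, plus the PBOX00054 credential-unwrap failure.
Added example for JBEAP-18426; not code from EAP, WildFly or the reporter."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Shape of the lines pasted in the report, e.g.
# 2020-01-02 10:39:48,215 TRACE [org.jboss.security] (default task-1) PBOX00208: Inserted cache info: ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR) "
    r"\[(?P<logger>[\w.]+)\] \((?P<thread>[^)]+)\) "
    r"(?P<code>PBOX\d{5}): (?P<msg>.*)$"
)

# PicketBox message ids that appear in the report.
CACHE_INSERT = "PBOX00208"   # Inserted cache info
VALID_RESULT = "PBOX00201"   # End isValid, result = ...
CACHE_MISS = "PBOX00205"     # End validateCache, result = false
JAAS_LOGIN = "PBOX00209"     # defaultLogin, principal: ...
CERT_FAILURE = "PBOX00054"   # Unable to obtain a X509Certificate from class ...


@dataclass
class AuthSummary:
    cache_inserts: int = 0
    valid_results: int = 0
    cache_misses: int = 0
    jaas_logins: int = 0
    cert_failures: int = 0
    credential_classes: List[str] = field(default_factory=list)  # classes named by PBOX00054
    unparsed: int = 0

    def verdict(self) -> str:
        # Heuristic of this example, not a server-side classification.
        if self.cert_failures:
            return "client-cert broken: login module could not unwrap the credential"
        if self.jaas_logins and not self.cache_inserts:
            return "cache bypassed: full JAAS login on every request"
        if self.cache_inserts:
            return "cache in use"
        return "no authentication activity"


def summarize(lines: Iterable[str]) -> AuthSummary:
    s = AuthSummary()
    for raw in lines:
        line = raw.strip().lstrip("/")  # tolerate the stray leading '/' seen in the pasted excerpt
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            s.unparsed += 1
            continue
        code, msg = m.group("code"), m.group("msg")
        if code == CACHE_INSERT:
            s.cache_inserts += 1
        elif code == VALID_RESULT and msg.endswith("result = true"):
            s.valid_results += 1
        elif code == CACHE_MISS and msg.endswith("result = false"):
            s.cache_misses += 1
        elif code == JAAS_LOGIN:
            s.jaas_logins += 1
        elif code == CERT_FAILURE:
            s.cert_failures += 1
            s.credential_classes.append(msg.rsplit("from class ", 1)[-1].strip())
    return s


# Sample input: the two excerpts quoted in this issue, verbatim.
PICKETBOX_ONLY = """\
2020-01-02 10:39:48,215 TRACE [org.jboss.security] (default task-1) PBOX00208: Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@8ea6c5a
2020-01-02 10:39:48,215 TRACE [org.jboss.security] (default task-1) PBOX00201: End isValid, result = true
2020-01-02 10:39:48,401 TRACE [org.jboss.security] (default task-1) PBOX00354: Setting security roles ThreadLocal: null
2020-01-02 10:39:56,034 TRACE [org.jboss.security] (default task-1) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@a518beed, cache entry:
""".splitlines()

PICKETBOX_VIA_ELYTRON = """\
/2020-01-02 10:42:11,325 TRACE [org.jboss.security] (default task-1) PBOX00205: End validateCache, result = false
2020-01-02 10:42:11,325 TRACE [org.jboss.security] (default task-1) PBOX00209: defaultLogin, principal: MP VIU1
2020-01-02 10:42:11,325 TRACE [org.jboss.security] (default task-1) PBOX00221: Begin getAppConfigurationEntry(isone-jaas-cert), size: 4
2020-01-02 10:42:11,325 TRACE [org.jboss.security] (default task-1) PBOX00224: End getAppConfigurationEntry(isone-jaas-cert), AuthInfo: AppConfigurationEntry[]:
""".splitlines()

# Constructed line: the PBOX00054 message from step 6; timestamp and ERROR level are assumed.
CERT_FAILURE_LINE = ("2020-01-02 10:42:11,340 ERROR [org.jboss.security] (default task-1) "
                     "PBOX00054: Unable to obtain a X509Certificate from class "
                     "org.wildfly.security.evidence.X509PeerCertificateChainEvidence")

if __name__ == "__main__":
    for name, sample in [("PicketBox only", PICKETBOX_ONLY),
                         ("PicketBox via Elytron", PICKETBOX_VIA_ELYTRON),
                         ("PicketBox via Elytron, CLIENT-CERT", PICKETBOX_VIA_ELYTRON + [CERT_FAILURE_LINE])]:
        print(f"{name}: {summarize(sample).verdict()}")
```

      Run it as-is to see the three verdicts, or feed it `open("server.log")` after enabling TRACE on org.jboss.security as in step 5; a steady stream of PBOX00205/PBOX00209 pairs with no PBOX00208 for the same principal is the cache-bypass pattern, and any PBOX00054 naming an Elytron evidence class is the CLIENT-CERT failure from step 6.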

              People: Ricardo Martin Camarero (rhn-support-rmartinc), Rhuan Rocha (rhn-support-rhsilva, Inactive)