Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.3.5.GA, 7.3.5.CR1
Affects Version/s: 7.2.9.GA, 7.3.2.GA
Component/s: Security
Labels:
- test_included

Blocked:
False
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
+
Release Note Text:
Undefined
Target Release:

7.3.z.GA
Git Pull Request:
https://github.com/jbossas/jboss-eap7/pull/3742, https://github.com/wildfly-security/wildfly-elytron/pull/1442
Steps to Reproduce:
Hide

Configure HTTPS in the EAP.

Configure HTTPS in an apache and forward to the EAP using mod_proxy_http:

<Location /app> ProxyPass https://jboss.sample.com:8443/app ProxyPassReverse https://jboss.sample.com:8443/app Order deny,allow Deny from all Allow from all </Location>

Configure the EAP to receive forwarding data in the headers:

/subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=certificate-forwarding, value=true) /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding, value=true)

Configure an elytron certificate realm in the EAP:

/subsystem=elytron/key-store=users:add(type=jks, relative-to=jboss.server.config.dir, path=users.jks, credential-reference={clear-text=XXXXX}) /subsystem=elytron/key-store-realm=users-realm:add(key-store=users) /subsystem=elytron/constant-role-mapper=users-roles:add(roles=[Users]) /subsystem=elytron/security-domain=certificate-domain:add(role-mapper=users-roles, realms=[{realm=users-realm}], default-realm=users-realm, permission-mapper=default-permission-mapper) /subsystem=elytron/http-authentication-factory=certificate-auth-fact:add(http-server-mechanism-factory=global, security-domain=certificate-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT,mechanism-realm-configurations=[{realm-name=certificate-sec-domain}]}]) /subsystem=undertow/application-security-domain=certificate-sec-domain:add(http-authentication-factory=certificate-auth-fact)

Deploy an app that uses CLIENT-CERT login (anyone is valid) with the certificate-sec-domain previously configured.
Show
Configure HTTPS in the EAP. Configure HTTPS in an apache and forward to the EAP using mod_proxy_http: <Location /app> ProxyPass https://jboss.sample.com:8443/app ProxyPassReverse https://jboss.sample.com:8443/app Order deny,allow Deny from all Allow from all </Location> Configure the EAP to receive forwarding data in the headers: /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=certificate-forwarding, value=true) /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding, value=true) Configure an elytron certificate realm in the EAP: /subsystem=elytron/key-store=users:add(type=jks, relative-to=jboss.server.config.dir, path=users.jks, credential-reference={clear-text=XXXXX}) /subsystem=elytron/key-store-realm=users-realm:add(key-store=users) /subsystem=elytron/constant-role-mapper=users-roles:add(roles=[Users]) /subsystem=elytron/security-domain=certificate-domain:add(role-mapper=users-roles, realms=[{realm=users-realm}], default-realm=users-realm, permission-mapper=default-permission-mapper) /subsystem=elytron/http-authentication-factory=certificate-auth-fact:add(http-server-mechanism-factory=global, security-domain=certificate-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT,mechanism-realm-configurations=[{realm-name=certificate-sec-domain}]}]) /subsystem=undertow/application-security-domain=certificate-sec-domain:add(http-authentication-factory=certificate-auth-fact) Deploy an app that uses CLIENT-CERT login (anyone is valid) with the certificate-sec-domain previously configured.
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

When configuring a certificate login setup with elytron it doesn't work if the certificate is sent using the certificate-forwarding and proxy-address-forwarding. When there is an web proxy in front of the EAP server and forwarding is activated the following exception is received:

2020-09-14 16:46:37,998 TRACE [org.wildfly.security] (default task-1) CLIENT_CERT: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
        at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:160)
        at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.attemptAuthentication(ClientCertAuthenticationMechanism.java:151)
        at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.evaluateRequest(ClientCertAuthenticationMechanism.java:94)
        at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
        at org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
        at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:270)
        at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:249)
        at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:97)
        at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:96)
       ...
Caused by: java.lang.IllegalStateException: ELY01000: Authentication name was already set on this context
        at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.setPrincipal(ServerAuthenticationContext.java:2025)
        at org.wildfly.security.auth.server.ServerAuthenticationContext.setAuthenticationPrincipal(ServerAuthenticationContext.java:409)
        at org.wildfly.security.auth.server.ServerAuthenticationContext.setAuthenticationName(ServerAuthenticationContext.java:383)
        at org.wildfly.security.auth.server.ServerAuthenticationContext.setAuthenticationName(ServerAuthenticationContext.java:367)
        at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:870)
        at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:851)
        at org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:121)
        at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:156)
        ... 44 more

clones

WFLY-13876 Test for key-store certificate realm login (test for ELY-2023)

Closed

incorporates

ELY-2023 Elytron ClientCertAuthenticationMechanism does not work when using a web proxy

Resolved

is caused by

ELY-2023 Elytron ClientCertAuthenticationMechanism does not work when using a web proxy

Resolved

is incorporated by

JBEAP-20376 (7.3.z) Upgrade WildFly Elytron from 1.10.9.Final-redhat-00001 to 1.10.10.Final-redhat

Closed

Assignee:: Ricardo Martin Camarero

Reporter:: Ricardo Martin Camarero

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2020/09/15 3:29 AM

Updated:: 2024/08/27 1:50 PM

Resolved:: 2020/12/11 4:31 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates