JBoss Enterprise Application Platform / JBEAP-20194

[GSS] (7.3.z) Elytron ClientCertAuthenticationMechanism does not work when using a web proxy

    Details

    • Type: Bug
    • Status: New
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 7.3.2.GA, 7.2.9.GA
    • Fix Version/s: 7.3.5.GA
    • Component/s: Security
    • Labels:
      None
    • Target Release:
    • Steps to Reproduce:
      • Configure HTTPS in the EAP.
      • Configure HTTPS in an Apache server and forward to the EAP using mod_proxy_http:
      <Location /app>
      ProxyPass https://jboss.sample.com:8443/app
      ProxyPassReverse https://jboss.sample.com:8443/app
      Order deny,allow
      Deny from all
      Allow from all
      </Location>
      
      • Configure the EAP to receive forwarding data in the headers:
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=certificate-forwarding, value=true)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=proxy-address-forwarding, value=true)
      
      • Configure an elytron certificate realm in the EAP:
      /subsystem=elytron/key-store=users:add(type=jks, relative-to=jboss.server.config.dir, path=users.jks, credential-reference={clear-text=XXXXX})
      /subsystem=elytron/key-store-realm=users-realm:add(key-store=users)
      /subsystem=elytron/constant-role-mapper=users-roles:add(roles=[Users])
      /subsystem=elytron/security-domain=certificate-domain:add(role-mapper=users-roles, realms=[{realm=users-realm}], default-realm=users-realm, permission-mapper=default-permission-mapper)
      /subsystem=elytron/http-authentication-factory=certificate-auth-fact:add(http-server-mechanism-factory=global, security-domain=certificate-domain, mechanism-configurations=[{mechanism-name=CLIENT_CERT,mechanism-realm-configurations=[{realm-name=certificate-sec-domain}]}])
      /subsystem=undertow/application-security-domain=certificate-sec-domain:add(http-authentication-factory=certificate-auth-fact)
      
      • Deploy an app that uses CLIENT-CERT login (any one is valid) with the certificate-sec-domain previously configured.

      Description

      When configuring a certificate login setup with Elytron, it doesn't work if the certificate is sent using certificate-forwarding and proxy-address-forwarding. When there is a web proxy in front of the EAP server and forwarding is activated, the following exception is received:

      2020-09-14 16:46:37,998 TRACE [org.wildfly.security] (default task-1) CLIENT_CERT: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
              at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:160)
              at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.attemptAuthentication(ClientCertAuthenticationMechanism.java:151)
              at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.evaluateRequest(ClientCertAuthenticationMechanism.java:94)
              at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)
              at org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)
              at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:270)
              at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:249)
              at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:97)
              at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:96)
             ...
      Caused by: java.lang.IllegalStateException: ELY01000: Authentication name was already set on this context
              at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.setPrincipal(ServerAuthenticationContext.java:2025)
              at org.wildfly.security.auth.server.ServerAuthenticationContext.setAuthenticationPrincipal(ServerAuthenticationContext.java:409)
              at org.wildfly.security.auth.server.ServerAuthenticationContext.setAuthenticationName(ServerAuthenticationContext.java:383)
              at org.wildfly.security.auth.server.ServerAuthenticationContext.setAuthenticationName(ServerAuthenticationContext.java:367)
              at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:870)
              at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:851)
              at org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:121)
              at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:156)
              ... 44 more
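
Added triage example (not part of the original report or of the Elytron code base): a Python script that scans a server.log for the failure signature shown above, an ELY05053 raised inside ClientCertAuthenticationMechanism whose cause is ELY01000. The sample log is constructed (its first record is abridged from the trace in this issue, the second is an invented non-matching failure) and the function names are hypothetical.

```python
import re

# Start of a JBoss EAP log record: timestamp, level, [category], (thread), message.
RECORD_START = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<category>[^\]]+)\]\s+\((?P<thread>[^)]*)\)\s+(?P<message>.*)$"
)
ELY_CODE = re.compile(r"\bELY\d{5}\b")


def split_records(text):
    """Group stack frames and 'Caused by:' lines under the record they follow."""
    records = []
    for line in text.splitlines():
        stripped = line.strip()
        m = RECORD_START.match(stripped)
        if m:
            records.append({**m.groupdict(), "causes": [], "frames": []})
        elif records and stripped.startswith("Caused by:"):
            records[-1]["causes"].append(stripped)
        elif records and stripped.startswith("at "):
            records[-1]["frames"].append(stripped[3:])
    return records


def find_name_already_set(text):
    """Return (timestamp, thread) of CLIENT_CERT failures: ELY05053 caused by ELY01000."""
    hits = []
    for rec in split_records(text):
        head_codes = set(ELY_CODE.findall(rec["message"]))
        cause_codes = {c for line in rec["causes"] for c in ELY_CODE.findall(line)}
        in_client_cert = any("ClientCertAuthenticationMechanism" in f for f in rec["frames"])
        if "ELY05053" in head_codes and "ELY01000" in cause_codes and in_client_cert:
            hits.append((rec["ts"], rec["thread"]))
    return hits


# Constructed sample: record 1 is abridged from the trace in this issue,
# record 2 is an invented failure with a different cause and must not match.
SAMPLE_LOG = """\
2020-09-14 16:46:37,998 TRACE [org.wildfly.security] (default task-1) CLIENT_CERT: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
        at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.attemptAuthentication(ClientCertAuthenticationMechanism.java:151)
Caused by: java.lang.IllegalStateException: ELY01000: Authentication name was already set on this context
        at org.wildfly.security.auth.server.ServerAuthenticationContext.setAuthenticationName(ServerAuthenticationContext.java:383)
2020-09-14 16:47:02,113 TRACE [org.wildfly.security] (default task-2) CLIENT_CERT: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
        at org.wildfly.security.http.cert.ClientCertAuthenticationMechanism.attemptAuthentication(ClientCertAuthenticationMechanism.java:151)
Caused by: java.io.IOException: constructed unrelated cause
"""

print(find_name_already_set(SAMPLE_LOG))
```

The trace above is logged at TRACE level in the org.wildfly.security category, so that category must be logging at TRACE for the signature to appear in server.log.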
      

                People

                • Assignee:
                  rhn-support-rmartinc Ricardo Martin Camarero
                • Reporter:
                  rhn-support-rmartinc Ricardo Martin Camarero
                • Votes:
                  0
                • Watchers:
                  5
