Loading...

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.3.6.CR1, 7.3.6.GA
Affects Version/s: None
Component/s: Security
Labels:
- test_included

Blocked:
False
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
QE Test Coverage:
+
Release Note Text:
Undefined
Target Release:

7.3.z.GA
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/1471
Market:

SFDC Cases Counter:
SFDC Cases Links:

Trying to configure an ejb client with Sasl authentication using a credential store causes an "Invalid algorithm clear" error as follows:

Suppressed: javax.security.sasl.SaslException: ELY05053: Callback handler failed for unknown reason [Caused by java.io.IOException: ELY01030: Unable to read credential]
 at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:160)
 at org.wildfly.security.mechanism._private.MechanismUtil.getPasswordCredential(MechanismUtil.java:102)
 at org.wildfly.security.mechanism.scram.ScramClient.handleInitialChallenge(ScramClient.java:245)
 at org.wildfly.security.sasl.scram.ScramSaslClient.evaluateMessage(ScramSaslClient.java:75)
 at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:219)
 at org.wildfly.security.sasl.util.AbstractSaslClient.evaluateChallenge(AbstractSaslClient.java:98)
 at org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
 at org.wildfly.security.sasl.util.PrivilegedSaslClient.lambda$evaluateChallenge(PrivilegedSaslClient.java:55)
 at java.base/java.security.AccessController.doPrivileged(Native Method)
 at org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:55)
 at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.lambda$handleEvent(ClientConnectionOpenListener.java:649)
 at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute(EndpointImpl.java:991)
 at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
 at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
 at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
 at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
 at java.base/java.lang.Thread.run(Thread.java:834)
 Caused by: java.io.IOException: ELY01030: Unable to read credential
 at org.wildfly.security.credential.source.impl.CredentialStoreCredentialSource.getCredential(CredentialStoreCredentialSource.java:92)
 at org.wildfly.security.credential.source.CredentialSource.getCredential(CredentialSource.java:207)
 at org.wildfly.security.auth.client.AuthenticationConfiguration$ClientCallbackHandler.handle(AuthenticationConfiguration.java:1841)
 at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory$ClientPrincipalQueryCallbackHandler.handle(LocalPrincipalSaslClientFactory.java:93)
 at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:156)
 ... 16 more
 Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09504: Cannot acquire a credential from the credential store
 at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.retrieve(KeyStoreCredentialStore.java:683)
 at org.wildfly.security.credential.store.CredentialStore.retrieve(CredentialStore.java:303)
 at org.wildfly.security.credential.store.CredentialStore.retrieve(CredentialStore.java:287)
 at org.wildfly.security.credential.source.impl.CredentialStoreCredentialSource.getCredential(CredentialStoreCredentialSource.java:88)
 ... 20 more
 Caused by: java.security.NoSuchAlgorithmException: ELY08028: Invalid algorithm "clear"
 at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:122)
 at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:76)
 at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.retrieve(KeyStoreCredentialStore.java:679)
 ... 23 more

Here is my wildfly-config.xml where the credential-store-reference has been configured.

<configuration>
 <authentication-client xmlns="urn:elytron:client:1.5">
 <credential-stores>
 <credential-store name="mycredstore">
 <attributes>
 <attribute name="keyStoreType" value="JCEKS"/>
 <attribute name="location" value="/home/szcalles/Wildfly/wildfly/build/target/wildfly-20.0.0.Final-SNAPSHOT/standalone/configuration/mycredstore.cs"></attribute>
 </attributes>
 <protection-parameter-credentials>
 <clear-password password="StorePassword"/>
 </protection-parameter-credentials>
 </credential-store>
 </credential-stores>

<authentication-rules>
 <rule use-configuration="default-config"/>
 </authentication-rules>
 <authentication-configurations>
 <configuration name="default-config">
 <set-user-name name="quickstartUser"/>
 <credentials>
 <credential-store-reference store="mycredstore" alias="quickstartUser"/>
 </credentials>
 <sasl-mechanism-selector selector="SCRAM-SHA-512"/>
 <providers>
 <use-service-loader />
 </providers>
 </configuration>
 </authentication-configurations>
 </authentication-client>
</configuration>

The provider configuration in wildfly-config.xml is specified correctly:

<providers>
 <use-service-loader />
</providers>

The problem seems to be in PasswordFactory.getInstance() in KeyStoreCredentialStore where we aren't setting the providers we have configured. Instead, it seems to use INSTALLED_PROVIDERS which does not have the Elytron providers.

clones

ELY-1976 Elytron provider not being used with credential store and SASL authentication on the Client Side

Resolved

is incorporated by

JBEAP-20791 (7.3.z) Upgrade WildFly Elytron from 1.10.10.Final-redhat-00001 to 1.10.11.Final-redhat-00001

Closed

Details

Description

Attachments

Issue Links

Activity

People

Dates