Loading...

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 8.0.0.GA-CR1, 8.0.0.GA
Affects Version/s: 8.0.0.Alpha
Component/s: Clustering, Security, Undertow
Labels:
None

Blocked:
False
Ready:
False
Target Release:

8.0.0.GA
Steps to Reproduce:
Hide

Both version run under standalone-full-ha.xml and both testing package is Attachment

Only when add default-host sso

On clean eap 7.4

/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add()

deploy package (root-app1.war, root-app2.war) by webconsole

package is successful deployed

On clean eap 8

/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add()

deploy package (root-app1.war, root-app2.war) by webconsole

while deployment error occur and package isn't deploy

When setup the elytron sso

On both version

1) create keystore in JBOSS_HOME/standalone/configuration

keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore keystore.jks -dname "CN=localhost" -keypass secret -storepass secret

On clean eap 7.4

2) go through setting mention in wildfly setup (I mention these steps under)

/subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm) /subsystem=elytron/security-domain=example-domain:add(default-realm=example-realm, permission-mapper=default-permission-mapper,realms=[\{realm=example-realm, role-decoder=groups-to-roles}] /subsystem=elytron/filesystem-realm=example-realm:add-identity(identity=testUser1) /subsystem=elytron/filesystem-realm=example-realm:add-identity-attribute(identity=testUser1, name=groups, value=["user"]) /subsystem=elytron/filesystem-realm=example-realm:set-password(identity=testUser1, clear=\{password=testUser1}) /subsystem=elytron/http-authentication-factory=example-http-authentication:add(security-domain=example-domain, http-server-mechanism-factory=global, mechanism-configurations=[\{mechanism-name=FORM}] /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=example-http-authentication) /subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference=\{clear-text=secret}, type=JKS) /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=\{clear-text=secret}) reload

3) change http-invoker from security-realm to http-authentication-factory

batch /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:undefine-attribute(name=security-realm) /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=example-http-authentication) run-batch reload

4) still possible to deploy
5) /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add()
6) after adding default-host sso the same package is unable to deploy and error appear

On clean eap 8
2) go through same setting

/subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm) /subsystem=elytron/security-domain=example-domain:add(default-realm=example-realm, permission-mapper=default-permission-mapper,realms=[\{realm=example-realm, role-decoder=groups-to-roles}] /subsystem=elytron/filesystem-realm=example-realm:add-identity(identity=testUser1) /subsystem=elytron/filesystem-realm=example-realm:add-identity-attribute(identity=testUser1, name=groups, value=["user"]) /subsystem=elytron/filesystem-realm=example-realm:set-password(identity=testUser1, clear=\{password=testUser1}) /subsystem=elytron/http-authentication-factory=example-http-authentication:add(security-domain=example-domain, http-server-mechanism-factory=global, mechanism-configurations=[\{mechanism-name=FORM}] batch /subsystem=undertow/application-security-domain=other:undefine-attribute(name=security-domain) /subsystem=undertow/application-security-domain=other:write-attribute(name=http-authentication-factory, value=example-http-authentication) run-batch reload /subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference=\{clear-text=secret}, type=JKS) /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=\{clear-text=secret}) reload

3) change http-authentication-factory in http-invoker

/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=example-http-authentication) reload

4) still possible to deploy
5)

/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add()

6) after adding default-host sso the same package is unable to deploy and error appear
Show
Both version run under standalone-full-ha.xml and both testing package is Attachment Only when add default-host sso On clean eap 7.4 /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add() deploy package (root-app1.war, root-app2.war) by webconsole package is successful deployed On clean eap 8 /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add() deploy package (root-app1.war, root-app2.war) by webconsole while deployment error occur and package isn't deploy When setup the elytron sso On both version 1) create keystore in JBOSS_HOME/standalone/configuration keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore keystore.jks -dname "CN=localhost" -keypass secret -storepass secret On clean eap 7.4 2) go through setting mention in wildfly setup (I mention these steps under) /subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm) /subsystem=elytron/security-domain=example-domain:add(default-realm=example-realm, permission-mapper=default-permission-mapper,realms=[\{realm=example-realm, role-decoder=groups-to-roles}] /subsystem=elytron/filesystem-realm=example-realm:add-identity(identity=testUser1) /subsystem=elytron/filesystem-realm=example-realm:add-identity-attribute(identity=testUser1, name=groups, value=["user"]) /subsystem=elytron/filesystem-realm=example-realm:set-password(identity=testUser1, clear=\{password=testUser1}) /subsystem=elytron/http-authentication-factory=example-http-authentication:add(security-domain=example-domain, http-server-mechanism-factory=global, mechanism-configurations=[\{mechanism-name=FORM}] /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=example-http-authentication) /subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference=\{clear-text=secret}, type=JKS) /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=\{clear-text=secret}) reload 3) change http-invoker from security-realm to http-authentication-factory batch /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:undefine-attribute(name=security-realm) /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=example-http-authentication) run-batch reload 4) still possible to deploy 5) /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add() 6) after adding default-host sso the same package is unable to deploy and error appear On clean eap 8 2) go through same setting /subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm) /subsystem=elytron/security-domain=example-domain:add(default-realm=example-realm, permission-mapper=default-permission-mapper,realms=[\{realm=example-realm, role-decoder=groups-to-roles}] /subsystem=elytron/filesystem-realm=example-realm:add-identity(identity=testUser1) /subsystem=elytron/filesystem-realm=example-realm:add-identity-attribute(identity=testUser1, name=groups, value=["user"]) /subsystem=elytron/filesystem-realm=example-realm:set-password(identity=testUser1, clear=\{password=testUser1}) /subsystem=elytron/http-authentication-factory=example-http-authentication:add(security-domain=example-domain, http-server-mechanism-factory=global, mechanism-configurations=[\{mechanism-name=FORM}] batch /subsystem=undertow/application-security-domain=other:undefine-attribute(name=security-domain) /subsystem=undertow/application-security-domain=other:write-attribute(name=http-authentication-factory, value=example-http-authentication) run-batch reload /subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference=\{clear-text=secret}, type=JKS) /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=\{clear-text=secret}) reload 3) change http-authentication-factory in http-invoker /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=example-http-authentication) reload 4) still possible to deploy 5) /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add() 6) after adding default-host sso the same package is unable to deploy and error appear

SFDC Cases Counter:
SFDC Cases Links:

Description

When migrating from legacy security to elytron the error appear[1]. The error appear when the /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on is added. When the same thing was tried with setting by [2]the error appear even on EAP 7.4.
I tested it EAP 8 alpha and eap 7.4.0 with same http-authentication-factory (which was for both management-http-authentication on eap 8 I tried it even with application-http-authentication) but the result was always the same error. So from this I assume the /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on with elytron is somehow bugged. I didn't find any documentation where is this specific function used.

In our case we just deploy simple .war which contain web.xml and index.jsp and trying to confirm that the value which are set in sso attribute is correct (testing that sso function attributes). The .war was build by shirinkwrap Archive.

Also for testing I try deploy the sso form which is mention in [2] and the result was same when was single-sign-on in default-host added the error appeared and when the single-sign-on was removed the deployment was working fine.

[1]

{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"_DEFAULT__root-app.war_root-app.war\".undertow-deployment" => "java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'SSO' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'SSO' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.IllegalStateException: The required mechanism 'SSO' is not available in mechanisms [BASIC, CLIENT_CERT, [2]DIGEST, FORM] from the HttpAuthenticationFactory."}}

[2] https://docs.jboss.org/author/display/WFLY/Web%20Single%20Sign-On.html

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

root-app1.war
0.5 kB
2021/12/08 1:40 PM
root-app2.war
0.9 kB
2021/12/08 1:40 PM

Issue Links

is cloned by

WFLY-17898 Deploy fail when /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on is activated

Closed

Deploy fail when /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on is activated

Details

Only when add default-host sso

When setup the elytron sso

Description

Attachments

Attachments

Issue Links

Activity

People

Dates