Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-23971

[GSS](7.4.z) ELYWEB-155 - Don't override the deployment's authentication mechanisms when overrideDeploymentConfig is false and the loginConfig is null

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 7.4.9.CR1, 7.4.9.GA
    • 7.4.6.GA, 7.4.7.GA
    • Security
    • None
    • False
    • False
    • ?
    • Workaround Exists
    • Hide

      -Disabling proactive-authentication
      -Or disabling the elytron security domain use in undertow
      -Or configuring a <login-config> for the application in its WEB-INF/web.xml. This can even be an empty login-config on the app:

      <web-app>
      <login-config>
      </login-config>
      </web-app>

      Show
      -Disabling proactive-authentication -Or disabling the elytron security domain use in undertow -Or configuring a <login-config> for the application in its WEB-INF/web.xml. This can even be an empty login-config on the app: <web-app> <login-config> </login-config> </web-app>
    • Hide

      1. Run with the attached standalone.xml. Run with '-Djavax.net.debug=ssl,handshake' to see cert requests
      2. make any HTTPS request via HTTP/1.1. Note from the logs unexpected auth and client cert activity:

      2022-09-14 16:41:18,421 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@34c83030] for mechanism [BASIC]
2022-09-14 16:41:18,422 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@8507f0a] for mechanism [CLIENT_CERT]
2022-09-14 16:41:18,423 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@3410ffbe] for mechanism [DIGEST]
2022-09-14 16:41:18,424 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@576ec223] for mechanism [FORM]
2022-09-14 16:41:18,426 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = []
2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] (default task-1) loading from cache: null
2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] (default task-1) loading from cache: null
2022-09-14 16:41:18,429 TRACE [org.wildfly.security] (default task-1) Handling CachedIdentityAuthorizeCallback: principal = null  authorizedIdentity = null
2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] (default task-1) clearing identity cache
2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] (default task-1) Identity was authorized by CachedIdentityAuthorizeCallback handler: false
2022-09-14 16:41:18,431 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A8|default task-1|2022-09-14 16:41:18.431 EDT|HelloRequest.java:105|Produced HelloRequest handshake message (
...
2022-09-14 16:41:18,469 ERROR [stderr] (default task-2) javax.net.ssl|DEBUG|A9|default task-2|2022-09-14 16:41:18.468 EDT|CertificateRequest.java:630|Produced CertificateRequest handshake message (
2022-09-14 16:41:18,470 ERROR [stderr] (default task-2) "CertificateRequest": {
...
2022-09-14 16:41:18,472 ERROR [stderr] (default task-2) }
2022-09-14 16:41:18,472 ERROR [stderr] (default task-2) )
2022-09-14 16:41:18,473 ERROR [stderr] (default task-2) javax.net.ssl|DEBUG|A9|default task-2|2022-09-14 16:41:18.472 EDT|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
2022-09-14 16:41:18,473 ERROR [stderr] (default task-2) <empty>
2022-09-14 16:41:18,473 ERROR [stderr] (default task-2) )
2022-09-14 16:41:18,479 ERROR [stderr] (default task-2) javax.net.ssl|DEBUG|A9|default task-2|2022-09-14 16:41:18.479 EDT|CertificateMessage.java:372|Consuming client Certificate handshake message (
2022-09-14 16:41:18,479 ERROR [stderr] (default task-2) "Certificates": <empty list>
2022-09-14 16:41:18,479 ERROR [stderr] (default task-2) )
      Show
      1. Run with the attached standalone.xml. Run with '-Djavax.net.debug=ssl,handshake' to see cert requests 2. make any HTTPS request via HTTP/1.1. Note from the logs unexpected auth and client cert activity: 2022-09-14 16:41:18,421 TRACE [org.wildfly.security] ( default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@34c83030] for mechanism [BASIC] 2022-09-14 16:41:18,422 TRACE [org.wildfly.security] ( default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@8507f0a] for mechanism [CLIENT_CERT] 2022-09-14 16:41:18,423 TRACE [org.wildfly.security] ( default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@3410ffbe] for mechanism [DIGEST] 2022-09-14 16:41:18,424 TRACE [org.wildfly.security] ( default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@576ec223] for mechanism [FORM] 2022-09-14 16:41:18,426 TRACE [org.wildfly.security] ( default task-1) Handling AvailableRealmsCallback: realms = [] 2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] ( default task-1) loading from cache: null 2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] ( default task-1) loading from cache: null 2022-09-14 16:41:18,429 TRACE [org.wildfly.security] ( default task-1) Handling CachedIdentityAuthorizeCallback: principal = null authorizedIdentity = null 2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] ( default task-1) clearing identity cache 2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] ( default task-1) Identity was authorized by CachedIdentityAuthorizeCallback handler: false 2022-09-14 16:41:18,431 ERROR [stderr] ( default task-1) javax.net.ssl|DEBUG|A8| default task-1|2022-09-14 16:41:18.431 EDT|HelloRequest.java:105|Produced HelloRequest handshake message ( ... 2022-09-14 16:41:18,469 ERROR [stderr] ( default task-2) javax.net.ssl|DEBUG|A9| default task-2|2022-09-14 16:41:18.468 EDT|CertificateRequest.java:630|Produced CertificateRequest handshake message ( 2022-09-14 16:41:18,470 ERROR [stderr] ( default task-2) "CertificateRequest" : { ... 2022-09-14 16:41:18,472 ERROR [stderr] ( default task-2) } 2022-09-14 16:41:18,472 ERROR [stderr] ( default task-2) ) 2022-09-14 16:41:18,473 ERROR [stderr] ( default task-2) javax.net.ssl|DEBUG|A9| default task-2|2022-09-14 16:41:18.472 EDT|ServerHelloDone.java:97|Produced ServerHelloDone handshake message ( 2022-09-14 16:41:18,473 ERROR [stderr] ( default task-2) <empty> 2022-09-14 16:41:18,473 ERROR [stderr] ( default task-2) ) 2022-09-14 16:41:18,479 ERROR [stderr] ( default task-2) javax.net.ssl|DEBUG|A9| default task-2|2022-09-14 16:41:18.479 EDT|CertificateMessage.java:372|Consuming client Certificate handshake message ( 2022-09-14 16:41:18,479 ERROR [stderr] ( default task-2) "Certificates" : <empty list> 2022-09-14 16:41:18,479 ERROR [stderr] ( default task-2) )

      When an app does not have the login-config element defined, we currently override the app's configuration and enable all the mechanisms from the HttpAuthenticationFactory. The app's authentication mechanisms should only be overridden if overrideDeploymentConfig has been set to true.

        1. standalone.xml
          30 kB

              thofman Tomas Hofman
              rhn-support-aogburn Aaron Ogburn
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: