JBoss Enterprise Application Platform
JBEAP-23971

[GSS](7.4.z) ELYWEB-155 - Don't override the deployment's authentication mechanisms when overrideDeploymentConfig is false and the loginConfig is null


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 7.4.9.CR1, 7.4.9.GA
    • Affects Version/s: 7.4.6.GA, 7.4.7.GA
    • Component/s: Security
    • Labels: None
    • Workaround: Workaround Exists
    • Workaround Description:

      - Disabling proactive-authentication
      - Or disabling the elytron security domain use in undertow
      - Or configuring a <login-config> for the application in its WEB-INF/web.xml. This can even be an empty login-config on the app:

      <web-app>
        <login-config>
        </login-config>
      </web-app>

    • Steps to Reproduce:

      1. Run with the attached standalone.xml. Run with '-Djavax.net.debug=ssl,handshake' to see cert requests.
      2. Make any HTTPS request via HTTP/1.1. Note from the logs the unexpected auth and client cert activity:

      2022-09-14 16:41:18,421 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@34c83030] for mechanism [BASIC]
      2022-09-14 16:41:18,422 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@8507f0a] for mechanism [CLIENT_CERT]
      2022-09-14 16:41:18,423 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@3410ffbe] for mechanism [DIGEST]
      2022-09-14 16:41:18,424 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@576ec223] for mechanism [FORM]
      2022-09-14 16:41:18,426 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = []
      2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] (default task-1) loading from cache: null
      2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] (default task-1) loading from cache: null
      2022-09-14 16:41:18,429 TRACE [org.wildfly.security] (default task-1) Handling CachedIdentityAuthorizeCallback: principal = null  authorizedIdentity = null
      2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] (default task-1) clearing identity cache
      2022-09-14 16:41:18,429 TRACE [org.wildfly.security.http.cert] (default task-1) Identity was authorized by CachedIdentityAuthorizeCallback handler: false
      2022-09-14 16:41:18,431 ERROR [stderr] (default task-1) javax.net.ssl|DEBUG|A8|default task-1|2022-09-14 16:41:18.431 EDT|HelloRequest.java:105|Produced HelloRequest handshake message (
      ...
      2022-09-14 16:41:18,469 ERROR [stderr] (default task-2) javax.net.ssl|DEBUG|A9|default task-2|2022-09-14 16:41:18.468 EDT|CertificateRequest.java:630|Produced CertificateRequest handshake message (
      2022-09-14 16:41:18,470 ERROR [stderr] (default task-2) "CertificateRequest": {
      ...
      2022-09-14 16:41:18,472 ERROR [stderr] (default task-2) }
      2022-09-14 16:41:18,472 ERROR [stderr] (default task-2) )
      2022-09-14 16:41:18,473 ERROR [stderr] (default task-2) javax.net.ssl|DEBUG|A9|default task-2|2022-09-14 16:41:18.472 EDT|ServerHelloDone.java:97|Produced ServerHelloDone handshake message (
      2022-09-14 16:41:18,473 ERROR [stderr] (default task-2) <empty>
      2022-09-14 16:41:18,473 ERROR [stderr] (default task-2) )
      2022-09-14 16:41:18,479 ERROR [stderr] (default task-2) javax.net.ssl|DEBUG|A9|default task-2|2022-09-14 16:41:18.479 EDT|CertificateMessage.java:372|Consuming client Certificate handshake message (
      2022-09-14 16:41:18,479 ERROR [stderr] (default task-2) "Certificates": <empty list>
      2022-09-14 16:41:18,479 ERROR [stderr] (default task-2) )

    Description

      When an app does not have the login-config element defined, we currently override the app's configuration and enable all the mechanisms from the HttpAuthenticationFactory. The app's authentication mechanisms should only be overridden if overrideDeploymentConfig has been set to true.
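      As an added illustration (not code from this ticket, from EAP or from Elytron), the following Python check parses a deployment's web.xml together with the kind of TRACE and SSL-debug output shown in the steps above, and flags the symptom the description names: HTTP mechanisms being created for an app that has no <login-config> while the override flag is false. The web.xml samples are constructed; the log sample is modelled on the ticket's excerpt; and the `override_deployment_config` argument is an assumed stand-in for the undertow application-security-domain setting the ticket calls overrideDeploymentConfig.

```python
"""Detect the JBEAP-23971 symptom from a web.xml and server TRACE/SSL-debug logs.

Added illustration for the ticket; not EAP, Elytron or Undertow code.
"""
import re
import xml.etree.ElementTree as ET

# Sample log lines modelled on the ticket's excerpt (constructed for this check).
SAMPLE_LOG = """\
2022-09-14 16:41:18,421 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@34c83030] for mechanism [BASIC]
2022-09-14 16:41:18,422 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@8507f0a] for mechanism [CLIENT_CERT]
2022-09-14 16:41:18,423 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@3410ffbe] for mechanism [DIGEST]
2022-09-14 16:41:18,424 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory@576ec223] for mechanism [FORM]
2022-09-14 16:41:18,469 ERROR [stderr] (default task-2) javax.net.ssl|DEBUG|A9|default task-2|2022-09-14 16:41:18.468 EDT|CertificateRequest.java:630|Produced CertificateRequest handshake message (
""".splitlines()

# Constructed web.xml variants: one with no login-config (the affected case) and one
# carrying the empty login-config from the ticket's workaround. Both use the usual
# default namespace, so the check must compare local element names.
WEB_XML_NO_LOGIN_CONFIG = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>demo</display-name>
</web-app>"""

WEB_XML_EMPTY_LOGIN_CONFIG = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <login-config>
  </login-config>
</web-app>"""

# Elytron TRACE line emitted once per mechanism taken from the HttpAuthenticationFactory.
MECHANISM_RE = re.compile(
    r"Created HttpServerAuthenticationMechanism \[[^\]]*\] for mechanism \[([A-Z_]+)\]"
)
# JSSE debug line showing the server asked the client for a certificate (CLIENT_CERT side effect).
CERT_REQUEST_RE = re.compile(r"Produced CertificateRequest handshake message")


def _local_name(tag: str) -> str:
    """Strip a '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def has_login_config(web_xml: str) -> bool:
    """True if web.xml contains a <login-config> element, even an empty one."""
    root = ET.fromstring(web_xml)
    return any(_local_name(el.tag) == "login-config" for el in root.iter())


def created_mechanisms(log_lines) -> list:
    """Distinct mechanism names created for a request, in the order they appear."""
    seen = []
    for line in log_lines:
        match = MECHANISM_RE.search(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def client_cert_requested(log_lines) -> bool:
    """True if the TLS handshake log shows a CertificateRequest being sent."""
    return any(CERT_REQUEST_RE.search(line) for line in log_lines)


def assess(web_xml: str, override_deployment_config: bool, log_lines) -> dict:
    """Flag the ticket's symptom: mechanisms enabled for an app without login-config
    while override_deployment_config (assumed stand-in for the undertow setting) is false."""
    mechanisms = created_mechanisms(log_lines)
    login_config = has_login_config(web_xml)
    affected = (not login_config) and (not override_deployment_config) and bool(mechanisms)
    return {
        "login_config_present": login_config,
        "mechanisms": mechanisms,
        "client_cert_requested": client_cert_requested(log_lines),
        "affected": affected,
    }


if __name__ == "__main__":
    print(assess(WEB_XML_NO_LOGIN_CONFIG, False, SAMPLE_LOG))
    print(assess(WEB_XML_EMPTY_LOGIN_CONFIG, False, SAMPLE_LOG))
```

      Run it against a real deployment by replacing the constructed samples with the contents of the WAR's WEB-INF/web.xml and a server.log captured at TRACE for org.wildfly.security; a result with `affected` set and `client_cert_requested` true is the combination the steps above describe, and a second run after adding the empty <login-config> from the workaround should report the deployment as no longer affected.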

    People

      Assignee: thofman Tomas Hofman
      Reporter: rhn-support-aogburn Aaron Ogburn
      Votes: 0
      Watchers: 5