Loading...

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.DR19
Affects Version/s: 7.1.0.DR9
Component/s: Security, User Experience
Labels:

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Steps to Reproduce:
1. ./standalone.sh -c standalone-elytron.xml
2. deploy secured-webapp.war
3. access localhost:8080/secured-webapp/index.jsp
4. User can't get in and keep getting 401 http status code

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

To make DIGEST authentication work in deployment it must be configured same realm name in:

web.xml realm-name element

web.xml

  <login-config>
      <auth-method>DIGEST</auth-method>
      <realm-name>ApplicationRealm</realm-name>
  </login-config>

mechanism configuration

standalone-elytron.xml

<http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="DIGEST">
            <mechanism-realm realm-name="ApplicationRealm"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>

name of realm resource

standalone-elytron.xml

<properties-realm name="ApplicationRealm" plain-text="true">
    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>

If any of this differs to others DIGEST authentication will break. Could this kind of misconfiguration be handled somehow?

For example by failing during application deployment as application requirement could not be satisfied?
Validate in subsystem mechanism-realm realm-name is same as resource name.
It seems to me mechanism-realm realm-name was introduced as logical realm-name, but there is apparently still relation to real resource realm name

server.log

11:47:52,188 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback
11:47:52,193 TRACE [org.wildfly.security] (default task-1) Nonce AAAAAQAACdkaMyJ9WY+3Q6hSLMedD2vwP/3br3NpIQfFvMy7AfxB24U0ikk= rejected due to age 3275114055938 (ns) being less than 0 or greater than the validity period 60000000000 (ns)
11:47:52,194 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [ApplicationRealm]
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = mchoma
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Name assigning: [mchoma], pre-realm rewritten: [mchoma], realm name: [ApplicationRealm], post realm rewritten: [mchoma], realm rewritten: [mchoma]
11:47:52,203 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: obtained successfully
11:47:52,205 TRACE [org.wildfly.security] (default task-1) New nonce generated AAAAAQAADNOm6QyrQhaMKqCYnVqKKW5eF8UdwDpU9cPoj41zsEXmC/qsg2A=, using seed ApplicationRealm
11:47:52,216 TRACE [org.wildfly.security] (default task-2) Handling MechanismInformationCallback
11:47:52,218 TRACE [org.wildfly.security] (default task-2) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [ApplicationRealm]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = mchoma
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Name assigning: [mchoma], pre-realm rewritten: [mchoma], realm name: [ApplicationRealm], post realm rewritten: [mchoma], realm rewritten: [mchoma]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: obtained successfully
11:47:52,221 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [mchoma] -> decoded roles [Admin] -> realm mapped roles [Admin] -> domain mapped roles [Admin]
11:47:52,222 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [mchoma] with roles [Admin] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
11:47:52,222 TRACE [org.wildfly.security] (default task-2) Authorization succeed
11:47:52,223 TRACE [org.wildfly.security] (default task-2) RunAs authorization succeed - the same identity
11:47:52,223 TRACE [org.wildfly.security] (default task-2) Handling AuthorizeCallback: authenticationID = mchoma  authorizationID = mchoma  authorized = true
11:47:52,223 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: succeed
11:47:52,224 TRACE [org.wildfly.security] (default task-2) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@b3518a9
11:47:52,224 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [mchoma] -> decoded roles [Admin] -> realm mapped roles [Admin] -> domain mapped roles [Admin]

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

secured-webapp.war.zip
1 kB
2016/11/29 11:10 AM

is cloned by

WFCORE-2373 Elytron DIGEST misconfiguration not handled

Resolved

is incorporated by

ELY-1114 Check for realm availability when selecting a DIGEST mechanism realm

Resolved

JBEAP-11068 Upgrade WildFly Elytron to 1.1.0.Beta45

Closed

relates to

JBEAP-7563 Elytron auth method misconfiguration not handled

Closed

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates