Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-7569

Elytron DIGEST misconfiguration not handled

XMLWordPrintable

      1. ./standalone.sh -c standalone-elytron.xml
      2. deploy secured-webapp.war
      3. access localhost:8080/secured-webapp/index.jsp
      4. User can't get in and keep getting 401 http status code

      To make DIGEST authentication work in deployment it must be configured same realm name in:

      • web.xml realm-name element
        web.xml
          <login-config>
              <auth-method>DIGEST</auth-method>
              <realm-name>ApplicationRealm</realm-name>
          </login-config>
        
      • mechanism configuration
        standalone-elytron.xml
        <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
            <mechanism-configuration>
                <mechanism mechanism-name="DIGEST">
                    <mechanism-realm realm-name="ApplicationRealm"/>
                </mechanism>
            </mechanism-configuration>
        </http-authentication-factory>
        
      • name of realm resource
        standalone-elytron.xml
        <properties-realm name="ApplicationRealm" plain-text="true">
            <users-properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </properties-realm>
        

      If any of this differs to others DIGEST authentication will break. Could this kind of misconfiguration be handled somehow?

      • For example by failing during application deployment as application requirement could not be satisfied?
      • Validate in subsystem mechanism-realm realm-name is same as resource name.
      • It seems to me mechanism-realm realm-name was introduced as logical realm-name, but there is apparently still relation to real resource realm name
      server.log
      11:47:52,188 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback
      11:47:52,193 TRACE [org.wildfly.security] (default task-1) Nonce AAAAAQAACdkaMyJ9WY+3Q6hSLMedD2vwP/3br3NpIQfFvMy7AfxB24U0ikk= rejected due to age 3275114055938 (ns) being less than 0 or greater than the validity period 60000000000 (ns)
      11:47:52,194 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
      11:47:52,195 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [ApplicationRealm]
      11:47:52,195 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = mchoma
      11:47:52,195 TRACE [org.wildfly.security] (default task-1) Name assigning: [mchoma], pre-realm rewritten: [mchoma], realm name: [ApplicationRealm], post realm rewritten: [mchoma], realm rewritten: [mchoma]
      11:47:52,203 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: obtained successfully
      11:47:52,205 TRACE [org.wildfly.security] (default task-1) New nonce generated AAAAAQAADNOm6QyrQhaMKqCYnVqKKW5eF8UdwDpU9cPoj41zsEXmC/qsg2A=, using seed ApplicationRealm
      11:47:52,216 TRACE [org.wildfly.security] (default task-2) Handling MechanismInformationCallback
      11:47:52,218 TRACE [org.wildfly.security] (default task-2) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
      11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [ApplicationRealm]
      11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = mchoma
      11:47:52,219 TRACE [org.wildfly.security] (default task-2) Name assigning: [mchoma], pre-realm rewritten: [mchoma], realm name: [ApplicationRealm], post realm rewritten: [mchoma], realm rewritten: [mchoma]
      11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: obtained successfully
      11:47:52,221 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [mchoma] -> decoded roles [Admin] -> realm mapped roles [Admin] -> domain mapped roles [Admin]
      11:47:52,222 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [mchoma] with roles [Admin] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      11:47:52,222 TRACE [org.wildfly.security] (default task-2) Authorization succeed
      11:47:52,223 TRACE [org.wildfly.security] (default task-2) RunAs authorization succeed - the same identity
      11:47:52,223 TRACE [org.wildfly.security] (default task-2) Handling AuthorizeCallback: authenticationID = mchoma  authorizationID = mchoma  authorized = true
      11:47:52,223 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: succeed
      11:47:52,224 TRACE [org.wildfly.security] (default task-2) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@b3518a9
      11:47:52,224 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [mchoma] -> decoded roles [Admin] -> realm mapped roles [Admin] -> domain mapped roles [Admin]
      

            psilva@redhat.com Pedro Igor Craveiro
            mchoma@redhat.com Martin Choma
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: