Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-7569

Elytron DIGEST misconfiguration not handled

    XMLWordPrintable

Details

      1. ./standalone.sh -c standalone-elytron.xml
      2. deploy secured-webapp.war
      3. access localhost:8080/secured-webapp/index.jsp
      4. User can't get in and keep getting 401 http status code

    Description

      To make DIGEST authentication work in deployment it must be configured same realm name in:

      • web.xml realm-name element
        web.xml
          <login-config>
      <auth-method>DIGEST</auth-method>
      <realm-name>ApplicationRealm</realm-name>
  </login-config>
      • mechanism configuration
        standalone-elytron.xml
        <http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="DIGEST">
            <mechanism-realm realm-name="ApplicationRealm"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>
      • name of realm resource
        standalone-elytron.xml
        <properties-realm name="ApplicationRealm" plain-text="true">
    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>

      If any of this differs to others DIGEST authentication will break. Could this kind of misconfiguration be handled somehow?

      • For example by failing during application deployment as application requirement could not be satisfied?
      • Validate in subsystem mechanism-realm realm-name is same as resource name.
      • It seems to me mechanism-realm realm-name was introduced as logical realm-name, but there is apparently still relation to real resource realm name
      server.log
      11:47:52,188 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback
11:47:52,193 TRACE [org.wildfly.security] (default task-1) Nonce AAAAAQAACdkaMyJ9WY+3Q6hSLMedD2vwP/3br3NpIQfFvMy7AfxB24U0ikk= rejected due to age 3275114055938 (ns) being less than 0 or greater than the validity period 60000000000 (ns)
11:47:52,194 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [ApplicationRealm]
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = mchoma
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Name assigning: [mchoma], pre-realm rewritten: [mchoma], realm name: [ApplicationRealm], post realm rewritten: [mchoma], realm rewritten: [mchoma]
11:47:52,203 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: obtained successfully
11:47:52,205 TRACE [org.wildfly.security] (default task-1) New nonce generated AAAAAQAADNOm6QyrQhaMKqCYnVqKKW5eF8UdwDpU9cPoj41zsEXmC/qsg2A=, using seed ApplicationRealm
11:47:52,216 TRACE [org.wildfly.security] (default task-2) Handling MechanismInformationCallback
11:47:52,218 TRACE [org.wildfly.security] (default task-2) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [ApplicationRealm]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = mchoma
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Name assigning: [mchoma], pre-realm rewritten: [mchoma], realm name: [ApplicationRealm], post realm rewritten: [mchoma], realm rewritten: [mchoma]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: obtained successfully
11:47:52,221 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [mchoma] -> decoded roles [Admin] -> realm mapped roles [Admin] -> domain mapped roles [Admin]
11:47:52,222 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [mchoma] with roles [Admin] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
11:47:52,222 TRACE [org.wildfly.security] (default task-2) Authorization succeed
11:47:52,223 TRACE [org.wildfly.security] (default task-2) RunAs authorization succeed - the same identity
11:47:52,223 TRACE [org.wildfly.security] (default task-2) Handling AuthorizeCallback: authenticationID = mchoma  authorizationID = mchoma  authorized = true
11:47:52,223 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: succeed
11:47:52,224 TRACE [org.wildfly.security] (default task-2) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@b3518a9
11:47:52,224 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [mchoma] -> decoded roles [Admin] -> realm mapped roles [Admin] -> domain mapped roles [Admin]

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2373 Elytron DIGEST misconfiguration not handled

          • Critical - To be worked on immediately following BLOCKER issues.
          • Resolved
          is incorporated by

          Task - Represents a small unit of work that is not end-user facing. ELY-1114 Check for realm availability when selecting a DIGEST mechanism realm

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-11068 Upgrade WildFly Elytron to 1.1.0.Beta45

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-7563 Elytron auth method misconfiguration not handled

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              psilva@redhat.com Pedro Igor Craveiro
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: