- Bug
- Resolution: Done
- Blocker
- 7.1.0.DR9
- ./standalone.sh -c standalone-elytron.xml
- deploy secured-webapp.war
- access localhost:8080/secured-webapp/index.jsp
- User can't get in and keeps getting the 401 HTTP status code
To make DIGEST authentication work in a deployment, the same realm name must be configured in:
- web.xml realm-name element
web.xml
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>ApplicationRealm</realm-name>
</login-config>
- mechanism configuration
standalone-elytron.xml
<http-authentication-factory name="application-http-authentication" http-server-mechanism-factory="global" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="DIGEST">
            <mechanism-realm realm-name="ApplicationRealm"/>
        </mechanism>
    </mechanism-configuration>
</http-authentication-factory>
- name of realm resource
standalone-elytron.xml
<properties-realm name="ApplicationRealm" plain-text="true">
    <users-properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</properties-realm>
If any of these differs from the others, DIGEST authentication will break. Could this kind of misconfiguration be handled somehow?
- For example, by failing during application deployment, as the application's requirement could not be satisfied?
- Validate in the subsystem that the mechanism-realm realm-name is the same as the resource name.
- It seems to me that mechanism-realm realm-name was introduced as a logical realm name, but there is apparently still a relation to the real resource realm name.
server.log
11:47:52,188 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback
11:47:52,193 TRACE [org.wildfly.security] (default task-1) Nonce AAAAAQAACdkaMyJ9WY+3Q6hSLMedD2vwP/3br3NpIQfFvMy7AfxB24U0ikk= rejected due to age 3275114055938 (ns) being less than 0 or greater than the validity period 60000000000 (ns)
11:47:52,194 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [ApplicationRealm]
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = mchoma
11:47:52,195 TRACE [org.wildfly.security] (default task-1) Name assigning: [mchoma], pre-realm rewritten: [mchoma], realm name: [ApplicationRealm], post realm rewritten: [mchoma], realm rewritten: [mchoma]
11:47:52,203 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: obtained successfully
11:47:52,205 TRACE [org.wildfly.security] (default task-1) New nonce generated AAAAAQAADNOm6QyrQhaMKqCYnVqKKW5eF8UdwDpU9cPoj41zsEXmC/qsg2A=, using seed ApplicationRealm
11:47:52,216 TRACE [org.wildfly.security] (default task-2) Handling MechanismInformationCallback
11:47:52,218 TRACE [org.wildfly.security] (default task-2) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [ApplicationRealm]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = mchoma
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Name assigning: [mchoma], pre-realm rewritten: [mchoma], realm name: [ApplicationRealm], post realm rewritten: [mchoma], realm rewritten: [mchoma]
11:47:52,219 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: obtained successfully
11:47:52,221 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [mchoma] -> decoded roles [Admin] -> realm mapped roles [Admin] -> domain mapped roles [Admin]
11:47:52,222 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [mchoma] with roles [Admin] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
11:47:52,222 TRACE [org.wildfly.security] (default task-2) Authorization succeed
11:47:52,223 TRACE [org.wildfly.security] (default task-2) RunAs authorization succeed - the same identity
11:47:52,223 TRACE [org.wildfly.security] (default task-2) Handling AuthorizeCallback: authenticationID = mchoma authorizationID = mchoma authorized = true
11:47:52,223 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: succeed
11:47:52,224 TRACE [org.wildfly.security] (default task-2) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@b3518a9
11:47:52,224 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [mchoma] -> decoded roles [Admin] -> realm mapped roles [Admin] -> domain mapped roles [Admin]
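A pre-deployment check for the three-way realm-name agreement described in this report, as an added example that is not part of the original report or of Elytron itself. The function names, the `<web-app>`/`<subsystem>` wrappers and the sample strings are constructed for illustration, and only `properties-realm` resources are considered.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, wrapping the fragments quoted in the report.
WEB_XML = """<web-app><login-config><auth-method>DIGEST</auth-method>
<realm-name>ApplicationRealm</realm-name></login-config></web-app>"""
ELYTRON_XML = """<subsystem>
<http-authentication-factory name="application-http-authentication"
    http-server-mechanism-factory="global" security-domain="ApplicationDomain">
  <mechanism-configuration><mechanism mechanism-name="DIGEST">
    <mechanism-realm realm-name="ApplicationRealm"/>
  </mechanism></mechanism-configuration>
</http-authentication-factory>
<properties-realm name="ApplicationRealm" plain-text="true"/>
</subsystem>"""

def named(root, name):
    """All descendants with this local tag name, ignoring XML namespaces."""
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]

def text_of(parent, name):
    """Trimmed text of the first matching descendant element, or None."""
    return next(((el.text or "").strip() for el in named(parent, name)), None)

def check_digest_realms(web_xml, elytron_xml):
    """Return mismatch descriptions; an empty list means the names agree."""
    web, ely = ET.fromstring(web_xml), ET.fromstring(elytron_xml)
    # Assumption: only properties-realm resources are considered here.
    resources = {el.get("name") for el in named(ely, "properties-realm")}
    mech_realms = set()
    for mech in named(ely, "mechanism"):
        if mech.get("mechanism-name") == "DIGEST":
            mech_realms |= {r.get("realm-name") for r in named(mech, "mechanism-realm")}
    problems = []
    for lc in named(web, "login-config"):
        if text_of(lc, "auth-method") != "DIGEST":
            continue
        realm = text_of(lc, "realm-name")
        if realm not in mech_realms:
            problems.append(f"web.xml realm-name {realm!r} has no DIGEST mechanism-realm")
    for name in sorted(mech_realms - resources):
        problems.append(f"mechanism-realm {name!r} matches no realm resource")
    return problems

if __name__ == "__main__":
    broken = ELYTRON_XML.replace('<properties-realm name="ApplicationRealm"',
                                 '<properties-realm name="RenamedRealm"')
    for label, cfg in (("consistent", ELYTRON_XML), ("resource renamed", broken)):
        print(label, "->", check_digest_realms(WEB_XML, cfg) or "OK")
```
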
- is cloned by
  - WFCORE-2373 Elytron DIGEST misconfiguration not handled (Resolved)
- is incorporated by
  - ELY-1114 Check for realm availability when selecting a DIGEST mechanism realm (Resolved)
  - JBEAP-11068 Upgrade WildFly Elytron to 1.1.0.Beta45 (Closed)
- relates to
  - JBEAP-7563 Elytron auth method misconfiguration not handled (Closed)