JBoss Enterprise Application Platform: JBEAP-8855

Programmatically set Elytron AuthenticationContext does not work in application server modules


      1) setup authentication-context:

      /subsystem=elytron/authentication-configuration=auth-config:add(authentication-name=user1,realm=ManagementRealm,allow-sasl-mechanisms=[DIGEST-MD5],credential-reference={clear-text=pass@123})
      /subsystem=elytron/authentication-context=auth-context:add(match-rules=[{match-host=localhost,authentication-configuration=auth-config}])
      /subsystem=elytron:write-attribute(name=default-authentication-context,value=auth-context)
      

      2) setup logging:

      /subsystem=logging/logger=org.wildfly.security:add(level=TRACE)
      

      3) add module module-without-wildfly-config-xml.jar (see attachments):

      module add --name=module-without-wildfly-config-xml --resources=/PATH/TO/module-without-wildfly-config-xml.jar --dependencies=org.jboss.dmr,org.jboss.as.controller-client,org.wildfly.client.config,org.wildfly.security.elytron
      

      4) add users:

      ./bin/add-user.sh -u user1 -p pass@123 -r ManagementRealm
      ./bin/add-user.sh -u user2 -p pass@123 -r ManagementRealm
      

      5) use the following http-interface:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      6) deploy the application which calls the module (see attachments)

      7) access http://127.0.0.1:8080/module-without-wildfly-config-xml-dep/directCall?method=callProgramatically&hostname=localhost&captureCurrent=false&useName=user2&usePassword=pass@123&useRealm=ManagementRealm which prints user1 (the user from the authentication-context configured on the application server),
      and see in the server log that user2 has been authenticated correctly, but another authentication then happens for user1


      When code inside any module in the application server executes a management operation through a programmatically configured AuthenticationContext, it does not work correctly.

      According to the server log it seems that it at first authenticates correctly through the programmatically configured AuthenticationContext, but then tries to re-authenticate through the AuthenticationContext obtained from the application server (if default-authentication-context is set, that one is used; otherwise the re-authentication fails completely).

      The same behavior also occurs when the wildfly.config.url property is used.

      Requesting the blocker flag because this issue breaks an RFE.
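      The programmatic path the reproducer exercises (step 7 and the description above), as an added example that is not the attached module's code: it builds an Elytron AuthenticationContext from the same parameters the reproducer URL passes, runs a whoami management operation inside it, and returns the user name the server attached to the request. Assumed: the Elytron client API from the module dependencies listed in step 3, management port 9990, and that the whoami response carries result.identity.username.

```java
import java.util.concurrent.Callable;

import org.jboss.as.controller.client.ModelControllerClient;
import org.jboss.as.controller.client.helpers.Operations;
import org.jboss.dmr.ModelNode;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;

/**
 * Example reconstruction (not the attached module) of a "callProgramatically"
 * request: an AuthenticationContext built in code, without wildfly-config.xml,
 * wrapping a management call. The returned name is what the server believes
 * the caller is; the reproducer expects useName (user2) back.
 */
public class ProgrammaticManagementCall {

    public static String callProgramatically(String hostname, boolean captureCurrent,
                                             String useName, String usePassword,
                                             String useRealm) throws Exception {
        // Credentials the caller intends to use for the management connection.
        AuthenticationConfiguration config = AuthenticationConfiguration.empty()
                .useName(useName)
                .usePassword(usePassword)
                .useRealm(useRealm);

        // captureCurrent=false starts from an empty context, so the server's
        // default-authentication-context (user1) should not take part at all.
        AuthenticationContext base = captureCurrent
                ? AuthenticationContext.captureCurrent()
                : AuthenticationContext.empty();
        AuthenticationContext context = base.with(MatchRule.ALL.matchHost(hostname), config);

        Callable<String> whoami = () -> {
            try (ModelControllerClient client =
                         ModelControllerClient.Factory.create("remote+http", hostname, 9990)) {
                ModelNode response = client.execute(Operations.createOperation("whoami"));
                if (!Operations.isSuccessfulOutcome(response)) {
                    throw new IllegalStateException(
                            Operations.getFailureDescription(response).asString());
                }
                // Check point for the bug: with the second authentication the
                // log shows, this comes back as user1 instead of useName.
                return Operations.readResult(response).get("identity", "username").asString();
            }
        };
        // Every connection opened inside run() resolves its credentials from this context.
        return context.runCallable(whoami);
    }
}
```

      Comparing the returned name with the useName that was passed in gives a one-line check for the misbehavior; the TRACE log below shows why they differ.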

      Server log (when default-authentication-context is set, see Steps to Reproduce):

      2017-02-15 13:43:30,584 TRACE [org.wildfly.security] (default task-2) getAuthenticationConfiguration uri=remote+http://localhost:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=null, MatchRule=[no user,host=localhost], AuthenticationConfiguration=[TrustManager,NamePrincipal=user2,Credentials,realm=ManagementRealm,host=localhost,port=9990]
      2017-02-15 13:43:30,585 TRACE [org.wildfly.security] (default task-2) getAuthenticationConfiguration uri=remote+http://localhost:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=connect, MatchRule=[no user], AuthenticationConfiguration=[TrustManager,NamePrincipal=user2,Credentials,realm=ManagementRealm,host=localhost,port=9990]
      2017-02-15 13:43:30,596 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback
      2017-02-15 13:43:30,597 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback
      2017-02-15 13:43:30,598 TRACE [org.wildfly.security] (management I/O-2) Handling AvailableRealmsCallback: realms = [ManagementRealm]
      2017-02-15 13:43:30,607 TRACE [org.wildfly.security] (management task-10) Handling RealmCallback: selected = [ManagementRealm]
      2017-02-15 13:43:30,608 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = user2
      2017-02-15 13:43:30,610 TRACE [org.wildfly.security] (management task-10) Principal assigning: [user2], pre-realm rewritten: [user2], realm name: [ManagementRealm], post realm rewritten: [user2], realm rewritten: [user2]
      2017-02-15 13:43:30,614 TRACE [org.wildfly.security] (management task-10) Handling CredentialCallback: obtained successfully
      2017-02-15 13:43:30,615 TRACE [org.wildfly.security] (management task-10) Role mapping: principal [user2] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      2017-02-15 13:43:30,616 TRACE [org.wildfly.security] (management task-10) Authorizing principal user2.
      2017-02-15 13:43:30,616 TRACE [org.wildfly.security] (management task-10) Authorizing against the following attributes: [groups] => []
      2017-02-15 13:43:30,617 TRACE [org.wildfly.security] (management task-10) Permission mapping: identity [user2] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      2017-02-15 13:43:30,617 TRACE [org.wildfly.security] (management task-10) Authorization succeed
      2017-02-15 13:43:30,617 TRACE [org.wildfly.security] (management task-10) RunAs authorization succeed - the same identity
      2017-02-15 13:43:30,617 TRACE [org.wildfly.security] (management task-10) Handling AuthorizeCallback: authenticationID = user2  authorizationID = user2  authorized = true
      2017-02-15 13:43:30,618 TRACE [org.wildfly.security] (management task-10) Handling AuthenticationCompleteCallback: succeed
      2017-02-15 13:43:30,618 TRACE [org.wildfly.security] (management task-10) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@9b7d11
      2017-02-15 13:43:30,640 TRACE [org.wildfly.security] (default task-2) getAuthenticationConfiguration uri=remote+http://localhost:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=null, MatchRule=[no user,host=localhost], AuthenticationConfiguration=[TrustManager,NamePrincipal=user1,realm=ManagementRealm,FilterSaslMechanism allow=true,name=[ DIGEST-MD5 ],Credentials,host=localhost,port=9990]
      2017-02-15 13:43:30,641 TRACE [org.wildfly.security] (default task-2) getAuthenticationConfiguration uri=remote+http://localhost:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=connect, MatchRule=[no user], AuthenticationConfiguration=[TrustManager,NamePrincipal=user1,realm=ManagementRealm,FilterSaslMechanism allow=true,name=[ DIGEST-MD5 ],Credentials,host=localhost,port=9990]
      2017-02-15 13:43:30,652 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback
      2017-02-15 13:43:30,653 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback
      2017-02-15 13:43:30,653 TRACE [org.wildfly.security] (management I/O-1) Handling AvailableRealmsCallback: realms = [ManagementRealm]
      2017-02-15 13:43:30,656 TRACE [org.wildfly.security] (management task-6) Handling RealmCallback: selected = [ManagementRealm]
      2017-02-15 13:43:30,656 TRACE [org.wildfly.security] (management task-6) Handling NameCallback: authenticationName = user1
      2017-02-15 13:43:30,656 TRACE [org.wildfly.security] (management task-6) Principal assigning: [user1], pre-realm rewritten: [user1], realm name: [ManagementRealm], post realm rewritten: [user1], realm rewritten: [user1]
      2017-02-15 13:43:30,656 TRACE [org.wildfly.security] (management task-6) Handling CredentialCallback: obtained successfully
      2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Role mapping: principal [user1] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Authorizing principal user1.
      2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Authorizing against the following attributes: [groups] => []
      2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Permission mapping: identity [user1] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Authorization succeed
      2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) RunAs authorization succeed - the same identity
      2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Handling AuthorizeCallback: authenticationID = user1  authorizationID = user1  authorized = true
      2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Handling AuthenticationCompleteCallback: succeed
      2017-02-15 13:43:30,658 TRACE [org.wildfly.security] (management task-6) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@53367941
      

              dlloyd@redhat.com David Lloyd
              olukas Ondrej Lukas (Inactive)