Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9073

MechanismInformationCallback blocks certificate based authn (Undertow with Elytron)

    XMLWordPrintable

Details

    Description

      It is not possible to set up authentication based on certificates. Following the community documentation [1,2] to set up 2-way SSL for apps and certificates based auth. Everything works as expected until a client with client certificate tries to access protected resource that should be accessible. Such resource returns 403 Forbidden instead of 200 OK. Trace log:

      13:31:15,565 TRACE [org.wildfly.security] (default task-33) Evidence verification: evidence = org.wildfly.security.evidence.X509PeerCertificateChainEvidence@42d7e114  evidencePrincipal = CN=client
13:31:15,566 TRACE [org.wildfly.security] (default task-33) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Principal assigning: [CN=client], pre-realm rewritten: [client], realm name: [ksRealm], post realm rewritten: [client], realm rewritten: [client]
13:31:15,566 TRACE [org.wildfly.security] (default task-33) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Evidence verification succeed for alias [client]
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Role mapping: principal [client] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [Guest, Admin]
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorizing principal client.
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorizing against the following attributes: [] => []
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Permission mapping: identity [client] with roles [Guest, Admin] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorization succeed
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authentication succeed for principal [CN=client]
13:31:15,573 TRACE [org.wildfly.security] (default task-34) Handling MechanismInformationCallback
13:31:15,574 TRACE [org.wildfly.security] (default task-34) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost', protocol='https'.

      The last message comes from ServerAuthenticationContext [3].

      [1] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#UsingtheElytronSubsystem-EnableTwoWaySSL%2FTLSinWildFlyforApplications
      [2] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#UsingtheElytronSubsystem-ConfigureAuthenticationwithCertificates
      [3] https://github.com/wildfly-security/wildfly-elytron/blob/6e4dad322ab0421522979448ea18801c2832791c/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L904

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ELY-978 MechanismInformationCallback blocks certificate based authn (Undertow with Elytron)

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-9221 CLIENT_CERT mechanism name has to be used in Elytron http-authentication-factory

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-7534 Authentication based on certificates does not work in Elytron with Undertow

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              Unassigned Unassigned
              okotek@redhat.com Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: