Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-9943

Confusing exception during deployment when ldap-realm does not include password reference

    Details

    • Target Release:
    • Steps to Reproduce:
      Hide

      Run following CLI commands and then use some deployment which uses configured-security-domain security domain:

      /subsystem=elytron/dir-context=dir-context-localhost:add(url="ldap://127.0.0.1:10389",principal="uid=admin,ou=system",credential-reference={clear-text=secret})
      /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification=false,identity-mapping={rdn-identifier=uid})
      /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}],default-realm=ldap-realm-localhost,permission-mapper=default-permission-mapper)
      /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Ldap Elytron"}]}])
      /subsystem=undertow/application-security-domain=configured-security-domain:add(http-authentication-factory=ldap-localhost-http-authentication-factory)
      
      Show
      Run following CLI commands and then use some deployment which uses configured-security-domain security domain: /subsystem=elytron/dir-context=dir-context-localhost:add(url= "ldap: //127.0.0.1:10389" ,principal= "uid=admin,ou=system" ,credential-reference={clear-text=secret}) /subsystem=elytron/ldap-realm=ldap-realm-localhost:add(dir-context=dir-context-localhost,direct-verification= false ,identity-mapping={rdn-identifier=uid}) /subsystem=elytron/security-domain=ldap-security-domain:add(realms=[{realm=ldap-realm-localhost,role-decoder=groups-to-roles}], default -realm=ldap-realm-localhost,permission-mapper= default -permission-mapper) /subsystem=elytron/http-authentication-factory=ldap-localhost-http-authentication-factory:add(http-server-mechanism-factory=global,security-domain=ldap-security-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name= "Ldap Elytron" }]}]) /subsystem=undertow/application-security-domain=configured-security-domain:add(http-authentication-factory=ldap-localhost-http-authentication-factory)

      Description

      In case when ldap-realm is configured with direct-verification=false and no identity-mapping.user-password-mapper is provided then deployment which using this realm fails with Exception:

      ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./print-roles: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./print-roles: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
      	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
      Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
      	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:241)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:99)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
      	... 6 more
      Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.
      	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.lambda$initialSecurityHandler$6(ApplicationSecurityDomainDefinition.java:492)
      	at java.lang.Iterable.forEach(Iterable.java:75)
      	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.initialSecurityHandler(ApplicationSecurityDomainDefinition.java:489)
      	at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.lambda$applyElytronSecurity$2(ApplicationSecurityDomainDefinition.java:425)
      	at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:415)
      	at io.undertow.servlet.core.DeploymentManagerImpl.access$600(DeploymentManagerImpl.java:119)
      	at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:211)
      	at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:174)
      	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
      	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      	at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
      	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:239)
      	... 8 more
      

      Throwing exception is correct since deployment has no possibility how to verify a password through given ldap-realm. However message given to user is confusing, it says "The required mechanism 'BASIC' is not available from the HttpAuthenticationFactory.". Information that ldap-realm is insufficiently configured for given deployment should be propagated to the user.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  soul2zimate Chao Wang
                  Reporter:
                  olukas Ondrej Lukas
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: