  1. WildFly EJB HTTP Client
  2. WEJBHTTP-80

Digest authentication creates URI with port -1 when using standard ports


Details

      Just deploy an EJB application and configure the server to run on the standard http (80) or https (443) port. Use the URL without any port to call the EJB using the http client:

          private static RemoteCounter lookupRemoteStatefulCounter(String protocol) throws NamingException {
              AuthenticationConfiguration config = AuthenticationConfiguration.empty().useName("user").usePassword("password");
              AuthenticationContext authenticationContext = AuthenticationContext.empty().with(MatchRule.ALL, config);
              AuthenticationContext.getContextManager().setGlobalDefault(authenticationContext);
              final Hashtable<String, String> jndiProperties = new Hashtable<>();
              jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
              jndiProperties.put(Context.PROVIDER_URL,  "http://localhost/wildfly-services");
              final Context context = new InitialContext(jndiProperties);
              return (RemoteCounter) context.lookup("ejb:/ROOT/CounterBean!"
                      + RemoteCounter.class.getName() + "?stateful");
          }
      

      In my tests I have configured HAProxy as a reverse proxy (using standard http port 80) in front of an EAP installation (port 8080).

      A sample application is in the related JBEAP-23622, but any EJB client/server app can be used.


      In my tests you can make it work by configuring the client to specify the default port in the URL. For example:

      jndiProperties.put(Context.PROVIDER_URL,  "http://localhost:80/wildfly-services");
      

    Description

      When the EJB server is running on the standard http (80) or https (443) port, the digest URI used for authentication is generated with port -1 if the port is not specified. This triggers an error in the subsequent authentication, as the URI seen by the server is different from the one in the request (this check is done in the server inside the Elytron code), generating this error on the server side:

      TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: fail
      DEBUG [io.undertow.request.security] (default task-2) Authentication failed with message ELY05169: [DIGEST] Clients response token does not match expected token and mechanism DIGEST for HttpServerExchange{ POST /wildfly-services/ejb/v1/open/-/ROOT/-/CounterBean}
      

      On the client side the request just fails with error 400 (bad request):

      java.io.IOException: WFHTTP000005: Invalid response code 400 (full response ClientResponse{responseHeaders={content-length=[76], content-type=[text/html], date=[Fri, 27 May 2022 07:04:15 GMT]}, responseCode=400, status='', protocol=HTTP/2.0})
      	at org.wildfly.httpclient.common.HttpTargetContext$2$1.lambda$completed$4(HttpTargetContext.java:247)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      	at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280)
      	at java.base/java.lang.Thread.run(Thread.java:829)
      

      In my EJB example the URI sent by the client in the digest auth is: http://localhost:-1/wildfly-services/ejb/v1/open/-/ROOT/-/CounterBean. Note the -1 instead of none (80).
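The port -1 in the digest URI matches what `java.net.URI.getPort()` returns for a URL with no explicit port. The following is an added illustration, not code from the issue or from the WildFly client: the naive string concatenation is an assumed form of the defect, and the realm, nonce and cnonce are constructed values. It shows the URI with and without the guard, and why the digest tokens then differ.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestUriPortDemo {

    // Assumed form of the defect: URI.getPort() returns -1 when the URL has no port.
    static String naiveDigestUri(URI base, String path) {
        return base.getScheme() + "://" + base.getHost() + ":" + base.getPort()
                + base.getPath() + path;
    }

    // Corrected form: emit ":port" only when the URL carried an explicit port.
    static String fixedDigestUri(URI base, String path) {
        String port = base.getPort() == -1 ? "" : ":" + base.getPort();
        return base.getScheme() + "://" + base.getHost() + port + base.getPath() + path;
    }

    static String md5Hex(String s) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // RFC 7616 response for qop=auth; HA2 covers the method and the digest URI.
    static String response(String method, String digestUri) throws Exception {
        String ha1 = md5Hex("user:ExampleRealm:password");      // constructed realm
        String ha2 = md5Hex(method + ":" + digestUri);
        return md5Hex(ha1 + ":constructed-nonce:00000001:constructed-cnonce:auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        String path = "/ejb/v1/open/-/ROOT/-/CounterBean";
        URI noPort = URI.create("http://localhost/wildfly-services");
        URI withPort = URI.create("http://localhost:80/wildfly-services"); // the workaround URL

        String bad = naiveDigestUri(noPort, path);
        String good = fixedDigestUri(noPort, path);
        System.out.println("naive, no port   : " + bad);
        System.out.println("fixed, no port   : " + good);
        System.out.println("naive, port 80   : " + naiveDigestUri(withPort, path));

        // Model of the page's description: the client hashes the URI it built,
        // the server hashes the URI it saw in the request.
        String clientToken = response("POST", bad);
        String serverToken = response("POST", good);
        System.out.println("tokens match     : " + clientToken.equals(serverToken));
    }
}
```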


            People

              rhn-support-rmartinc Ricardo Martin Camarero