Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2615

Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Blocker Blocker
    • 3.0.0.Beta29
    • 3.0.0.Beta10
    • Security
    • None
    • Hide

      1) Add user:

      ./add-user.sh -u admin -p pass@123 -s
      

      2) Setup authentication context for deployments:

      /subsystem=elytron/authentication-configuration=config:add(authentication-name=admin,allow-sasl-mechanisms=[PLAIN],credential-reference={clear-text=pass@123})
      /subsystem=elytron/authentication-context=ctx:add(match-rules=[{authentication-configuration=config}])
      /subsystem=elytron:write-attribute(name=default-authentication-context,value=ctx)
      reload
      

      3) Deploy application which calls :whoami operation see attachments and access http://127.0.0.1:8080/dep/directCall. It prints admin even if only PLAIN mechanism is allowed on client side.

      Show
      1) Add user: ./add-user.sh -u admin -p pass@123 -s 2) Setup authentication context for deployments: /subsystem=elytron/authentication-configuration=config:add(authentication-name=admin,allow-sasl-mechanisms=[PLAIN],credential-reference={clear-text=pass@123}) /subsystem=elytron/authentication-context=ctx:add(match-rules=[{authentication-configuration=config}]) /subsystem=elytron:write-attribute(name= default -authentication-context,value=ctx) reload 3) Deploy application which calls :whoami operation see attachments and access http://127.0.0.1:8080/dep/directCall . It prints admin even if only PLAIN mechanism is allowed on client side.

      In case when attribute allow-sasl-mechanisms from Elytron Authentication Configuration includes some SASL mechanisms then this attribute (and mechanisms configured there) is not taken into account during choosing SASL mechanism. It means that client tries to use all of mechanisms allowed on server side even if client does not allow them. e.g. in case when server side allowed DIGEST-MD5 and JBOSS-LOCAL-USER and client side allows PLAIN, then it tries to use DIGEST-MD5 and JBOSS-LOCAL-USER mechanisms.

      See log from wireshark in attachments. This is log for server configured through "Steps to Reproduce".

      This happens also for using allow-sasl-mechanisms from wildfly config and also for programatically configured client.

      We request blocker since it allows to use some SASL mechanisms even if they are not allowed on client side.

        1. wireshark.pcapng
          6 kB
        2. dep.war
          4 kB

              darran.lofthouse@redhat.com Darran Lofthouse
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: