Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2954

Elytron sasl-authentication-factory does not offer mechanisms in configured order

    XMLWordPrintable

Details

    • Hide

      1) Configure http-interface to use Elytron:

      <http-interface http-authentication-factory="management-http-authentication">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http"/>
</http-interface>

      2) Change order in mechanisms list in management-sasl-authentication sasl-authentication-factory 

      <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="DIGEST-MD5">
            <mechanism-realm realm-name="ManagementRealm"/>
        </mechanism>
        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
    </mechanism-configuration>
</sasl-authentication-factory>

      3) Add some user to AS and try access jboss CLI - JBOSS-LOCAL-USER is used before DIGEST-MD5

      Show
      1) Configure http-interface to use Elytron: <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" /> </http- interface > 2) Change order in mechanisms list in management-sasl-authentication sasl-authentication-factory <sasl-authentication-factory name= "management-sasl-authentication" sasl-server-factory= "configured" security-domain= "ManagementDomain" > <mechanism-configuration> <mechanism mechanism-name= "DIGEST-MD5" > <mechanism-realm realm-name= "ManagementRealm" /> </mechanism> <mechanism mechanism-name= "JBOSS-LOCAL-USER" realm-mapper= "local" /> </mechanism-configuration> </sasl-authentication-factory> 3) Add some user to AS and try access jboss CLI - JBOSS-LOCAL-USER is used before DIGEST-MD5

    Description

      Application server does not offer SASL mechanisms in order defined in Elytron sasl-authentication-factory. See Steps to Reproduce for more details.

      Screenshot from wireshark 'follow TCP stream' is attached. JBOSS-LOCAL-USER is offered before DIGEST-MD5.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11262 Elytron sasl-authentication-factory does not offer mechanisms in configured order

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              fjuma1@redhat.com Farah Juma
              fjuma1@redhat.com Farah Juma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: