Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2954

Elytron sasl-authentication-factory does not offer mechanisms in configured order

XMLWordPrintable

    • Hide

      1) Configure http-interface to use Elytron:

      <http-interface http-authentication-factory="management-http-authentication">
    <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
    <socket-binding http="management-http"/>
</http-interface>

      2) Change order in mechanisms list in management-sasl-authentication sasl-authentication-factory 

      <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" security-domain="ManagementDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="DIGEST-MD5">
            <mechanism-realm realm-name="ManagementRealm"/>
        </mechanism>
        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
    </mechanism-configuration>
</sasl-authentication-factory>

      3) Add some user to AS and try access jboss CLI - JBOSS-LOCAL-USER is used before DIGEST-MD5

      Show
      1) Configure http-interface to use Elytron: <http- interface http-authentication-factory= "management-http-authentication" > <http-upgrade enabled= " true " sasl-authentication-factory= "management-sasl-authentication" /> <socket-binding http= "management-http" /> </http- interface > 2) Change order in mechanisms list in management-sasl-authentication sasl-authentication-factory <sasl-authentication-factory name= "management-sasl-authentication" sasl-server-factory= "configured" security-domain= "ManagementDomain" > <mechanism-configuration> <mechanism mechanism-name= "DIGEST-MD5" > <mechanism-realm realm-name= "ManagementRealm" /> </mechanism> <mechanism mechanism-name= "JBOSS-LOCAL-USER" realm-mapper= "local" /> </mechanism-configuration> </sasl-authentication-factory> 3) Add some user to AS and try access jboss CLI - JBOSS-LOCAL-USER is used before DIGEST-MD5

      Application server does not offer SASL mechanisms in order defined in Elytron sasl-authentication-factory. See Steps to Reproduce for more details.

      Screenshot from wireshark 'follow TCP stream' is attached. JBOSS-LOCAL-USER is offered before DIGEST-MD5.

            fjuma1@redhat.com Farah Juma
            fjuma1@redhat.com Farah Juma
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: