Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 3.0.0.Beta29
Affects Version/s: None
Component/s: Remoting, Security
Labels:
None

Server rejects DIGEST SASL authentication in some cases when an existing remoting connection is reused. It seems the protocol name is not updated or matched correctly. The root cause of the problem is moreover hidden due to ~~JBEAP-10953~~.
Clients just get:

Caused by: org.wildfly.security.auth.AuthenticationException: JBREM000304: Server rejected authentication
	at org.jboss.remoting3.ConnectionPeerIdentityContext.doAuthenticate(ConnectionPeerIdentityContext.java:340)
	at org.jboss.remoting3.ConnectionPeerIdentityContext.authenticate(ConnectionPeerIdentityContext.java:178)
	at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:478)
	at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:467)
        ...

The hidden exception stack trace is:

javax.security.sasl.SaslException: ELY05088: [DIGEST-MD5] digest-uri "remote+http/doma" not accepted
	at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:239)
	at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:355)
	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
	at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:328)
	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
	at org.jboss.remoting3.ConnectionImpl.lambda$receiveAuthResponse$3(ConnectionImpl.java:273)
	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:748)

We hit this problem as an intermittent failure in the AS testsuite.

clones

JBEAP-10976 Remoting connection sharing causes authentication failures - DIGEST SASL mechanism

Verified

is caused by

REM3-275 Digest auth does not use correct protocol when performing user switching

Resolved

Assignee:: David Lloyd

Reporter:: Josef Cacek (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2017/05/17 1:33 PM

Updated:: 2020/09/30 10:32 AM

Resolved:: 2017/07/07 12:30 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates