WildFly Core / WFCORE-3251

Elytron, misconfiguration of http-authentication-factory leads to 403 - should be 500


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Affects Version/s: 3.0.1.Final
    • Component/s: Security
    • Steps to Reproduce:
      1. Follow the steps for securing the management interface with Kerberos: https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#secure_mgmt_interface_krb_elytron
      2. Replace creation of http-authentication-factory with this command specifying protocol HTTP:

        /subsystem=elytron/http-authentication-factory=example-krb-http-auth:add( \
          http-server-mechanism-factory=global, \
          security-domain=exampleFsSD, \
          mechanism-configurations=[ \
            { \
              mechanism-name=SPNEGO,\
              mechanism-realm-configurations= \
                [ \
                  { \
                    realm-name=exampleFsSD \
                  } \
                ], \
              protocol=DOES_NOT_EXIST,\
              credential-security-factory=krbSF \
            } \
          ] \
        )

    • Description:
      When I misconfigure the http-authentication-factory, e.g. with the unreal protocol "DOES_NOT_EXIST", I get HTTP status code 403.

      I think 500 would be more appropriate here, as the server is misconfigured and can't authenticate.
      403 means the user does not have the appropriate roles.

      In the log there is:

      10:08:06,309 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='SPNEGO', hostName='localhost.localdomain', protocol='http'.
      
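The following is an added illustration written for this issue; it is not WildFly or Elytron code. It models how the entries of an http-authentication-factory's mechanism-configurations are matched against an incoming request and shows the status mapping the reporter argues for: an unresolvable configuration (the ELY01119 case) is a server-side fault and maps to 500, while a missing role is the only 403 case. Assumptions, all constructed for the example: an entry matches when every selector it sets (mechanism-name, host-name, protocol) equals the request's value, unset selectors match anything, comparison is exact and case-sensitive, the request values are those from the TRACE line above, and the role name "SuperUser" is a placeholder.

```python
# Added illustration for WFCORE-3251, not WildFly or Elytron code.
# Assumptions (constructed for this example): a mechanism-configuration entry
# matches when every selector it sets equals the request's value, unset selectors
# match anything, comparison is exact and case-sensitive, and "SuperUser" is a
# placeholder role name.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class MechanismRequest:
    mechanism_type: str   # 'HTTP' in the ELY01119 log line
    mechanism_name: str   # 'SPNEGO'
    host_name: str        # 'localhost.localdomain'
    protocol: str         # 'http' (what the server saw, not what was configured)


@dataclass(frozen=True)
class MechanismConfiguration:
    """One entry of mechanism-configurations; None means 'selector not set'."""
    mechanism_name: Optional[str] = None
    host_name: Optional[str] = None
    protocol: Optional[str] = None
    realm_name: Optional[str] = None

    def matches(self, req: MechanismRequest) -> bool:
        selectors = (
            (self.mechanism_name, req.mechanism_name),
            (self.host_name, req.host_name),
            (self.protocol, req.protocol),
        )
        return all(wanted is None or wanted == actual for wanted, actual in selectors)


class MechanismConfigurationUnresolved(Exception):
    """Raised when no configured entry matches: a server-side misconfiguration."""


def select_configuration(configs: Iterable[MechanismConfiguration],
                         req: MechanismRequest) -> MechanismConfiguration:
    """Return the first matching entry, or raise with an ELY01119-style message."""
    for cfg in configs:
        if cfg.matches(req):
            return cfg
    raise MechanismConfigurationUnresolved(
        "Unable to resolve MechanismConfiguration for "
        f"mechanismType='{req.mechanism_type}', mechanismName='{req.mechanism_name}', "
        f"hostName='{req.host_name}', protocol='{req.protocol}'."
    )


def http_status(configs, req, identity_roles, required_role="SuperUser") -> int:
    """Status mapping the issue argues for: 500 when the factory cannot resolve a
    configuration (nobody can authenticate), 403 only when the authenticated
    identity lacks the required role, 200 otherwise."""
    try:
        select_configuration(configs, req)
    except MechanismConfigurationUnresolved:
        return 500
    return 200 if required_role in identity_roles else 403


# Constructed request carrying the values from the ELY01119 TRACE line.
REQUEST = MechanismRequest("HTTP", "SPNEGO", "localhost.localdomain", "http")

# The misconfiguration from the steps to reproduce: protocol=DOES_NOT_EXIST never
# equals 'http', so no entry can be selected for any request.
MISCONFIGURED = [MechanismConfiguration("SPNEGO", None, "DOES_NOT_EXIST", "exampleFsSD")]

# The same entry with the protocol selector left unset, so it matches the request.
CORRECTED = [MechanismConfiguration("SPNEGO", None, None, "exampleFsSD")]

if __name__ == "__main__":
    print(http_status(MISCONFIGURED, REQUEST, {"SuperUser"}))  # 500: misconfiguration
    print(http_status(CORRECTED, REQUEST, {"SuperUser"}))      # 200: authenticated and authorized
    print(http_status(CORRECTED, REQUEST, set()))              # 403: authenticated, no role
```

Note that the server as reported returned 403 for the misconfigured case; the block implements the mapping the issue requests, not the observed behaviour. Either way, the reliable diagnostic is the ELY01119 line, which is only visible with TRACE logging enabled on org.wildfly.security, so a 403 on the management interface is worth checking against that logger before assuming an RBAC problem.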

    • Assignee: Darran Lofthouse (darran.lofthouse@redhat.com)
    • Reporter: Martin Choma (mchoma@redhat.com)