Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 28.0.0.Final
Affects Version/s: 28.0.0.Beta1
Component/s: Clustering, Security
Labels:
None

Steps to Reproduce:
Hide

Both version run under standalone-full-ha.xml and both testing package is Attachment

Only when add default-host sso

On clean WF23

/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add()

deploy package (root-app1.war, root-app2.war) by webconsole

package is successful deployed

On clean WF28

/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add()

deploy package (root-app1.war, root-app2.war) by webconsole

while deployment error occur and package isn't deploy

When setup the elytron sso

On both version

1) create keystore in WILDFLY_HOME/standalone/configuration

keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore keystore.jks -dname "CN=localhost" -keypass secret -storepass secret

On clean WF23

2) go through setting mention in wildfly setup (I mention these steps under)

/subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm) /subsystem=elytron/security-domain=example-domain:add(default-realm=example-realm, permission-mapper=default-permission-mapper,realms=[\{realm=example-realm, role-decoder=groups-to-roles}] /subsystem=elytron/filesystem-realm=example-realm:add-identity(identity=testUser1) /subsystem=elytron/filesystem-realm=example-realm:add-identity-attribute(identity=testUser1, name=groups, value=["user"]) /subsystem=elytron/filesystem-realm=example-realm:set-password(identity=testUser1, clear=\{password=testUser1}) /subsystem=elytron/http-authentication-factory=example-http-authentication:add(security-domain=example-domain, http-server-mechanism-factory=global, mechanism-configurations=[\{mechanism-name=FORM}] /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=example-http-authentication) /subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference=\{clear-text=secret}, type=JKS) /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=\{clear-text=secret}) reload

3) change http-invoker from security-realm to http-authentication-factory

batch /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:undefine-attribute(name=security-realm) /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=example-http-authentication) run-batch reload

4) still possible to deploy
5) /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add()
6) after adding default-host sso the same package is unable to deploy and error appear

On clean WF28
2) go through same setting

/subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm) /subsystem=elytron/security-domain=example-domain:add(default-realm=example-realm, permission-mapper=default-permission-mapper,realms=[\{realm=example-realm, role-decoder=groups-to-roles}] /subsystem=elytron/filesystem-realm=example-realm:add-identity(identity=testUser1) /subsystem=elytron/filesystem-realm=example-realm:add-identity-attribute(identity=testUser1, name=groups, value=["user"]) /subsystem=elytron/filesystem-realm=example-realm:set-password(identity=testUser1, clear=\{password=testUser1}) /subsystem=elytron/http-authentication-factory=example-http-authentication:add(security-domain=example-domain, http-server-mechanism-factory=global, mechanism-configurations=[\{mechanism-name=FORM}] batch /subsystem=undertow/application-security-domain=other:undefine-attribute(name=security-domain) /subsystem=undertow/application-security-domain=other:write-attribute(name=http-authentication-factory, value=example-http-authentication) run-batch reload /subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference=\{clear-text=secret}, type=JKS) /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=\{clear-text=secret}) reload

3) change http-authentication-factory in http-invoker

/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=example-http-authentication) reload

4) still possible to deploy
5)

/subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add()

6) after adding default-host sso the same package is unable to deploy and error appear
Show
Both version run under standalone-full-ha.xml and both testing package is Attachment Only when add default-host sso On clean WF23 /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add() deploy package (root-app1.war, root-app2.war) by webconsole package is successful deployed On clean WF28 /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add() deploy package (root-app1.war, root-app2.war) by webconsole while deployment error occur and package isn't deploy When setup the elytron sso On both version 1) create keystore in WILDFLY_HOME/standalone/configuration keytool -genkeypair -alias localhost -keyalg RSA -keysize 1024 -validity 365 -keystore keystore.jks -dname "CN=localhost" -keypass secret -storepass secret On clean WF23 2) go through setting mention in wildfly setup (I mention these steps under) /subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm) /subsystem=elytron/security-domain=example-domain:add(default-realm=example-realm, permission-mapper=default-permission-mapper,realms=[\{realm=example-realm, role-decoder=groups-to-roles}] /subsystem=elytron/filesystem-realm=example-realm:add-identity(identity=testUser1) /subsystem=elytron/filesystem-realm=example-realm:add-identity-attribute(identity=testUser1, name=groups, value=["user"]) /subsystem=elytron/filesystem-realm=example-realm:set-password(identity=testUser1, clear=\{password=testUser1}) /subsystem=elytron/http-authentication-factory=example-http-authentication:add(security-domain=example-domain, http-server-mechanism-factory=global, mechanism-configurations=[\{mechanism-name=FORM}] /subsystem=undertow/application-security-domain=other:add(http-authentication-factory=example-http-authentication) /subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference=\{clear-text=secret}, type=JKS) /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=\{clear-text=secret}) reload 3) change http-invoker from security-realm to http-authentication-factory batch /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:undefine-attribute(name=security-realm) /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=example-http-authentication) run-batch reload 4) still possible to deploy 5) /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add() 6) after adding default-host sso the same package is unable to deploy and error appear On clean WF28 2) go through same setting /subsystem=elytron/filesystem-realm=example-realm:add(path=/tmp/example-realm) /subsystem=elytron/security-domain=example-domain:add(default-realm=example-realm, permission-mapper=default-permission-mapper,realms=[\{realm=example-realm, role-decoder=groups-to-roles}] /subsystem=elytron/filesystem-realm=example-realm:add-identity(identity=testUser1) /subsystem=elytron/filesystem-realm=example-realm:add-identity-attribute(identity=testUser1, name=groups, value=["user"]) /subsystem=elytron/filesystem-realm=example-realm:set-password(identity=testUser1, clear=\{password=testUser1}) /subsystem=elytron/http-authentication-factory=example-http-authentication:add(security-domain=example-domain, http-server-mechanism-factory=global, mechanism-configurations=[\{mechanism-name=FORM}] batch /subsystem=undertow/application-security-domain=other:undefine-attribute(name=security-domain) /subsystem=undertow/application-security-domain=other:write-attribute(name=http-authentication-factory, value=example-http-authentication) run-batch reload /subsystem=elytron/key-store=example-keystore:add(path=keystore.jks, relative-to=jboss.server.config.dir, credential-reference=\{clear-text=secret}, type=JKS) /subsystem=undertow/application-security-domain=other/setting=single-sign-on:add(key-store=example-keystore, key-alias=localhost, domain=localhost, credential-reference=\{clear-text=secret}) reload 3) change http-authentication-factory in http-invoker /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory, value=example-http-authentication) reload 4) still possible to deploy 5) /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on:add() 6) after adding default-host sso the same package is unable to deploy and error appear
Git Pull Request:
https://github.com/wildfly/wildfly/pull/16736
[QE] How to address?:
---
[QE] Why QE missed?:
---

Description

When migrating from legacy security to elytron the error appear[1]. The error appear when the /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on is added. When the same thing was tried with setting by [2]the error appear even on WF23.
I tested it WF28 and WF23 with same http-authentication-factory (which was for both management-http-authentication on WF28 I tried it even with application-http-authentication) but the result was always the same error. So from this I assume the /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on with elytron is somehow bugged. I didn't find any documentation where is this specific function used.

In our case we just deploy simple .war which contain web.xml and index.jsp and trying to confirm that the value which are set in sso attribute is correct (testing that sso function attributes). The .war was build by shirinkwrap Archive.

Also for testing I try deploy the sso form which is mention in [2] and the result was same when was single-sign-on in default-host added the error appeared and when the single-sign-on was removed the deployment was working fine.

[1]

{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"_DEFAULT__root-app.war_root-app.war\".undertow-deployment" => "java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'SSO' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'SSO' is not available in mechanisms [BASIC, CLIENT_CERT, DIGEST, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.IllegalStateException: The required mechanism 'SSO' is not available in mechanisms [BASIC, CLIENT_CERT, [2]DIGEST, FORM] from the HttpAuthenticationFactory."}}

[2] https://docs.jboss.org/author/display/WFLY/Web%20Single%20Sign-On.html

Attachments

Issue Links

clones

JBEAP-22898 Deploy fail when /subsystem=undertow/server=default-server/host=default-host/setting=single-sign-on is activated

Ready for QA

Activity

People

Assignee:: Paul Ferraro

Reporter:: Paul Ferraro

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2023/04/14 4:06 PM

Updated:: 2023/07/31 6:52 PM

Resolved:: 2023/04/17 10:07 PM