WildFly / WFLY-3626

JAASIdentityManagerImpl reauthenticates on verify(), CallerPrincipal mapping bug

    Details

      Description

      cf. forum

      org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(Account), which is called on every request, results in reauthentication of the Account. This is a performance issue; in my case it includes an LDAP bind.

      Also, if CallerPrincipal mapping is used, the original (LDAP) username that was successfully authenticated via LDAP bind gets mapped to an application username. Account verification reauthenticates with the mapped application username, not the original LDAP username, and therefore fails the LDAP bind and the verify.

      So with regard to CallerPrincipal, JAASIdentityManagerImpl.verify(Account) is faulty.

      Injection of JAASIdentityManagerImpl cannot be parameterized, nor can its verify(Account) behaviour.

      As mentioned in the forum thread, my workaround was to replace JAASIdentityManagerImpl after injection with a delegating IdentityManager that does not reauthenticate on verify().

      Replacement happens by means of io.undertow.servlet.ServletExtension, as explained in http://undertow.io/documentation/servlet/using-non-blocking-handlers-with-servlet.html

      Sidenote: org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(Account) simply returns account;

            People

            Assignee:
            swd847 Stuart Douglas
            Reporter:
            work_registries John Doe (Inactive)