Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7349

configurable-sasl-server-factory cannot set mechanism information

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 11.0.0.Alpha1
    • None
    • Security
    • None
    • Hide 
          <sasl>
        <provider-sasl-server-factory name="MySaslServer"/>
        <configurable-sasl-server-factory name="ConfigurableSaslServer" sasl-server-factory="MySaslServer" protocol="myProtocol" server-name="TestingServer" />
        <sasl-authentication-factory name="MySaslAuth" security-domain="MyDomain" sasl-server-factory="ConfigurableSaslServer">
            <mechanism-configuration>
                <mechanism mechanism-name="DIGEST-MD5">
                    <mechanism-realm realm-name="MyRealm"/>
                </mechanism>
            </mechanism-configuration>
        </sasl-authentication-factory>
    </sasl>
      Show
      <sasl> <provider-sasl-server-factory name= "MySaslServer" /> <configurable-sasl-server-factory name= "ConfigurableSaslServer" sasl-server-factory= "MySaslServer" protocol= "myProtocol" server-name= "TestingServer" /> <sasl-authentication-factory name= "MySaslAuth" security-domain= "MyDomain" sasl-server-factory= "ConfigurableSaslServer" > <mechanism-configuration> <mechanism mechanism-name= "DIGEST-MD5" > <mechanism-realm realm-name= "MyRealm" /> </mechanism> </mechanism-configuration> </sasl-authentication-factory> </sasl>

      sasl-authentication-factory and sasl-server-factory creates chain of SaslServerFactories - for example ServerNameSaslServerFactory only delegates creating to following factory in chain but with rewriting of the server name.
      In this chain is also SetMechanismInformationSaslServerFactory, which call callback handler to send MechanismInformation into ServerAuthenticationContext - there it will cause state change from InactiveState to InitialState.

      The problem is, if the configurable-sasl-server-factory is used, the SetMechanismInformationSaslServerFactory is in chain twice. The first occurence (by sasl-authentication-factory) will cause change state to InitialState, but before the serverName+protocol is overriden by SaslServerFactories following in chain. The second occurence (by configurable-sasl-server-factory) already have serverName+protocol set, but because the ServerAuthenticationContext is already in InitialState, the exception "Too late to set" is thrown and createSaslServer returns null - fail completely.

      The chain of SaslServerFactories:

      AuthenticationTimeoutSSF
TrustManagerSSF
AuthenticationCompleteSSF
SetMechanismInformationSSF => cbh => InactiveState -> InitialState(undefined, null)
ServerNameSSF
ProtocolSSF
SetMechanismInformationSSF => cbh => "Too late to set" => return null
SecurityProviderSSF

      Will have to discuss yet how to correctly solve this... (maybe consider allowing of multiple MechanismInformation setting? In current design the sasl-authentication-factory cannot detect the configurable-sasl-server-factory WILL change the MechanismInformation yet...)

        1. sasl-test.xml
          3 kB
        2. SaslTestCase.java
          10 kB

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: