Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7349

configurable-sasl-server-factory cannot set mechanism information

    XMLWordPrintable

Details

    • Hide
          <sasl>
              <provider-sasl-server-factory name="MySaslServer"/>
              <configurable-sasl-server-factory name="ConfigurableSaslServer" sasl-server-factory="MySaslServer" protocol="myProtocol" server-name="TestingServer" />
              <sasl-authentication-factory name="MySaslAuth" security-domain="MyDomain" sasl-server-factory="ConfigurableSaslServer">
                  <mechanism-configuration>
                      <mechanism mechanism-name="DIGEST-MD5">
                          <mechanism-realm realm-name="MyRealm"/>
                      </mechanism>
                  </mechanism-configuration>
              </sasl-authentication-factory>
          </sasl>
      
      Show
      <sasl> <provider-sasl-server-factory name= "MySaslServer" /> <configurable-sasl-server-factory name= "ConfigurableSaslServer" sasl-server-factory= "MySaslServer" protocol= "myProtocol" server-name= "TestingServer" /> <sasl-authentication-factory name= "MySaslAuth" security-domain= "MyDomain" sasl-server-factory= "ConfigurableSaslServer" > <mechanism-configuration> <mechanism mechanism-name= "DIGEST-MD5" > <mechanism-realm realm-name= "MyRealm" /> </mechanism> </mechanism-configuration> </sasl-authentication-factory> </sasl>

    Description

      sasl-authentication-factory and sasl-server-factory creates chain of SaslServerFactories - for example ServerNameSaslServerFactory only delegates creating to following factory in chain but with rewriting of the server name.
      In this chain is also SetMechanismInformationSaslServerFactory, which call callback handler to send MechanismInformation into ServerAuthenticationContext - there it will cause state change from InactiveState to InitialState.

      The problem is, if the configurable-sasl-server-factory is used, the SetMechanismInformationSaslServerFactory is in chain twice. The first occurence (by sasl-authentication-factory) will cause change state to InitialState, but before the serverName+protocol is overriden by SaslServerFactories following in chain. The second occurence (by configurable-sasl-server-factory) already have serverName+protocol set, but because the ServerAuthenticationContext is already in InitialState, the exception "Too late to set" is thrown and createSaslServer returns null - fail completely.

      The chain of SaslServerFactories:

      AuthenticationTimeoutSSF
      TrustManagerSSF
      AuthenticationCompleteSSF
      SetMechanismInformationSSF => cbh => InactiveState -> InitialState(undefined, null)
      ServerNameSSF
      ProtocolSSF
      SetMechanismInformationSSF => cbh => "Too late to set" => return null
      SecurityProviderSSF
      

      Will have to discuss yet how to correctly solve this... (maybe consider allowing of multiple MechanismInformation setting? In current design the sasl-authentication-factory cannot detect the configurable-sasl-server-factory WILL change the MechanismInformation yet...)

      Attachments

        Issue Links

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: