Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-7349

configurable-sasl-server-factory cannot set mechanism information

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 11.0.0.Alpha1
    • None
    • Security
    • None
    • Hide 
          <sasl>
        <provider-sasl-server-factory name="MySaslServer"/>
        <configurable-sasl-server-factory name="ConfigurableSaslServer" sasl-server-factory="MySaslServer" protocol="myProtocol" server-name="TestingServer" />
        <sasl-authentication-factory name="MySaslAuth" security-domain="MyDomain" sasl-server-factory="ConfigurableSaslServer">
            <mechanism-configuration>
                <mechanism mechanism-name="DIGEST-MD5">
                    <mechanism-realm realm-name="MyRealm"/>
                </mechanism>
            </mechanism-configuration>
        </sasl-authentication-factory>
    </sasl>
      Show
      <sasl> <provider-sasl-server-factory name= "MySaslServer" /> <configurable-sasl-server-factory name= "ConfigurableSaslServer" sasl-server-factory= "MySaslServer" protocol= "myProtocol" server-name= "TestingServer" /> <sasl-authentication-factory name= "MySaslAuth" security-domain= "MyDomain" sasl-server-factory= "ConfigurableSaslServer" > <mechanism-configuration> <mechanism mechanism-name= "DIGEST-MD5" > <mechanism-realm realm-name= "MyRealm" /> </mechanism> </mechanism-configuration> </sasl-authentication-factory> </sasl>

    Description

      sasl-authentication-factory and sasl-server-factory creates chain of SaslServerFactories - for example ServerNameSaslServerFactory only delegates creating to following factory in chain but with rewriting of the server name.
      In this chain is also SetMechanismInformationSaslServerFactory, which call callback handler to send MechanismInformation into ServerAuthenticationContext - there it will cause state change from InactiveState to InitialState.

      The problem is, if the configurable-sasl-server-factory is used, the SetMechanismInformationSaslServerFactory is in chain twice. The first occurence (by sasl-authentication-factory) will cause change state to InitialState, but before the serverName+protocol is overriden by SaslServerFactories following in chain. The second occurence (by configurable-sasl-server-factory) already have serverName+protocol set, but because the ServerAuthenticationContext is already in InitialState, the exception "Too late to set" is thrown and createSaslServer returns null - fail completely.

      The chain of SaslServerFactories:

      AuthenticationTimeoutSSF
TrustManagerSSF
AuthenticationCompleteSSF
SetMechanismInformationSSF => cbh => InactiveState -> InitialState(undefined, null)
ServerNameSSF
ProtocolSSF
SetMechanismInformationSSF => cbh => "Too late to set" => return null
SecurityProviderSSF

      Will have to discuss yet how to correctly solve this... (maybe consider allowing of multiple MechanismInformation setting? In current design the sasl-authentication-factory cannot detect the configurable-sasl-server-factory WILL change the MechanismInformation yet...)

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ELY-702 configurable-sasl-server-factory cannot set mechanism information

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. WFLY-7527 Upgrade to Elytron Subsystem 1.0.0.Alpha13

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: