WildFly / WFLY-8090

Changing Elytron default-authentication-context requires server restart


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Fix Version: 11.0.0.Alpha1
    • Component: Security

      1) setup authentication-context:

      /subsystem=elytron/authentication-configuration=auth-config:add(authentication-name=user1,realm=ManagementRealm,allow-sasl-mechanisms=[DIGEST-MD5],credential-reference={clear-text=pass@123})
      /subsystem=elytron/authentication-context=auth-context:add(match-rules=[{match-host=localhost,authentication-configuration=auth-config}])
      

      2) use following http-interface:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      3) add user:

      ./bin/add-user.sh -u user1 -p pass@123 -r ManagementRealm
      

      4) deploy application for whoami operation (see attachments)

      5) access http://127.0.0.1:8080/AuthnContextApp/directCall. default-authentication-context is not set, so $local is displayed correctly

      6) set default-authentication-context

      /subsystem=elytron:write-attribute(name=default-authentication-context,value=auth-context)
      {"outcome" => "success"}
      

      7) access http://127.0.0.1:8080/AuthnContextApp/directCall again. Result is still $local.

      8) Reload server and access http://127.0.0.1:8080/AuthnContextApp/directCall again. Result is user1.
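      Step 6 above shows the write-attribute operation answering with only {"outcome" => "success"}, so a script driving the CLI gets no signal that the new default-authentication-context is not yet in effect. As an added example (not code from this report or from WildFly), the POSIX shell helpers below check a management response for the response headers WildFly uses to flag a pending reload ("operation-requires-reload" and "process-state"), run them over two constructed sample responses, and can optionally re-run step 6 against a live server and then read the root resource's server-state attribute, which stays authoritative even when the operation response carries no header. The JBOSS_HOME path to jboss-cli.sh and the WFLY_LIVE_CHECK switch are assumptions.

```shell
#!/bin/sh
# Added example, not part of WFLY-8090 or WildFly itself: helpers that tell
# whether a management operation response signalled that a reload is needed.
# The response-header names ("operation-requires-reload", "process-state")
# are the ones WildFly's management API uses; the JBOSS_HOME/jboss-cli.sh
# path and the WFLY_LIVE_CHECK switch are assumptions for this example.

# Exit 0 if the response carries "operation-requires-reload" => true.
response_requires_reload() {
    printf '%s\n' "$1" | grep -q '"operation-requires-reload" => true'
}

# Print the process-state response header ("reload-required",
# "restart-required", ...) or nothing if the response has none.
response_process_state() {
    printf '%s\n' "$1" | sed -n 's/.*"process-state" => "\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed sample 1: the response quoted in the report for step 6.
# No response-headers, so automation cannot tell that a reload is needed.
SAMPLE_NO_HEADER='{"outcome" => "success"}'

# Constructed sample 2: the shape of a response for a change that does flag
# reload-required (the behaviour the report asks whether this attribute should have).
SAMPLE_WITH_HEADER='{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}'

# Exit 0 when the response implies a reload, and say why on stdout.
explain_response() {
    if response_requires_reload "$1"; then
        echo "reload required (process-state=$(response_process_state "$1"))"
        return 0
    fi
    echo "no reload flagged by the operation response"
    return 1
}

# Optional live check against a running server (assumed paths): repeat the
# write-attribute from step 6, inspect its response, then ask the root
# resource for server-state, which is reliable even without a header.
live_check() {
    cli="${JBOSS_HOME:?set JBOSS_HOME to the WildFly install}/bin/jboss-cli.sh"
    resp=$("$cli" --connect \
        --command='/subsystem=elytron:write-attribute(name=default-authentication-context,value=auth-context)')
    explain_response "$resp" || true
    state=$("$cli" --connect --command=':read-attribute(name=server-state)')
    printf 'response to :read-attribute(name=server-state):\n%s\n' "$state"
}

explain_response "$SAMPLE_NO_HEADER" || true
explain_response "$SAMPLE_WITH_HEADER" || true
if [ -n "${WFLY_LIVE_CHECK:-}" ]; then
    live_check
fi
```

      Run as-is it only evaluates the two constructed samples; set WFLY_LIVE_CHECK=1 and JBOSS_HOME to exercise the live path, where the read of server-state is what a deployment script should gate on before trusting that the new authentication context applies.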


      When the Elytron subsystem attribute default-authentication-context is changed (through a write-attribute or undefine-attribute operation), the operation succeeds and the server is NOT set to the reload-required state. However, the changed value is not used until the server is reloaded.

      Before fixing this, it must be decided whether a change of default-authentication-context should require a server reload or not. dlofthouse What should the correct behavior be?

              Assignee: Darran Lofthouse (darran.lofthouse@redhat.com)
              Reporter: Ondrej Lukas (olukas, Inactive)