Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1186

Elytron - authentication fails when a realm name is not specified for DIGEST-MD5 mechanism on server side

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.Beta54
    • Component/s: None
    • Labels:
      None

      Description

      When a default configuration is used for DIGEST-MD5 SASL mechanism, then server suggest hostname as a realm name, but authentication fails because ServerAuthenticationContext checks mechanism configuration and fails with following exception:

      @Message(id = 1092, value = "Invalid mechanism realm selection \"%s\"")
      IllegalArgumentException invalidMechRealmSelection(String realmName);
      

      Suggested fix:
      If the server suggests realm name, then it should be able to consume it. Or if the realm name is really mandatory, then server should not suggest such a default value. IMO allowing such a default and simplifying configuration would have positive impact on user experience.

      The full stacktrace (hidden):

       javax.security.sasl.SaslException: ELY05053: [DIGEST-MD5] Callback handler failed for unknown reason [Caused by java.lang.IllegalArgumentException: ELY01092: Invalid mechanism realm selection "localhost"]
               at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:105)
               at org.wildfly.security.sasl.digest.AbstractDigestMechanism.getPredigestedSaltedPassword(AbstractDigestMechanism.java:482)
               at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:259)
               at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:355)
               at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
               at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:328)
               at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
               at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
               at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
               at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
               at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
               at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
               at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
               at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
               at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
               at java.lang.Thread.run(Thread.java:748)
       Caused by: java.lang.IllegalArgumentException: ELY01092: Invalid mechanism realm selection "localhost"
               at org.wildfly.security.auth.server.ServerAuthenticationContext$InitialState.setMechanismRealmName(ServerAuthenticationContext.java:1615)
               at org.wildfly.security.auth.server.ServerAuthenticationContext.setMechanismRealmName(ServerAuthenticationContext.java:712)
               at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:927)
               at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:735)
               at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.lambda$createSaslServer$0(TrustManagerSaslServerFactory.java:96)
               at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:101)
               ... 15 more
      

      Attached also server configuration and WireShark log.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dmlloyd David Lloyd
                  Reporter:
                  jcacek Josef Cacek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: