Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1275

x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 1.1.0.Beta52
    • Fix Version/s: 1.1.0.CR3
    • Component/s: None
    • Labels:
      None
    • Steps to Reproduce:
      Hide

      1) generate needed keystores and truststores

      2) configure Elytron application server:

      <security-domain name="security-domain-subject-dn" default-realm="ldap-realm-subject-dn" permission-mapper="default-permission-mapper" principal-decoder="x500AttributePrincipalDecoder">
          <realm name="ldap-realm-subject-dn"/>
      </security-domain>
      ...
      <ldap-realm name="ldap-realm-subject-dn" dir-context="elytron-ldap-dir-context" direct-verification="true">
          <identity-mapping rdn-identifier="uid" use-recursive-search="true" search-base-dn="o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org">
              <x509-credential-mapper subject-dn-from="businessCategory"/>
          </identity-mapping>
      </ldap-realm>
      ...
      <x500-attribute-principal-decoder name="x500AttributePrincipalDecoder" oid="2.5.4.3" maximum-segments="1"/>
      ...
      <tls>
          <key-stores>
              <key-store name="keyStore" type="jks">
                  <file path="PATH/server.keystore"/>
                  <credential-reference clear-text="secretKeyStore"/>
              </key-store>
              <key-store name="trustStore" type="jks">
                  <file path="PATH/server.truststore"/>
                  <credential-reference clear-text="secretKeyStore"/>
              </key-store>
          </key-stores>
          <key-managers>
              <key-manager name="keyManager" algorithm="SunX509" key-store="keyStore">
                  <credential-reference clear-text="secret"/>
              </key-manager>
          </key-managers>
          <trust-managers>
              <trust-manager name="trustManager" algorithm="SunX509" key-store="trustStore"/>
          </trust-managers>
          <server-ssl-contexts>
              <server-ssl-context name="serverSslContext" security-domain="security-domain-subject-dn" want-client-auth="true" need-client-auth="true" key-manager="keyManager" trust-manager="trustManager"/>
          </server-ssl-contexts>
      </tls>
      ...
      <dir-contexts>
          <dir-context name="elytron-ldap-dir-context" url="ldap://localhost:10389" principal="uid=admin,ou=system">
              <credential-reference clear-text="secret"/>
          </dir-context>
      </dir-contexts>
      

      3) configure in undertow:

      <https-listener name="https" socket-binding="https" ssl-context="serverSslContext" enable-http2="true"/>
      

      4) configure LDAP server to include needed data

      5) try to access https://localhost:8443

      Show
      1) generate needed keystores and truststores 2) configure Elytron application server: <security-domain name= "security-domain-subject-dn" default -realm= "ldap-realm-subject-dn" permission-mapper= " default -permission-mapper" principal-decoder= "x500AttributePrincipalDecoder" > <realm name= "ldap-realm-subject-dn" /> </security-domain> ... <ldap-realm name= "ldap-realm-subject-dn" dir-context= "elytron-ldap-dir-context" direct-verification= " true " > <identity-mapping rdn-identifier= "uid" use-recursive-search= " true " search-base-dn= "o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org" > <x509-credential-mapper subject-dn-from= "businessCategory" /> </identity-mapping> </ldap-realm> ... <x500-attribute-principal-decoder name= "x500AttributePrincipalDecoder" oid= "2.5.4.3" maximum-segments= "1" /> ... <tls> <key-stores> <key-store name= "keyStore" type= "jks" > <file path= "PATH/server.keystore" /> <credential-reference clear-text= "secretKeyStore" /> </key-store> <key-store name= "trustStore" type= "jks" > <file path= "PATH/server.truststore" /> <credential-reference clear-text= "secretKeyStore" /> </key-store> </key-stores> <key-managers> <key-manager name= "keyManager" algorithm= "SunX509" key-store= "keyStore" > <credential-reference clear-text= "secret" /> </key-manager> </key-managers> <trust-managers> <trust-manager name= "trustManager" algorithm= "SunX509" key-store= "trustStore" /> </trust-managers> <server-ssl-contexts> <server-ssl-context name= "serverSslContext" security-domain= "security-domain-subject-dn" want-client-auth= " true " need-client-auth= " true " key-manager= "keyManager" trust-manager= "trustManager" /> </server-ssl-contexts> </tls> ... <dir-contexts> <dir-context name= "elytron-ldap-dir-context" url= "ldap: //localhost:10389" principal= "uid=admin,ou=system" > <credential-reference clear-text= "secret" /> </dir-context> </dir-contexts> 3) configure in undertow: <https-listener name= "https" socket-binding= "https" ssl-context= "serverSslContext" enable-http2= " true " /> 4) configure LDAP server to include needed data 5) try to access https://localhost:8443

      Description

      When ldap-realm with x509-credential-mapper is used in security-domain which is referenced from server-ssl-context then authorization fails. It seems it is caused by using ServerAuthenticationContext.NameAssignedState in [1] which fails in [2] due to [3]. This issue causes that x509-credential-mapper cannot work in server-ssl-context.

      Server log:

      2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
      2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ], pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
      2017-06-30 15:01:22,023 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [clientSubjectDn]...
      2017-06-30 15:01:22,028 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [clientSubjectDn].
      2017-06-30 15:01:22,044 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
      2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2017-06-30 15:01:22,081 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@6ca3ef32] successfully created. Connection established to LDAP server.
      2017-06-30 15:01:22,084 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
      2017-06-30 15:01:22,086 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [null]. Binary attributes are [null].
      2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@6ca3ef32] was closed. Connection closed or just returned to the pool.
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
      2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2017-06-30 15:01:22,154 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2017-06-30 15:01:22,179 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@75395ba6] successfully created. Connection established to LDAP server.
      2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
      2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
      2017-06-30 15:01:22,195 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,197 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,198 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@75395ba6] was closed. Connection closed or just returned to the pool.
      2017-06-30 15:01:22,200 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
      2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
      2017-06-30 15:01:22,212 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@22d42495] successfully created. Connection established to LDAP server.
      2017-06-30 15:01:22,213 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
      2017-06-30 15:01:22,214 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
      2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
      2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
      2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@22d42495] was closed. Connection closed or just returned to the pool.
      2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
      2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
      	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
      	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
      	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
      	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
      	at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
      	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
      	at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
      	at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
      	at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
      	at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
      	at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
      	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
      Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext.succeed(ServerAuthenticationContext.java:492)
      	at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:123)
      	at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
      	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
      	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
      	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
      	at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      

      Since there is no documentation for this scenario it is possible that this is just a configuration issue - in that case please provide valid configuration for this scenario.

      [1] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L120
      [2] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L122
      [3] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L1943

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  honza889 Jan Kalina
                  Reporter:
                  olukas Ondrej Lukas
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: