Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1280

GSSAPI only identities credential if we actually have one.

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.CR3
    • Component/s: None
    • Labels:
      None
    • Steps to Reproduce:
      Hide
      Show
      Follow steps in https://access.qa.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces Or run test from internal TS git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-ldap-kerberos.git cd tests-ldap-kerberos ./build-eap71.sh -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.0.Beta28-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.GA-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.ER2.2.zip -Dmaven.test.failure.ignore= true -Dtest=KerberosCLITestCase#testValidKerberosTicketRemoteHttpProtocol -DtestLogToFile= false

      Description

      In ER2 kerberos authentication in remoting does not work with IBM java. I see same error in 2 scenarios:

      • Elytron kerberos authentication for management interface - CLI
      • Elytron kerberos authenticaiton for EJB

      This issue (reproducer/description)is based on CLI case. As it seems to me it is caused by same error.

      13:15:25,038 INFO  [org.jboss.eapqe.krbldap.utils.CustomCLIExecutor] (main) Command:[/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.sh, -Djboss.cli.config=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.xml, -c, --controller=remote+http://localhost.localdomain:9990, --timeout=60000, -Djavax.security.auth.useSubjectCredsOnly=false, -Djava.security.krb5.conf=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-4030706113084817464.conf, -Dsun.security.krb5.debug=true, -Dcom.ibm.security.jgss.debug=all, -Dcom.ibm.security.krb5.Krb5Debug=all, -Djavax.net.ssl.trustStore=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/localhost.keystore, :whoami]
      13:15:26,352 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Initialized connection from /127.0.0.1:41690 to /127.0.0.1:9990 with options {org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote}
      13:15:26,352 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Accepted connection from /127.0.0.1:41690 to localhost.localdomain/127.0.0.1:9990
      13:15:26,353 TRACE [org.jboss.remoting.remote] (management I/O-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@6a1d77d9
      13:15:26,353 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 28 bytes
      13:15:26,353 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
      13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
      13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
      13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 56 bytes
      13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
      13:15:26,375 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capabilities request
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: version 1
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote endpoint name "cli-client"
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: message close protocol supported
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote version is "5.0.0.CR4-redhat-1"
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote channels in is "40"
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote channels out is "40"
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: authentication service
      13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) No EXTERNAL mechanism due to lack of SSL
      13:15:26,380 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Added mechanism GSSAPI
      13:15:26,381 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Added mechanism PLAIN
      13:15:26,381 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 81 bytes
      13:15:26,381 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
      13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
      13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
      13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 583 bytes
      13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=579 cap=8192]
      13:15:27,194 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=579 cap=8192]
      13:15:27,194 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received authentication request
      13:15:27,194 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
      13:15:27,194 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
      13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) configuredMaxReceiveBuffer=16777215
      13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) relaxComplianceChecks=false
      13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) QOP={AUTH}
      13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) Obtaining GSSCredential for the service from callback handler...
      13:15:27,197 TRACE [org.wildfly.security] (management I/O-1) No valid cached credential, obtaining new one...
      13:15:27,198 TRACE [org.wildfly.security] (management I/O-1) Logging in using LoginContext and subject [Subject:
      ]
      13:15:27,218 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: debug=true
      13:15:27,218 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: principal=remote/localhost.localdomain@JBOSS.ORG
      13:15:27,218 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: credsType=accept only
      13:15:27,218 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 config: useDefaultCcache=false (default)
      13:15:27,219 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 config: useCcache=null
      13:15:27,219 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 config: useDefaultKeytab=false
      13:15:27,220 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 config: useKeytab=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4304838673032362747.keytab
      13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: forwardable=false (default)
      13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: renewable=false (default)
      13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: proxiable=false (default)
      13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: tryFirstPass=false (default)
      13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: useFirstPass=false (default)
      13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: moduleBanner=false (default)
      13:15:27,225 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: interactive login? no
      13:15:27,225 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 Try keytab for principal=remote/localhost.localdomain@JBOSS.ORG
      13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 No Kerberos creds in keytab for principal remote/localhost.localdomain@JBOSS.ORG
      13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 Login successful
      13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 kprincipal : remote/localhost.localdomain@JBOSS.ORG
      13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 remote/localhost.localdomain@JBOSS.ORG added to Subject
      13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 KeyTab added to Subject
      13:15:27,328 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 No keys to add to Subject for remote/localhost.localdomain@JBOSS.ORG
      13:15:27,328 TRACE [org.wildfly.security] (management I/O-1) Logging in using LoginContext and subject [Subject:
      	Principal: remote/localhost.localdomain@JBOSS.ORG
      	Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4304838673032362747.keytab for remote/localhost.localdomain@JBOSS.ORG
      ] succeed
      13:15:27,329 TRACE [org.wildfly.security] (management I/O-1) Creating GSSName for Principal 'remote/localhost.localdomain@JBOSS.ORG'
      13:15:27,337 TRACE [org.wildfly.security] (management I/O-1) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@b7cba9ed]
      13:15:27,337 TRACE [org.wildfly.security] (management I/O-1) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
      13:15:27,339 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer for mechanism GSSAPI and protocol remote
      13:15:27,339 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@7e6923d] for mechanism [GSSAPI]
      13:15:27,339 TRACE [org.jboss.remoting.endpoint] (management I/O-1) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
      13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Negotiated mechanism 1.2.840.113554.1.2.2
      13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) No response so triggering next state immediately.
      13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Not offering a security layer so zero length.
      13:15:27,601 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Transitioning to receive chosen security layer from client
      13:15:27,601 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication challenge
      13:15:27,601 TRACE [org.jboss.remoting.remote] (management task-6) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication@aa1379f
      13:15:27,601 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
      13:15:27,601 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 37 bytes
      13:15:27,601 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
      13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
      13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
      13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 37 bytes
      13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=33 cap=8192]
      13:15:27,608 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=33 cap=8192]
      13:15:27,608 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received authentication response
      13:15:27,608 TRACE [org.jboss.remoting.endpoint] (management I/O-1) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
      13:15:27,609 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client selected security layer AUTH, with maxBuffer of 0
      13:15:27,610 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Authentication ID=jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG,  Authorization ID=jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG
      13:15:27,610 TRACE [org.wildfly.security] (management task-7) Principal assigning: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG], pre-realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c], realm name: [fileSystemRealm], post-realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c], realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c]
      13:15:27,611 TRACE [org.wildfly.security] (management task-7) Role mapping: principal [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorizing principal jdukec4c36a8b-173f-41e7-af5b-7492f91a404c.
      13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorizing against the following attributes: [] => []
      13:15:27,611 TRACE [org.wildfly.security] (management task-7) Permission mapping: identity [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorization succeed
      13:15:27,611 TRACE [org.wildfly.security] (management task-7) RunAs authorization succeed - the same identity
      13:15:27,611 TRACE [org.wildfly.security] (management task-7) Handling AuthorizeCallback: authenticationID = jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG  authorizationID = jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG  authorized = true
      13:15:27,613 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: java.lang.IllegalArgumentException: Parameter 'gssCredential' may not be null
      	at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:70)
      	at org.wildfly.common.Assert.checkNotNullParam(Assert.java:48)
      	at org.wildfly.security.credential.GSSKerberosCredential.<init>(GSSKerberosCredential.java:53)
      	at org.wildfly.security.credential.GSSKerberosCredential.<init>(GSSKerberosCredential.java:43)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:284)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:122)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:468)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor$$Lambda$905.00000000201F9C40.run(Unknown Source)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      	at java.lang.Thread.run(Thread.java:785)
      
      13:15:27,614 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) dispose
      13:15:27,614 TRACE [org.wildfly.security] (management task-7) Handling AuthenticationCompleteCallback: fail
      13:15:27,614 TRACE [org.jboss.remoting.remote] (management task-7) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@18fce815
      13:15:27,614 TRACE [org.jboss.remoting.endpoint] (management task-7) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
      13:15:27,614 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 5 bytes
      13:15:27,614 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
      13:15:27,615 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
      13:15:27,615 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Alloca
      

      Test pass just fine on Oracle/OpenJDK JDK

      In stacktrace there is involved code introduced by https://github.com/wildfly-security/wildfly-elytron/commit/faf1aff340c3a2d88dc6aa1fb39a9991e9ff3057 .

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  mchoma Martin Choma
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: