Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10090

Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration

    XMLWordPrintable

Details

    • Hide

      1) Add user:

      ./add-user.sh -u admin -p pass@123 -s

      2) Setup authentication context for deployments:

      /subsystem=elytron/authentication-configuration=config:add(authentication-name=admin,allow-sasl-mechanisms=[PLAIN],credential-reference={clear-text=pass@123})
/subsystem=elytron/authentication-context=ctx:add(match-rules=[{authentication-configuration=config}])
/subsystem=elytron:write-attribute(name=default-authentication-context,value=ctx)
reload

      3) Deploy application which calls :whoami operation see attachments and access http://127.0.0.1:8080/dep/directCall. It prints admin even if only PLAIN mechanism is allowed on client side.

      Show
      1) Add user: ./add-user.sh -u admin -p pass@123 -s 2) Setup authentication context for deployments: /subsystem=elytron/authentication-configuration=config:add(authentication-name=admin,allow-sasl-mechanisms=[PLAIN],credential-reference={clear-text=pass@123}) /subsystem=elytron/authentication-context=ctx:add(match-rules=[{authentication-configuration=config}]) /subsystem=elytron:write-attribute(name= default -authentication-context,value=ctx) reload 3) Deploy application which calls :whoami operation see attachments and access http://127.0.0.1:8080/dep/directCall . It prints admin even if only PLAIN mechanism is allowed on client side.

    Description

      In case when attribute allow-sasl-mechanisms from Elytron Authentication Configuration includes some SASL mechanisms then this attribute (and mechanisms configured there) is not taken into account during choosing SASL mechanism. It means that client tries to use all of mechanisms allowed on server side even if client does not allow them. e.g. in case when server side allowed DIGEST-MD5 and JBOSS-LOCAL-USER and client side allows PLAIN, then it tries to use DIGEST-MD5 and JBOSS-LOCAL-USER mechanisms.

      See log from wireshark in attachments. This is log for server configured through "Steps to Reproduce".

      This happens also for using allow-sasl-mechanisms from wildfly config and also for programatically configured client.

      We request blocker since this issue blocks RFE EAP7-567 and EAP7-568 and it allows to use some SASL mechanisms even if they are not allowed on client side.

      Attachments

        1. dep.war
          4 kB
        2. wireshark.pcapng
          6 kB

        Issue Links

          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10159 Sticky authentication is not working correctly

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10664 Setting sasl-mechanism-selector with some name value in Elytron client configuration file causes NPE during parsing

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified
          is caused by

          Enhancement - An enhancement to or refactoring of existing functionality that is not configurable by an end user (typically a change made by an internal team that affects users) ELY-1090 SASL mechanism selection strings with ordering and filtering

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2615 Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-10479 Upgrade WildFly Elytron to 1.1.0.Beta38

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10698 Propagate sasl-mechanism-selector to elytron subsystem

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              dlloyd@redhat.com David Lloyd
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: