Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11177

Unable to define realm-mapping for TrustManager based auth

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 7.1.0.ER1
    • 7.1.0.DR19
    • Security
    • None
    • Hide
      • clone wildfly-elytron project (key material from it is used)
      • download attached standalone.xml, and edit path element referencing the wildfly-elytron project: 
        <path name="elytron.project" path="/home/kwart/projects/wildfly-security/wildfly-elytron"/>
      • start the server
      • clone elytron-client-demo - used as the reproducer 
        git clone -b SASL-EXTERNAL-server-stuck https://github.com/jboss-security-qe/elytron-client-demo.git
      • edit path to key material in the reproducer method SimpleClient.loadKeyStore too
      • run the reproducer: 
        mvn package exec:java

      It should pass and print "Dung" as username, but it fails.

      Show
      clone wildfly-elytron project (key material from it is used) download attached standalone.xml , and edit path element referencing the wildfly-elytron project: <path name= "elytron.project" path= "/home/kwart/projects/wildfly-security/wildfly-elytron" /> start the server clone elytron-client-demo - used as the reproducer git clone -b SASL-EXTERNAL-server-stuck https: //github.com/jboss-security-qe/elytron-client-demo.git edit path to key material in the reproducer method SimpleClient.loadKeyStore too run the reproducer: mvn package exec:java It should pass and print "Dung" as username, but it fails.

    Description

      For SASL and HTTP mechanisms it is possible to define realm-mapping as part of *-authentication-factory. But this cannot be used for EXTERNAL/CLIENT_CERT mechanism, because ServerAuthenticationContext is not constructed by mechanism but by SecurityDomainTrustManager - without relation to any *-authentication-factory.

      It can be misleading for user, that EXTERNAL mechanism is present in sasl-authentication-factory, but if realm-mapper is defined here, it is ignored: (because SSL authentication finish before any SASL is initiated)

      <sasl-authentication-factory name="client-cert-digest" sasl-server-factory="configured" security-domain="client-cert-domain">
    <mechanism-configuration>
        <mechanism mechanism-name="EXTERNAL" realm-mapper="key-store-realm"/>
    </mechanism-configuration>
</sasl-authentication-factory>

      Should be considered adding way how to pass realm-mapper into SSL authentication - maybe add realm-mapper attribute into server-ssl-context definition?

      Attachments

        1. server.log
          67 kB
        2. standalone.xml
          34 kB

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ELY-1217 Unable to define realm-mapping for TrustManager based auth

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-2898 Unable to define realm-mapping for TrustManager based auth

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-11305 Upgrade WildFly Elytron to 1.1.0.Beta51

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11684 Elytron realm-mapper on server-ssl-context is ignored for HTTP based authn

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Ondrej Kotek Ondrej Kotek
              Ondrej Kotek Ondrej Kotek
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: