Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-11904

x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context

    XMLWordPrintable

Details

    • Hide

      1) generate needed keystores and truststores

      2) configure Elytron application server:

      <security-domain name="security-domain-subject-dn" default-realm="ldap-realm-subject-dn" permission-mapper="default-permission-mapper" principal-decoder="x500AttributePrincipalDecoder">
    <realm name="ldap-realm-subject-dn"/>
</security-domain>
...
<ldap-realm name="ldap-realm-subject-dn" dir-context="elytron-ldap-dir-context" direct-verification="true">
    <identity-mapping rdn-identifier="uid" use-recursive-search="true" search-base-dn="o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org">
        <x509-credential-mapper subject-dn-from="businessCategory"/>
    </identity-mapping>
</ldap-realm>
...
<x500-attribute-principal-decoder name="x500AttributePrincipalDecoder" oid="2.5.4.3" maximum-segments="1"/>
...
<tls>
    <key-stores>
        <key-store name="keyStore" type="jks">
            <file path="PATH/server.keystore"/>
            <credential-reference clear-text="secretKeyStore"/>
        </key-store>
        <key-store name="trustStore" type="jks">
            <file path="PATH/server.truststore"/>
            <credential-reference clear-text="secretKeyStore"/>
        </key-store>
    </key-stores>
    <key-managers>
        <key-manager name="keyManager" algorithm="SunX509" key-store="keyStore">
            <credential-reference clear-text="secret"/>
        </key-manager>
    </key-managers>
    <trust-managers>
        <trust-manager name="trustManager" algorithm="SunX509" key-store="trustStore"/>
    </trust-managers>
    <server-ssl-contexts>
        <server-ssl-context name="serverSslContext" security-domain="security-domain-subject-dn" want-client-auth="true" need-client-auth="true" key-manager="keyManager" trust-manager="trustManager"/>
    </server-ssl-contexts>
</tls>
...
<dir-contexts>
    <dir-context name="elytron-ldap-dir-context" url="ldap://localhost:10389" principal="uid=admin,ou=system">
        <credential-reference clear-text="secret"/>
    </dir-context>
</dir-contexts>

      3) configure in undertow:

      <https-listener name="https" socket-binding="https" ssl-context="serverSslContext" enable-http2="true"/>

      4) configure LDAP server to include needed data

      5) try to access https://localhost:8443

      Show
      1) generate needed keystores and truststores 2) configure Elytron application server: <security-domain name= "security-domain-subject-dn" default -realm= "ldap-realm-subject-dn" permission-mapper= " default -permission-mapper" principal-decoder= "x500AttributePrincipalDecoder" > <realm name= "ldap-realm-subject-dn" /> </security-domain> ... <ldap-realm name= "ldap-realm-subject-dn" dir-context= "elytron-ldap-dir-context" direct-verification= " true " > <identity-mapping rdn-identifier= "uid" use-recursive-search= " true " search-base-dn= "o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org" > <x509-credential-mapper subject-dn-from= "businessCategory" /> </identity-mapping> </ldap-realm> ... <x500-attribute-principal-decoder name= "x500AttributePrincipalDecoder" oid= "2.5.4.3" maximum-segments= "1" /> ... <tls> <key-stores> <key-store name= "keyStore" type= "jks" > <file path= "PATH/server.keystore" /> <credential-reference clear-text= "secretKeyStore" /> </key-store> <key-store name= "trustStore" type= "jks" > <file path= "PATH/server.truststore" /> <credential-reference clear-text= "secretKeyStore" /> </key-store> </key-stores> <key-managers> <key-manager name= "keyManager" algorithm= "SunX509" key-store= "keyStore" > <credential-reference clear-text= "secret" /> </key-manager> </key-managers> <trust-managers> <trust-manager name= "trustManager" algorithm= "SunX509" key-store= "trustStore" /> </trust-managers> <server-ssl-contexts> <server-ssl-context name= "serverSslContext" security-domain= "security-domain-subject-dn" want-client-auth= " true " need-client-auth= " true " key-manager= "keyManager" trust-manager= "trustManager" /> </server-ssl-contexts> </tls> ... <dir-contexts> <dir-context name= "elytron-ldap-dir-context" url= "ldap: //localhost:10389" principal= "uid=admin,ou=system" > <credential-reference clear-text= "secret" /> </dir-context> </dir-contexts> 3) configure in undertow: <https-listener name= "https" socket-binding= "https" ssl-context= "serverSslContext" enable-http2= " true " /> 4) configure LDAP server to include needed data 5) try to access https://localhost:8443

    Description

      When ldap-realm with x509-credential-mapper is used in security-domain which is referenced from server-ssl-context then authorization fails. It seems it is caused by using ServerAuthenticationContext.NameAssignedState in [1] which fails in [2] due to [3]. This issue causes that x509-credential-mapper cannot work in server-ssl-context.

      Server log:

      2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ], pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
2017-06-30 15:01:22,023 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [clientSubjectDn]...
2017-06-30 15:01:22,028 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [clientSubjectDn].
2017-06-30 15:01:22,044 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,081 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@6ca3ef32] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,084 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,086 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [null]. Binary attributes are [null].
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@6ca3ef32] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,154 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,179 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@75395ba6] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
2017-06-30 15:01:22,195 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,197 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,198 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@75395ba6] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,200 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2)     Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,212 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@22d42495] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,213 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,214 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@22d42495] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
	at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
	at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
	at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
	at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
	at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
	at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
	at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
	at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
	at org.wildfly.security.auth.server.ServerAuthenticationContext.succeed(ServerAuthenticationContext.java:492)
	at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:123)
	at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
	at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

      Since there is no documentation for this scenario it is possible that this is just a configuration issue - in that case please provide valid configuration for this scenario.

      [1] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L120
      [2] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L122
      [3] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L1943

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ELY-1275 x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context

          • Critical - To be worked on immediately following BLOCKER issues.
          • Resolved
          is incorporated by

          Component Upgrade - A task tracking an update to a bundled component or revision of component upstream of the project. JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: