Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12341

ElytronAuthenticator fails with InvalidKeySpecException

    Details

    • Type: Bug
    • Status: Verified (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: 7.1.0.ER2
    • Fix Version/s: 7.1.0.CR1
    • Component/s: Security
    • Labels:
      None
    • Target Release:
    • Steps to Reproduce:
      Hide

      Shared reproducer with JBEAP-12340. The two test methods whose names end with `*WithWorkaround` shows the problem described in this issue.

      Reproducer test code is available here: https://github.com/kwart/wildfly/blob/JBEAP-12340-reproducer/testsuite/integration/manualmode/src/test/java/org/wildfly/test/manual/elytron/seccontext/SecurityContextPropagationTestCase.java

      Full steps to reproduce the issue:

      git clone -b JBEAP-12340-reproducer https://github.com/kwart/wildfly.git
      cd wildfly
      mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip
      cd testsuite/integration/manualmode
      mvn clean test -Dcheckstyle.skip -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile=false -Dtest=SecurityContextPropagationTestCase
      
      Show
      Shared reproducer with JBEAP-12340 . The two test methods whose names end with `*WithWorkaround` shows the problem described in this issue. Reproducer test code is available here: https://github.com/kwart/wildfly/blob/JBEAP-12340-reproducer/testsuite/integration/manualmode/src/test/java/org/wildfly/test/manual/elytron/seccontext/SecurityContextPropagationTestCase.java Full steps to reproduce the issue: git clone -b JBEAP-12340-reproducer https: //github.com/kwart/wildfly.git cd wildfly mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip cd testsuite/integration/manualmode mvn clean test -Dcheckstyle.skip -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile= false -Dtest=SecurityContextPropagationTestCase

      Description

      One of the scenarios which are expected to work in Elytron is a Security context propagation from a protected EJB to a protected Servlet using HttpUrlConnection (details in RFE EAP7-284).

      The scenario doesn't work for me. My configuration:

      EJB client ->  protected EJB on server-1 -> protected Servlet on server-2 (BASIC authn)
      

      The EJB contains following code:

      // this is a hack/workaround for another related issue JBEAP-12340
      Authenticator.setDefault(new ElytronAuthenticator());
      
      final Callable<String> callable = () -> {
          URLConnection conn = url.openConnection();
          conn.connect();
          try (InputStream is = conn.getInputStream()) {
              return IOUtils.toString(is, StandardCharsets.UTF_8);
          }
      };
      
      AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty()
          .useForwardedIdentity(SecurityDomain.getCurrent())
          .setSaslMechanismSelector(SaslMechanismSelector.ALL))
          .runCallable(callable);
      

      the authentication fails with

      java.security.spec.InvalidKeySpecException
              at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineGetKeySpec(PasswordFactorySpiImpl.java:493)
              at org.wildfly.security.password.PasswordFactory.getKeySpec(PasswordFactory.java:163)
              at org.wildfly.security.auth.util.ElytronAuthenticator.getPasswordAuthentication(ElytronAuthenticator.java:95)
              at java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
              at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
              at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
              at java.security.AccessController.doPrivileged(Native Method)
              at sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
              at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2421)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1719)
              at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
              at org.wildfly.test.manual.elytron.seccontext.EntryBean.lambda$readUrl$1(EntryBean.java:71)
              at org.wildfly.common.context.Contextual.runCallable(Contextual.java:127)
              at org.wildfly.test.manual.elytron.seccontext.SeccontextUtil.switchIdentity(SeccontextUtil.java:32)
              at org.wildfly.test.manual.elytron.seccontext.EntryBean.readUrl(EntryBean.java:78)
      ...
      

      The problem seems to be in the method PasswordFactorySpiImpl.engineKeySpec(), which checks the password type:

      if (password instanceof AbstractPasswordImpl) {
      ...
      

      this condition fails for the provided password, which is of type org.wildfly.security.password.interfaces.RawClearPassword.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  pcraveiro Pedro Igor Silva
                  Reporter:
                  jcacek Josef Cacek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: