  1. JBoss Enterprise Application Platform
  2. JBEAP-9029

Unable to use Sun DIGEST_MD5 SASL mechanism with Elytron


    • Bug
    • Resolution: Done
    • Critical
    • 7.1.0.ER1
    • 7.1.0.DR12
    • Security
    • None

      1) Add user:

      ./add-user.sh -u user1 -p pass@123 -r ManagementRealm
      

      2) Change http-interface to Elytron:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      3) Access CLI, it works correctly:

      ./jboss-cli.sh -c -u=user1 -p=pass@123 --no-local-auth
      

      4) Change sasl-server-factory of sasl-authentication-factory name="management-sasl-authentication" to global:

      /subsystem=elytron/sasl-authentication-factory=management-sasl-authentication:write-attribute(name=sasl-server-factory,value=global)
      

      5) Reload the server and try to authenticate to the CLI again. You will see that an incorrect realm (localhost) is used and authentication is not possible:

      ./jboss-cli.sh -c --no-local-auth
      Authenticating against security realm: localhost
      Username:
      

      When a sasl-authentication-factory that directly uses sasl-server-factory="global" is used for authentication with the DIGEST-MD5 mechanism, authentication fails. This is caused by an incorrect realm name being passed for authentication. See Steps to Reproduce for more details.

      The following is used to create the DIGEST-MD5 authentication response (realm "localhost" is not the correct realm):

      charset=utf-8,username="user1",realm="localhost",nonce="N7K8/KwSm/p8dxOK2LgcCBDPrhva3ILhHLQ4qWXO",nc=00000001,cnonce="MVJ6zYGtLDjffNPgt+l7OKXq62o1vu/QkPooB1EyCBxK6JiG",digest-uri="remote/localhost",maxbuf=65536,response=3acb12f0e1f42edc48e13cac8e77ae2e,qop=auth
      

            fjuma1@redhat.com Farah Juma
            olukas Ondrej Lukas (Inactive)
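
Why the wrong realm breaks authentication, as an added example that is not part of the original report or of Elytron's code: in RFC 2831 the realm is hashed into the DIGEST-MD5 response, so a reply computed for realm "localhost" cannot be verified against a credential bound to ManagementRealm. The helper names are hypothetical, and the response checked at the end is recomputed from the report's user and password (constructed), not the value captured in the report.

```python
import hashlib
import re

# Digest-response copied from the report above.
CAPTURED = (
    'charset=utf-8,username="user1",realm="localhost",'
    'nonce="N7K8/KwSm/p8dxOK2LgcCBDPrhva3ILhHLQ4qWXO",nc=00000001,'
    'cnonce="MVJ6zYGtLDjffNPgt+l7OKXq62o1vu/QkPooB1EyCBxK6JiG",'
    'digest-uri="remote/localhost",maxbuf=65536,'
    'response=3acb12f0e1f42edc48e13cac8e77ae2e,qop=auth'
)

# key=value pairs; a value is either a quoted string or runs to the next comma.
_PAIR = re.compile(r'([A-Za-z-]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')


def parse_directives(message):
    """Split an RFC 2831 directive list into a dict, unescaping quoted values."""
    return {key: re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
            for key, quoted, bare in _PAIR.findall(message)}


def _md5(data):
    return hashlib.md5(data).digest()


def digest_response(d, realm, password):
    """RFC 2831 response value for qop=auth without authzid, charset=utf-8."""
    secret = _md5(f'{d["username"]}:{realm}:{password}'.encode("utf-8"))
    a1 = secret + f':{d["nonce"]}:{d["cnonce"]}'.encode("utf-8")
    a2 = f'AUTHENTICATE:{d["digest-uri"]}'.encode("utf-8")
    kd = (f'{_md5(a1).hex()}:{d["nonce"]}:{d["nc"]}:'
          f'{d["cnonce"]}:{d["qop"]}:{_md5(a2).hex()}')
    return _md5(kd.encode("utf-8")).hex()


def server_accepts(d, credential_realm, password):
    """Recompute with the realm the stored credential is bound to and compare."""
    return digest_response(d, credential_realm, password) == d["response"]


if __name__ == "__main__":
    d = parse_directives(CAPTURED)
    print("realm sent by client:", d["realm"])
    # Constructed: the response a client would send for the realm it was offered.
    d["response"] = digest_response(d, d["realm"], "pass@123")
    for realm in ("localhost", "ManagementRealm"):
        print(realm, "->", server_accepts(d, realm, "pass@123"))
```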