JBoss Enterprise Application Platform
JBEAP-9970

Elytron, misconfiguration of http-authentication-factory leads to 403 - should be 500

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.1.0.DR17
    • 7.1.0.DR15
    • Security
      Follow the steps for securing the management interface with Kerberos: https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#secure_mgmt_interface_krb_elytron

      Replace the creation of the http-authentication-factory with this command, specifying protocol HTTP:

        /subsystem=elytron/http-authentication-factory=example-krb-http-auth:add( \
          http-server-mechanism-factory=global, \
          security-domain=exampleFsSD, \
          mechanism-configurations=[ \
            { \
              mechanism-name=SPNEGO,\
              mechanism-realm-configurations= \
                [ \
                  { \
                    realm-name=exampleFsSD \
                  } \
                ], \
              protocol=DOES_NOT_EXIST,\
              credential-security-factory=krbSF \
            } \
          ] \
        )

      When I misconfigure the http-authentication-factory, e.g. with a non-existent protocol "DOES_NOT_EXIST", I get HTTP status code 403.

      I think 500 would be more appropriate here, as the server is misconfigured and can't authenticate.
      403 means the user does not have the appropriate roles.

      There should also be a log message saying that the http-authentication-factory is misconfigured. Now there is just:

      10:52:04,694 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='BASIC', hostName='localhost.localdomain', protocol='http'.
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost.localdomain', protocol='http'.
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='DIGEST', hostName='localhost.localdomain', protocol='http'.
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='FORM', hostName='localhost.localdomain', protocol='http'.
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback
      10:52:04,694 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='SPNEGO', hostName='localhost.localdomain', protocol='http'.
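
      The TRACE excerpt above is the only evidence the server gives of the broken factory, so a practitioner who hits the 403 has to recognise the pattern in the log. The following is an added example (not part of this issue and not WildFly/Elytron code) that parses such TRACE output: it pairs each "Handling MechanismInformationCallback" line with the ELY01119 exception that follows it and reports the endpoint (mechanism type, host name, protocol) for which no mechanism configuration could be resolved. BROKEN_LOG reproduces the five mechanism failures quoted in the issue; PARTIAL_LOG is a constructed variant in which only one mechanism fails. The rule "a callback with no ELY01119 after it means that mechanism resolved" is an assumption about the TRACE format, based only on the excerpt above, and the org.wildfly.security logger must be at TRACE for these lines to appear at all.

```python
"""Triage of Elytron ELY01119 TRACE lines (added example, not from the issue or WildFly)."""
import re
from collections import defaultdict

CALLBACK_MARK = "Handling MechanismInformationCallback"
PREFIX = "10:52:04,694 TRACE [org.wildfly.security] (management task-6) "

# Matches the ELY01119 line in the format Elytron printed in the issue's excerpt.
ELY01119_RE = re.compile(
    r"ELY01119: Unable to resolve MechanismConfiguration for "
    r"mechanismType='(?P<mtype>[^']*)', mechanismName='(?P<mname>[^']*)', "
    r"hostName='(?P<host>[^']*)', protocol='(?P<proto>[^']*)'\."
)


def _failure_line(mname):
    """Build one ELY01119 line in the issue's format (sample data only)."""
    return (PREFIX + "java.lang.IllegalStateException: ELY01119: Unable to resolve "
            "MechanismConfiguration for mechanismType='HTTP', mechanismName='%s', "
            "hostName='localhost.localdomain', protocol='http'." % mname)


CALLBACK_LINE = PREFIX + CALLBACK_MARK

# Reproduces the issue's excerpt: every mechanism the factory offers fails to resolve.
BROKEN_LOG = "\n".join(
    line
    for mname in ("BASIC", "CLIENT_CERT", "DIGEST", "FORM", "SPNEGO")
    for line in (CALLBACK_LINE, _failure_line(mname))
)

# Constructed: BASIC fails, but the second callback is not followed by an ELY01119,
# so (under this example's assumption) that mechanism resolved a configuration.
PARTIAL_LOG = "\n".join([CALLBACK_LINE, _failure_line("BASIC"), CALLBACK_LINE])


def parse_mechanism_trace(log_text):
    """Walk the TRACE output in order.

    Returns (attempts, failures): attempts is the number of
    MechanismInformationCallback lines, failures a list of dicts
    (mtype, mname, host, proto) for each ELY01119 line.
    """
    attempts = 0
    failures = []
    for line in log_text.splitlines():
        if CALLBACK_MARK in line:
            attempts += 1
            continue
        match = ELY01119_RE.search(line)
        if match:
            failures.append(match.groupdict())
    return attempts, failures


def diagnose(log_text):
    """Summarise which mechanisms could not be resolved, per endpoint.

    factory_unusable is True when every callback was followed by an ELY01119:
    no mechanism can authenticate, which is the state in which the issue
    reports a 403 instead of a 500.
    """
    attempts, failures = parse_mechanism_trace(log_text)
    by_endpoint = defaultdict(list)
    for f in failures:
        by_endpoint[(f["mtype"], f["host"], f["proto"])].append(f["mname"])
    return {
        "attempts": attempts,
        "unresolved": {key: sorted(names) for key, names in by_endpoint.items()},
        "factory_unusable": attempts > 0 and len(failures) == attempts,
    }


def report(log_text):
    """Human-readable one-liner per endpoint, for pasting into a ticket."""
    result = diagnose(log_text)
    lines = []
    for (mtype, host, proto), names in result["unresolved"].items():
        state = "NO mechanism resolved" if result["factory_unusable"] else "some mechanisms resolved"
        lines.append("%s auth for host '%s' over protocol '%s': %s; unresolved: %s"
                     % (mtype, host, proto, state, ", ".join(names)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BROKEN_LOG))
    print(report(PARTIAL_LOG))
```

      When factory_unusable is reported, the thing to check is the mechanism-configurations of the http-authentication-factory: the request's hostName and protocol shown in the ELY01119 line must match what the configuration filters on (in the issue, protocol='http' arrives while the factory was created with protocol=DOES_NOT_EXIST).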
      

            darran.lofthouse@redhat.com Darran Lofthouse
            mchoma@redhat.com Martin Choma