WildFly Core / WFCORE-2442

Incorrect realm for DIGEST-MD5 when Elytron SASL global factory is directly used


Details

    • Bug
    • Resolution: Done
    • Blocker
    • 3.0.0.Beta26
    • None
    • Security
    • None
    Steps to Reproduce

      1) Add user:

      ./add-user.sh -u user1 -p pass@123 -r ManagementRealm
      

      2) Change http-interface to Elytron:

      <http-interface http-authentication-factory="management-http-authentication">
          <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
          <socket-binding http="management-http"/>
      </http-interface>
      

      3) Access CLI, it works correctly:

      ./jboss-cli.sh -c -u=user1 -p=pass@123 --no-local-auth
      

      4) Change sasl-server-factory of sasl-authentication-factory name="management-sasl-authentication" to global:

      /subsystem=elytron/sasl-authentication-factory=management-sasl-authentication:write-attribute(name=sasl-server-factory,value=global)
      

      5) Reload the server and try to authenticate to the CLI again. You will see that the incorrect realm (localhost) is used and authentication is not possible:

      ./jboss-cli.sh -c --no-local-auth
      Authenticating against security realm: localhost
      Username:
      

    Description

      When a sasl-authentication-factory that directly uses sasl-server-factory="global" is used for authentication with the DIGEST-MD5 mechanism, authentication fails. The cause is an incorrect realm name being passed for authentication. See Steps to Reproduce for more details.

      The following digest-response is sent as the DIGEST-MD5 authentication response (the realm "localhost" is not the correct realm):

      charset=utf-8,username="user1",realm="localhost",nonce="N7K8/KwSm/p8dxOK2LgcCBDPrhva3ILhHLQ4qWXO",nc=00000001,cnonce="MVJ6zYGtLDjffNPgt+l7OKXq62o1vu/QkPooB1EyCBxK6JiG",digest-uri="remote/localhost",maxbuf=65536,response=3acb12f0e1f42edc48e13cac8e77ae2e,qop=auth
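
      To show why the wrong realm makes the response unverifiable, here is an added example (not WildFly or Elytron code) that computes the RFC 2831 DIGEST-MD5 response-value from the nonce, cnonce and digest-uri of the response above and the password from step 1, then checks it the way a server would against the realm the user was added to. The server-side check uses the clear-text password for brevity; a real server holds the pre-hashed H(username:realm:password), which is keyed to the same realm name, so the mismatch is identical.

```python
import hashlib
import hmac
import re

# Challenge values taken from the failing response quoted in the description; the
# password is the one from step 1 of the reproducer. The response hex is computed here.
NONCE = "N7K8/KwSm/p8dxOK2LgcCBDPrhva3ILhHLQ4qWXO"
CNONCE = "MVJ6zYGtLDjffNPgt+l7OKXq62o1vu/QkPooB1EyCBxK6JiG"
PASSWORD = "pass@123"

_PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^,]*))')


def parse_digest_response(text: str) -> dict:
    """Split a DIGEST-MD5 digest-response (RFC 2831 section 2.1.2) into its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PAIR.finditer(text)}


def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """response-value per RFC 2831 section 2.1.2.1 (qop=auth, no authzid)."""
    # A1 = H(username:realm:passwd) ":" nonce ":" cnonce. The realm is hashed into A1,
    # so a client and server that disagree on it can never produce the same value.
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode("utf-8")).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode("utf-8")).hexdigest()


def build_client_response(realm: str, username: str = "user1") -> str:
    """What the CLI sends when it believes the realm is `realm` (same shape as the quoted response)."""
    resp = digest_md5_response(username, realm, PASSWORD, NONCE, CNONCE, "00000001", "auth", "remote/localhost")
    return (f'charset=utf-8,username="{username}",realm="{realm}",nonce="{NONCE}",nc=00000001,'
            f'cnonce="{CNONCE}",digest-uri="remote/localhost",maxbuf=65536,response={resp},qop=auth')


def server_verifies(response_text: str, server_realm: str) -> bool:
    """Server side: recompute over the realm the user actually exists in and compare."""
    f = parse_digest_response(response_text)
    expected = digest_md5_response(f["username"], server_realm, PASSWORD, f["nonce"],
                                   f["cnonce"], f["nc"], f["qop"], f["digest-uri"])
    return hmac.compare_digest(expected, f["response"])


if __name__ == "__main__":
    wrong = build_client_response("localhost")        # realm the CLI reports in step 5
    right = build_client_response("ManagementRealm")  # realm the user was added to in step 1
    print("realm=localhost verifies against ManagementRealm:", server_verifies(wrong, "ManagementRealm"))
    print("realm=ManagementRealm verifies against ManagementRealm:", server_verifies(right, "ManagementRealm"))
```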
      

            People

              fjuma1@redhat.com Farah Juma
              olukas Ondrej Lukas (Inactive)