WildFly Core: WFCORE-2894

Authentication with context defined in outbound connection with non-http-remoting protocol always fails unless it is Elytron default


Details


      This uses https://github.com/jmartisk/mock-artifacts/tree/master/ejb-server-to-server/ejb-server-to-server-elytron .

      1. Start the server-side EAP, add a user and deploy the server-side deployment:

      {$SERVER_SIDE}/bin/add-user.sh -a -g users -u admin -p admin123+

      2. Configure the server-side EAP (a dedicated remoting connector on port 4447 using the application SASL authentication factory):

      /socket-binding-group=standard-sockets/socket-binding=remoting:add(port=4447)
      /subsystem=remoting/connector=remoting-connector:add(socket-binding=remoting, sasl-authentication-factory=application-sasl-authentication)
      

      3. Start the client-side EAP bound to a different loopback address, with a system property pointing at the server-side host:

      {$CLIENT_SIDE}/bin/standalone.sh -b 127.0.0.8 -bmanagement 127.0.0.8 -Dremote.ejb.host=127.0.0.1

      4. Set up the outbound connection referenced from the deployment, then access http://127.0.0.8:8080/client-side/ :

      Authentication context defined in the remote outbound connection, with no Elytron default:
      /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=4447)
      /subsystem=elytron/authentication-configuration=admin-cfg:add(sasl-mechanism-selector=(!JBOSS-LOCAL-USER && DIGEST-MD5), credential-reference={clear-text="admin123+"}, authentication-name=admin, protocol=remote)
      /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}])
      /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb)
      reload
      deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war

      5. If the aforementioned authentication context is instead defined as the Elytron default (even when it is not set on the connection, but exclusively as the default), authentication passes.


    Description

      Attempting to authenticate with an authentication context defined in a remote outbound connection always fails unless a correct Elytron default context is defined. Note in the client-side security output below that the match rule for the configured context only covers the http-remoting scheme; the lookup for the remote:// URI gets no match rule and falls back to the anonymous principal:

      13:10:45,693 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:10:45,729 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=127.0.0.1,set-port=4447,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:10:45,756 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:10:45,758 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=127.0.0.1,set-port=4447,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      

      When a correct Elytron default context is defined, the security output on the client-side server is the following (the remote:// lookup now resolves to the admin principal with credentials present):

      13:14:10,571 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:14:10,602 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:14:10,612 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      13:14:10,613 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present,providers-supplier=org.wildfly.security.util.ProviderUtil$1@220487eb,sasl-mechanism-selector=((!JBOSS-LOCAL-USER&&DIGEST-MD5)),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
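The two trace excerpts above differ in exactly one lookup: the one for the remote:// URI. The following check, added here as an example and not part of the issue or of WildFly, parses org.wildfly.security getAuthenticationConfiguration TRACE lines and reports endpoints that resolved with credentials under one scheme but fell back to the anonymous principal under another; the embedded log samples are constructed, trimmed copies of the lines quoted in this issue.

```python
import re

# Constructed samples: trimmed copies of the client-side TRACE lines quoted in the issue.
BROKEN_LOG = """\
13:10:45,693 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present]
13:10:45,729 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=127.0.0.1,set-port=4447]
"""
FIXED_LOG = """\
13:14:10,571 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=http-remoting://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[scheme=http-remoting,host=127.0.0.1,port=4447], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present]
13:14:10,602 TRACE [org.wildfly.security] (default task-1) getAuthenticationConfiguration uri=remote://127.0.0.1:4447, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, purpose=null, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=admin,set-host=127.0.0.1,set-protocol=remote,set-port=4447,credentials-present]
"""

# Pulls scheme/host/port of the looked-up URI, the MatchRule body and the resolved principal.
LOOKUP_RE = re.compile(
    r"getAuthenticationConfiguration uri=(?P<scheme>[\w-]+)://(?P<host>[^:,]+):(?P<port>\d+),"
    r".*?MatchRule=\[(?P<rule>[^\]]*)\],"
    r".*?principal=(?P<principal>[^,\]]+)"
)


def parse_lookups(log_text):
    """Return one dict per getAuthenticationConfiguration TRACE line; other lines are ignored."""
    lookups = []
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["credentials"] = "credentials-present" in line
            lookups.append(entry)
    return lookups


def find_unauthenticated_fallbacks(lookups):
    """Group lookups by host:port; flag any scheme that resolved to anonymous while another
    scheme for the same endpoint resolved with credentials (the symptom described in this issue)."""
    by_endpoint = {}
    for lk in lookups:
        by_endpoint.setdefault((lk["host"], lk["port"]), []).append(lk)
    findings = []
    for (host, port), entries in by_endpoint.items():
        credentialed = sorted({e["scheme"] for e in entries if e["credentials"]})
        for e in entries:
            if e["principal"] == "anonymous" and credentialed:
                findings.append({"uri": f'{e["scheme"]}://{host}:{port}',
                                 "rule": e["rule"], "credentialed_schemes": credentialed})
    return findings


if __name__ == "__main__":
    for name, log in (("broken", BROKEN_LOG), ("fixed", FIXED_LOG)):
        print(name, find_unauthenticated_fallbacks(parse_lookups(log)))
```

Run it against a client-side server.log captured with org.wildfly.security at TRACE; an empty result for every endpoint means each scheme used by the connection picked up the configured credentials.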
      

            People

              fjuma1@redhat.com Farah Juma