Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2898

Unable to define realm-mapping for TrustManager based auth

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 3.0.0.Beta25
    • 3.0.0.Beta23
    • Security
    • None
    • Hide
      • clone wildfly-elytron project (key material from it is used)
      • download attached standalone.xml, and edit path element referencing the wildfly-elytron project: 
        <path name="elytron.project" path="/home/kwart/projects/wildfly-security/wildfly-elytron"/>
      • start the server
      • clone elytron-client-demo - used as the reproducer 
        git clone -b SASL-EXTERNAL-server-stuck https://github.com/jboss-security-qe/elytron-client-demo.git
      • edit path to key material in the reproducer method SimpleClient.loadKeyStore too
      • run the reproducer: 
        mvn package exec:java

      It should pass and print "Dung" as username, but it fails.

      Show
      clone wildfly-elytron project (key material from it is used) download attached standalone.xml , and edit path element referencing the wildfly-elytron project: <path name= "elytron.project" path= "/home/kwart/projects/wildfly-security/wildfly-elytron" /> start the server clone elytron-client-demo - used as the reproducer git clone -b SASL-EXTERNAL-server-stuck https: //github.com/jboss-security-qe/elytron-client-demo.git edit path to key material in the reproducer method SimpleClient.loadKeyStore too run the reproducer: mvn package exec:java It should pass and print "Dung" as username, but it fails.

    Description

      For SASL and HTTP mechanisms it is possible to define realm-mapping as part of *-authentication-factory. But this cannot be used for EXTERNAL/CLIENT_CERT mechanism, because ServerAuthenticationContext is not constructed by mechanism but by SecurityDomainTrustManager - without relation to any *-authentication-factory.

      It can be misleading for user, that EXTERNAL mechanism is present in sasl-authentication-factory, but if realm-mapper is defined here, it is ignored: (because SSL authentication finish before any SASL is initiated)

      <sasl-authentication-factory name="client-cert-digest" sasl-server-factory="configured" security-domain="client-cert-domain">
    <mechanism-configuration>
        <mechanism mechanism-name="EXTERNAL" realm-mapper="key-store-realm"/>
    </mechanism-configuration>
</sasl-authentication-factory>

      Should be considered adding way how to pass realm-mapper into SSL authentication - maybe add realm-mapper attribute into server-ssl-context definition?

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-11177 Unable to define realm-mapping for TrustManager based auth

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: