Details
Bug
Resolution: Done
Major
8.1.0.CR2, 8.1.0.Final
None
Description
I exchanged the security realm 'ManagementRealm' for the management-interfaces with a custom one (which I wrote) like this:
<management-interfaces>
    <http-interface security-realm="SaltAndPepperRealm" http-upgrade-enabled="true">
        <socket-binding http="management-http"/>
    </http-interface>
</management-interfaces>
My custom security realm is using the "PLAIN" mechanism, because I need the ValidatePasswordCredential interface.
It is all working fine as long as you do not try to log into the WildFly management (http://localhost:9990/console/App.html) with an empty username.
Here is the stack trace that an empty-username login attempt creates:
22:20:34,722 ERROR [io.undertow.request] (XNIO-1 task-9) Blocking request failed HttpServerExchange{ POST /management}: java.lang.IllegalArgumentException
    at javax.security.auth.callback.NameCallback.<init>(NameCallback.java:90) [rt.jar:1.8.0]
    at org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:137) [wildfly-domain-http-interface-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(RealmIdentityManager.java:120) [wildfly-domain-http-interface-8.1.0.Final.jar:8.1.0.Final]
    at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:110) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:57) [wildfly-domain-http-interface-8.1.0.Final.jar:8.1.0.Final]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.8.0]
I then debugged the WildFly and Undertow code and found out that in BasicAuthenticationMechanism.java at line 102 the variable 'plainChallenge' had the value ":" (just a colon) and the if-condition is nevertheless fulfilled. Maybe this is correct behavior (I do not know), but then in RealmIdentityManager.java at line 137 the above exception gets thrown.
The problem is that the user will not get any feedback in his browser and just stares at the "Loading ..." text and gif. Also, when reloading the page or opening it again in a new tab, the site will still show the loading message. One needs to restart the browser, clear the cache or do it in a private tab to get it to work.
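The failure mode reported above, as an added example that is not WildFly or Undertow code and not the project's fix: a Basic credential that decodes to ":" yields an empty user name, which the two-argument NameCallback constructor rejects with IllegalArgumentException. The class name, the parse() helper and the sample headers are hypothetical and constructed for illustration; treating an empty user name as an ordinary failed login (a fresh 401 challenge) is an assumption about the desired behaviour.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import javax.security.auth.callback.NameCallback;

public class BasicCredentialGuard {
    static final class Credentials {
        final String user; final char[] password;
        Credentials(String u, char[] p) { user = u; password = p; }
    }

    /**
     * Parses "Basic <base64(user:password)>". Returns empty for input that should
     * get a new 401 challenge: wrong scheme, bad base64, no colon, or empty user.
     */
    static Optional<Credentials> parse(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return Optional.empty();
        String plain;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            plain = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return Optional.empty();
        }
        int colon = plain.indexOf(':');
        if (colon <= 0) return Optional.empty();   // -1: no colon, 0: empty user name (":")
        return Optional.of(new Credentials(plain.substring(0, colon),
                                           plain.substring(colon + 1).toCharArray()));
    }

    public static void main(String[] args) {
        // Constructed sample headers; "Og==" is the base64 encoding of ":".
        String[] samples = { "Basic YWRtaW46c2VjcmV0", "Basic Og==", "Basic !!!", "Bearer abc" };
        for (String h : samples) {
            Optional<Credentials> c = parse(h);
            if (c.isPresent()) {
                NameCallback cb = new NameCallback("User name", c.get().user); // name is non-empty here
                System.out.println(h + " -> callback for '" + cb.getDefaultName() + "'");
            } else {
                System.out.println(h + " -> reject, answer 401 with WWW-Authenticate");
            }
        }
        try {
            new NameCallback("User name", "");   // what an unguarded ":" credential leads to
        } catch (IllegalArgumentException e) {
            System.out.println("unguarded empty name -> " + e);
        }
    }
}
```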