Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8772

Deployments referencing outbound connection with authentication context always use Elytron default-authentication-context

    XMLWordPrintable

Details

    • Hide

      This uses https://github.com/jmartisk/mock-artifacts/tree/master/ejb-server-to-server/ejb-server-to-server-elytron .

      1. Start server-side EAP, add user and deploy server side deployment:

      {$SERVER_SIDE}/bin/add-user.sh -a -g users -u admin -p admin123+

      2. Start client-side EAP bound to different loopback address with system property:

      {$CLIENT_SIDE}/bin/standalone.sh -b 127.0.0.8 -bmanagement 127.0.0.8 -Dremote.ejb.host=127.0.0.1

      3. Use the following setups to reproduce the three configuration scenarios mentioned in description, then access http://127.0.0.8:8080/client-side/ :

      Authentication context defined in remote outbound connection, no Elytron default
      /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080)
/subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="admin123+"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5])
/subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}])
/subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb)
reload
deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war
      Authentication context defined only in Elytron default
      /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080)
/subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="admin123+"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5])
/subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}])
/subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(outbound-socket-binding-ref=remote-ejb)
/subsystem=elytron:write-attribute(name=default-authentication-context,value=admin-ctx)
reload
deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war
      Correct authentication context defined in remote outbound connection, wrong in Elytron default
      /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080)
/subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="admin123+"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5])
/subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}])
/subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(outbound-socket-binding-ref=remote-ejb)
/subsystem=elytron/authentication-configuration=default-wrong-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="badPwd"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5])
/subsystem=elytron/authentication-context=default-wrong-ctx:add(match-rules=[{authentication-configuration=default-wrong-cfg}])
/subsystem=elytron:write-attribute(name=default-authentication-context,value=default-wrong-ctx)
reload
deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war

      4. The only working setup would look like this:

      /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080)
/subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text="admin123+"}, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5])
/subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}])
/subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb)
/subsystem=elytron:write-attribute(name=default-authentication-context,value=admin-ctx)
reload
deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war
      Show
      This uses https://github.com/jmartisk/mock-artifacts/tree/master/ejb-server-to-server/ejb-server-to-server-elytron . 1. Start server-side EAP, add user and deploy server side deployment: {$SERVER_SIDE}/bin/add-user.sh -a -g users -u admin -p admin123+ 2. Start client-side EAP bound to different loopback address with system property: {$CLIENT_SIDE}/bin/standalone.sh -b 127.0.0.8 -bmanagement 127.0.0.8 -Dremote.ejb.host=127.0.0.1 3. Use the following setups to reproduce the three configuration scenarios mentioned in description, then access http://127.0.0.8:8080/client-side/ : Authentication context defined in remote outbound connection, no Elytron default /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "admin123+" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war Authentication context defined only in Elytron default /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "admin123+" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(outbound-socket-binding-ref=remote-ejb) /subsystem=elytron:write-attribute(name= default -authentication-context,value=admin-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war Correct authentication context defined in remote outbound connection, wrong in Elytron default /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "admin123+" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(outbound-socket-binding-ref=remote-ejb) /subsystem=elytron/authentication-configuration= default -wrong-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "badPwd" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context= default -wrong-ctx:add(match-rules=[{authentication-configuration= default -wrong-cfg}]) /subsystem=elytron:write-attribute(name= default -authentication-context,value= default -wrong-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war 4. The only working setup would look like this: /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=${remote.ejb.host}, port=8080) /subsystem=elytron/authentication-configuration=admin-cfg:add(forbid-sasl-mechanisms=[JBOSS-LOCAL-USER], credential-reference={clear-text= "admin123+" }, authentication-name=admin, realm=ApplicationRealm, allow-sasl-mechanisms=[DIGEST-MD5]) /subsystem=elytron/authentication-context=admin-ctx:add(match-rules=[{authentication-configuration=admin-cfg}]) /subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=admin-ctx, outbound-socket-binding-ref=remote-ejb) /subsystem=elytron:write-attribute(name= default -authentication-context,value=admin-ctx) reload deploy {$MOCK_ARTIFACTS}/ejb-server-to-server/ejb-server-to-server-elytron/client/target/client-side.war

    Description

      Analysis document for EAP7-551 states the following:

      This RFE is to add a reference to the new authentication-context capability to the remote-outbound-connection resource and make use of it satisfy the security requirements for the outbound connections being established.

      The AuthenticationContext will be used to access both information required for authentication and also for any SSLContext required for the connection.

      A newly referenced authentication-context will be used to provide all security configuration for outbound connections.

      However, currently the remoting outbound connections will only use Elytron default authentication context and ignore authentication context defined in remoting outbound connection resource:

      • If no default authentication context is defined in Elytron subsystem but remote outbound connection has defined one, no authentication context is associated with remote outbound connection.
      • If the default authentication context is defined in Elytron subsystem but no authentication context is defined in remote outbound connection, remoting assumes that outbound connection uses legacy security.
      • If the default authentication context is defined in Elytron subsystem and different authentication context is defined in remote outbound connection, the remote outbound connection will use the Elytron subsystem default none the less.
      • The authentication context defined in outbound remote connection will only work if it is the same as default authentication context in Elytron subsystem.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-10610 Deployments referencing outbound connection with authentication context always use Elytron default-authentication-context

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified
          impacts account

          Bug - A problem that impairs or prevents the functions of the product. WFCC-33 Processing of wildfly.config.url does not check for empty string

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              fjuma1@redhat.com Farah Juma
              fjuma1@redhat.com Farah Juma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: