[JBoss JIRA] (ELY-271) EJB authentication via Kerberos does not work with wildfly-security-api
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-271?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse resolved ELY-271.
----------------------------------
Resolution: Out of Date
> EJB authentication via Kerberos does not work with wildfly-security-api
> -----------------------------------------------------------------------
>
> Key: ELY-271
> URL: https://issues.jboss.org/browse/ELY-271
> Project: WildFly Elytron
> Issue Type: Bug
> Components: SASL
> Affects Versions: 1.0.0.Alpha3
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Fix For: 1.1.0.CR2
>
> Attachments: client.zip, server.jar
>
>
> EJB authentication via Kerberos does not work for projects using EJB Client with dependency on org.wildfly:wildfly-security-api. EJB invocation failed with exception:
> {noformat}
> java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
> GSSAPI: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by javax.security.sasl.SaslException: ELY05127: [GSSAPI] No security layer supported by server but maximum message size received: "65536"]
> at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)
> at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:80)
> at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
> at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:158)
> at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:115)
> at org.jboss.ejb.client.naming.ejb.EjbNamingContext.createIdentifiableEjbClientContext(EjbNamingContext.java:258)
> at org.jboss.ejb.client.naming.ejb.EjbNamingContext.setupScopedEjbClientContextIfNeeded(EjbNamingContext.java:123)
> at org.jboss.ejb.client.naming.ejb.EjbNamingContext.<init>(EjbNamingContext.java:98)
> at org.jboss.ejb.client.naming.ejb.ejbURLContextFactory.getObjectInstance(ejbURLContextFactory.java:38)
> at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
> at javax.naming.spi.NamingManager.getURLContext(NamingManager.java:550)
> at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:345)
> at javax.naming.InitialContext.lookup(InitialContext.java:417)
> at client.Client.main(Client.java:19)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:483)
> at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:297)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
> GSSAPI: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by javax.security.sasl.SaslException: ELY05127: [GSSAPI] No security layer supported by server but maximum message size received: "65536"]
> at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:114)
> at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:393)
> at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:243)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:199)
> at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:113)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
> at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
> at ...asynchronous invocation...(Unknown Source)
> at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:272)
> at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:388)
> at org.jboss.ejb.client.remoting.EndpointPool$PooledEndpoint.connect(EndpointPool.java:192)
> at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:153)
> at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
> at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:78)
> ... 18 more
> {noformat}
> Note:
> The dependency org.wildfly:wildfly-security-api has a transitive dependency on org.wildfly.security:wildfly-elytron. The wildfly-elytron artifact uses the service org.wildfly.security.sasl.gssapi.GssapiClientFactory, which is added via Java SPI as javax.security.sasl.SaslClientService. Adding this service causes Kerberos authentication to be handled by org.wildfly.security.sasl.gssapi.GssapiClient, which leads to authentication failures.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
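A classpath check for the situation the ELY-271 note describes, as an added example that is not part of the original issue or of Elytron's code: it lists every SaslClientFactory visible to the client that advertises GSSAPI, together with the jar it was loaded from, so an implementation pulled in transitively shows up before it is hit at connection time. The class name GssapiFactoryAudit is hypothetical; only standard JDK APIs are used.

```java
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.ServiceLoader;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClientFactory;

// Hypothetical diagnostic class; run it with the same classpath as the EJB client.
public class GssapiFactoryAudit {

    // Describe each factory that advertises the mechanism: class name plus the jar it came from.
    static List<String> claiming(String mechanism, Iterable<SaslClientFactory> factories) {
        List<String> hits = new ArrayList<>();
        for (SaslClientFactory f : factories) {
            String[] names = f.getMechanismNames(Collections.<String, Object>emptyMap());
            if (names == null || !Arrays.asList(names).contains(mechanism)) {
                continue;
            }
            CodeSource src = f.getClass().getProtectionDomain().getCodeSource();
            String origin = (src == null || src.getLocation() == null)
                    ? "JDK/bootstrap" : src.getLocation().toString();
            hits.add(f.getClass().getName() + " <- " + origin);
        }
        return hits;
    }

    public static void main(String[] args) {
        String mech = args.length > 0 ? args[0] : "GSSAPI";
        // Factories registered through META-INF/services, the SPI route the note describes.
        List<String> viaSpi = claiming(mech, ServiceLoader.load(SaslClientFactory.class));
        // Factories registered through installed java.security.Provider entries.
        List<String> viaProviders = claiming(mech, Collections.list(Sasl.getSaslClientFactories()));

        viaSpi.forEach(h -> System.out.println("[service loader] " + h));
        viaProviders.forEach(h -> System.out.println("[provider]       " + h));

        // More than one implementation means the one used depends on discovery order.
        List<String> all = new ArrayList<>(viaSpi);
        viaProviders.stream().filter(h -> !all.contains(h)).forEach(all::add);
        if (all.size() > 1) {
            System.out.println("WARNING: " + all.size() + " factories claim " + mech
                    + "; check the dependency tree for the unexpected one.");
        }
    }
}
```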
[JBoss JIRA] (ELY-415) Eliminate RuntimeExceptions thrown from SecurityRealm implementations.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-415?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse resolved ELY-415.
----------------------------------
Resolution: Out of Date
> Eliminate RuntimeExceptions thrown from SecurityRealm implementations.
> ----------------------------------------------------------------------
>
> Key: ELY-415
> URL: https://issues.jboss.org/browse/ELY-415
> Project: WildFly Elytron
> Issue Type: Task
> Components: Realms
> Reporter: Darran Lofthouse
> Priority: Critical
> Fix For: 1.1.0.CR2
>
>
> Where a realm is temporarily unavailable we have the RealmUnavailableException - in other cases however our API generally requires that null or empty representations are returned when identities can not be loaded or validation.
> In a few cases RuntimeExceptions have crept into the implementations; we need to eliminate these as any code written according to the API and not expecting them risks breaking for unexpected RuntimeExceptions.
> Each method on the API should also be double checked to ensure it clearly documents what should happen if it can not return the desired result.
[JBoss JIRA] (ELY-355) HTTP Authentication Mechanism Testing
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-355?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-355:
---------------------------------
Fix Version/s: 1.2.0.Beta1
(was: 1.1.0.CR2)
> HTTP Authentication Mechanism Testing
> -------------------------------------
>
> Key: ELY-355
> URL: https://issues.jboss.org/browse/ELY-355
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: Testsuite
> Reporter: Darran Lofthouse
> Assignee: Darran Lofthouse
> Fix For: 1.2.0.Beta1
>
>
> We don't want to create a full HTTP server but we should have a sufficient wrapper to test the HTTP authentication framework and test out specific mechanisms.
> This will leave the Elytron Web project to smoke test integration and not focus on testing the actual mechanisms.
[JBoss JIRA] (ELY-341) PEM file format support
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-341?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-341:
---------------------------------
Fix Version/s: 1.2.0.Beta1
(was: 1.1.0.CR2)
> PEM file format support
> -----------------------
>
> Key: ELY-341
> URL: https://issues.jboss.org/browse/ELY-341
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: KeyStores
> Reporter: David Lloyd
> Assignee: Pedro Igor
> Fix For: 1.2.0.Beta1
>
>
> We should add support for PEM formats for formats including (but not limited to):
> * X.509 Certificate
> * CSRs
> * CRLs
> * RSA and DSA Public and Private Keys
> * PKCS8 format Private Keys
> * DH parameters
> * ECDSA Public Key
> * EC Private Key
> * EC Parameters
> This API could be consumed by various utilities or by custom credential storage implementations.
[JBoss JIRA] (ELY-422) Default SSLContext?
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-422?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse updated ELY-422:
---------------------------------
Fix Version/s: 1.2.0.Beta1
(was: 1.1.0.CR2)
> Default SSLContext?
> -------------------
>
> Key: ELY-422
> URL: https://issues.jboss.org/browse/ELY-422
> Project: WildFly Elytron
> Issue Type: Task
> Components: SSL
> Reporter: Darran Lofthouse
> Fix For: 1.2.0.Beta1
>
>
> We know we want one; what we don't know is exactly what it means and whether it is an Elytron concern or subsystem concern.
> One issue is within Elytron our SSLContext implementations are either server side specific or client side specific - we may even want to review if there is any way to review what it is being used for and act accordingly.
[JBoss JIRA] (ELY-415) Eliminate RuntimeExceptions thrown from SecurityRealm implementations.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-415?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse resolved ELY-415.
----------------------------------
Resolution: Rejected
> Eliminate RuntimeExceptions thrown from SecurityRealm implementations.
> ----------------------------------------------------------------------
>
> Key: ELY-415
> URL: https://issues.jboss.org/browse/ELY-415
> Project: WildFly Elytron
> Issue Type: Task
> Components: Realms
> Reporter: Darran Lofthouse
> Priority: Critical
> Fix For: 1.1.0.CR2
>
>
> Where a realm is temporarily unavailable we have the RealmUnavailableException - in other cases however our API generally requires that null or empty representations are returned when identities can not be loaded or validation.
> In a few cases RuntimeExceptions have crept into the implementations; we need to eliminate these as any code written according to the API and not expecting them risks breaking for unexpected RuntimeExceptions.
> Each method on the API should also be double checked to ensure it clearly documents what should happen if it can not return the desired result.
[JBoss JIRA] (ELY-415) Eliminate RuntimeExceptions thrown from SecurityRealm implementations.
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-415?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse reopened ELY-415:
----------------------------------
> Eliminate RuntimeExceptions thrown from SecurityRealm implementations.
> ----------------------------------------------------------------------
>
> Key: ELY-415
> URL: https://issues.jboss.org/browse/ELY-415
> Project: WildFly Elytron
> Issue Type: Task
> Components: Realms
> Reporter: Darran Lofthouse
> Priority: Critical
> Fix For: 1.1.0.CR2
>
>
> Where a realm is temporarily unavailable we have the RealmUnavailableException - in other cases however our API generally requires that null or empty representations are returned when identities can not be loaded or validation.
> In a few cases RuntimeExceptions have crept into the implementations; we need to eliminate these as any code written according to the API and not expecting them risks breaking for unexpected RuntimeExceptions.
> Each method on the API should also be double checked to ensure it clearly documents what should happen if it can not return the desired result.