MechanismInformationCallback blocks certificate based authn (Undertow with Elytron) ----------------------------------------------------------------------------------- Key: ELY-978 URL: https://issues.jboss.org/browse/ELY-978 Project: WildFly Elytron Issue Type: Bug Components: HTTP Affects Versions: 1.1.0.Beta26 Reporter: Ondrej Kotek Priority: Blocker Labels: authentication, eap71_alpha, http, ssl Attachments: deployment.war, standalone.xml It is not possible to set up authentication based on certificates. Following the community documentation [1,2] to set up 2-way SSL for apps and certificates based auth. Everything works as expected until a client with {{client}} certificate tries to access protected resource that should be accessible. Such resource returns 403 Forbidden instead of 200 OK. Trace log: {noformat} 13:31:15,565 TRACE [org.wildfly.security] (default task-33) Evidence verification: evidence = org.wildfly.security.evidence.X509PeerCertificateChainEvidence@42d7e114 evidencePrincipal = CN=client 13:31:15,566 TRACE [org.wildfly.security] (default task-33) X500 principal [CN=client] decoded as name [client] (attribute values: [client]) 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Principal assigning: [CN=client], pre-realm rewritten: [client], realm name: [ksRealm], post realm rewritten: [client], realm rewritten: [client] 13:31:15,566 TRACE [org.wildfly.security] (default task-33) X500 principal [CN=client] decoded as name [client] (attribute values: [client]) 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Evidence verification succeed for alias [client] 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Role mapping: principal [client] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [Guest, Admin] 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorizing principal client. 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorizing against the following attributes: [] => [] 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Permission mapping: identity [client] with roles [Guest, Admin] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorization succeed 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authentication succeed for principal [CN=client] 13:31:15,573 TRACE [org.wildfly.security] (default task-34) Handling MechanismInformationCallback 13:31:15,574 TRACE [org.wildfly.security] (default task-34) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost', protocol='https'. {noformat} The last message comes from {{ServerAuthenticationContext}} [3]. [1] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#Us... [2] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#Us... [3] https://github.com/wildfly-security/wildfly-elytron/blob/6e4dad322ab04215...