[JBoss JIRA] (ELY-1444) Jdbc-realm with simple digest mapper
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1444?page=com.atlassian.jira.plugin.s... ]
Martin Choma commented on ELY-1444:
-----------------------------------
In DB there should be stored byte hash encoded with base64, e.g XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=
plain: password
hex form: 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
encoded byte array: XohImNooBHFR0OVvjcYpJ3NgPQ1qq73WKhHvch0VQtg=
{code:java}
// #1 approach
byte[] preDigested = CodePointIterator.ofString(hexDigest).hexDecode().drain();
// #2 approach
PasswordFactory factory = PasswordFactory.getInstance(algorithmName);
EncryptablePasswordSpec encryptableSpec = new EncryptablePasswordSpec(password, null);
SimpleDigestPassword simplePassword = (SimpleDigestPassword) factory.generatePassword(encryptableSpec);
Encoder encoder = Base64.getEncoder();
System.out.println(encoder.encodeToString( simplePassword.getDigest()));
System.out.println(encoder.encodeToString( preDigested ));
{code}
> Jdbc-realm with simple digest mapper
> ------------------------------------
>
> Key: ELY-1444
> URL: https://issues.jboss.org/browse/ELY-1444
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Passwords
> Affects Versions: 1.2.0.Beta9
> Reporter: Martin Choma
>
> This is inspired by ELY-1435, but in this case trying simple digest hash.
> In db is stored this sha-256 password hash: 5E884898DA28047151D0E56F8DC6292773603D0D6AABBDD62A11EF721D1542D8
> I get these values by http://passwordsgenerator.net/sha256-hash-generator/
> {noformat}
> 17:30:50,211 DEBUG [org.wildfly.security] (default task-3) Using UsernamePasswordAuthenticationMechanism for username authentication. Realm: [Some Realm], Username: [correctUser].
> 17:30:50,211 TRACE [org.wildfly.security] (default task-3) Handling RealmCallback: selected = [Some Realm]
> 17:30:50,212 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
> 17:30:50,212 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
> 17:30:50,215 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD FROM USERS WHERE NAME = ? with value correctUser
> 17:30:50,301 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
> 17:30:50,306 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD FROM USERS WHERE NAME = ? with value correctUser
> 17:30:50,324 DEBUG [org.wildfly.security] (default task-3) User correctUser authentication failed.
> 17:30:50,324 TRACE [org.wildfly.security] (default task-3) Handling AuthenticationCompleteCallback: fail
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1443) Jdbc-realm with scram mapper and empty password
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1443?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1443:
------------------------------
Description:
This is follow up on ELY-1435, but in this case trying scram hash.
In DB there is
{noformat}
Salt: c2FsdA==
Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
Salt: 1000
{noformat}
I get these values by
{code:java|name=ScramDigestPasswordTest.java}
digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
assertTrue(impl.verify("password".toCharArray()));
assertFalse(impl.verify("bad".toCharArray()));
Encoder encoder = Base64.getEncoder();
String elytronSalt = encoder.encodeToString( impl.getSalt() );
String elytronHash = encoder.encodeToString( impl.getDigest() );
int itertationCount = impl.getIterationCount();
{code}
When user provides empty password "", there is error.
{noformat}
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
at org.wildfly.security.credential.Credential.verify(Credential.java:79)
at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
{noformat}
was:
This is follow up on ELY-1435, but in this case trying scram hash.
In DB there is
Salt: c2FsdA==
Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
Salt: 1000
I get these values by
{code:java|name=ScramDigestPasswordTest.java}
digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
assertTrue(impl.verify("password".toCharArray()));
assertFalse(impl.verify("bad".toCharArray()));
Encoder encoder = Base64.getEncoder();
String elytronSalt = encoder.encodeToString( impl.getSalt() );
String elytronHash = encoder.encodeToString( impl.getDigest() );
int itertationCount = impl.getIterationCount();
{code}
When user provides empty password "", there is error.
{noformat}
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
at org.wildfly.security.credential.Credential.verify(Credential.java:79)
at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
{noformat}
> Jdbc-realm with scram mapper and empty password
> -----------------------------------------------
>
> Key: ELY-1443
> URL: https://issues.jboss.org/browse/ELY-1443
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Passwords
> Affects Versions: 1.2.0.Beta9
> Reporter: Martin Choma
> Assignee: David Lloyd
>
> This is follow up on ELY-1435, but in this case trying scram hash.
> In DB there is
> {noformat}
> Salt: c2FsdA==
> Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
> Salt: 1000
> {noformat}
> I get these values by
> {code:java|name=ScramDigestPasswordTest.java}
> digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
> assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
> spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
> impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
> assertTrue(impl.verify("password".toCharArray()));
> assertFalse(impl.verify("bad".toCharArray()));
> Encoder encoder = Base64.getEncoder();
> String elytronSalt = encoder.encodeToString( impl.getSalt() );
> String elytronHash = encoder.encodeToString( impl.getDigest() );
> int itertationCount = impl.getIterationCount();
> {code}
> When user provides empty password "", there is error.
> {noformat}
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
> 17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
> 17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
> at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
> at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
> at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
> at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
> at org.wildfly.security.credential.Credential.verify(Credential.java:79)
> at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
> at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1443) Jdbc-realm with scram mapper and empty password
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1443?page=com.atlassian.jira.plugin.s... ]
Martin Choma edited comment on ELY-1443 at 11/14/17 3:22 AM:
-------------------------------------------------------------
You are right, this issue is just about case when user provided password is empty "". Null is handled properly.
Also do you think it is possible to add some TRACE logging into ScramDigestPasswordImpl for troubleshooting purposes? To see what is going on and which part suceeded, but don't leak any sensitive information on the other hand.
was (Author: mchoma):
You are right, this issue is just about case when user provided password is empty "". Null is handled properly.
Do you think it is possible to add some TRACE logging into ScramDigestPasswordImpl for troubleshooting purposes? To see what is going on and which part suceeded, but don't leak any sensitive information on the other hand.
> Jdbc-realm with scram mapper and empty password
> -----------------------------------------------
>
> Key: ELY-1443
> URL: https://issues.jboss.org/browse/ELY-1443
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Passwords
> Affects Versions: 1.2.0.Beta9
> Reporter: Martin Choma
> Assignee: David Lloyd
>
> This is follow up on ELY-1435, but in this case trying scram hash.
> In DB there is
> Salt: c2FsdA==
> Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
> Salt: 1000
> I get these values by
> {code:java|name=ScramDigestPasswordTest.java}
> digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
> assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
> spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
> impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
> assertTrue(impl.verify("password".toCharArray()));
> assertFalse(impl.verify("bad".toCharArray()));
> Encoder encoder = Base64.getEncoder();
> String elytronSalt = encoder.encodeToString( impl.getSalt() );
> String elytronHash = encoder.encodeToString( impl.getDigest() );
> int itertationCount = impl.getIterationCount();
> {code}
> When user provides empty password "", there is error.
> {noformat}
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
> 17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
> 17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
> at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
> at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
> at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
> at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
> at org.wildfly.security.credential.Credential.verify(Credential.java:79)
> at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
> at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1443) Jdbc-realm with scram mapper and empty password
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1443?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1443:
------------------------------
Description:
This is follow up on ELY-1435, but in this case trying scram hash.
In DB there is
Salt: c2FsdA==
Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
Salt: 1000
I get these values by
{code:java|name=ScramDigestPasswordTest.java}
digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
assertTrue(impl.verify("password".toCharArray()));
assertFalse(impl.verify("bad".toCharArray()));
Encoder encoder = Base64.getEncoder();
String elytronSalt = encoder.encodeToString( impl.getSalt() );
String elytronHash = encoder.encodeToString( impl.getDigest() );
int itertationCount = impl.getIterationCount();
{code}
When user provides empty password "", there is error.
{noformat}
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
at org.wildfly.security.credential.Credential.verify(Credential.java:79)
at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
{noformat}
was:
This is follow up on ELY-1435, but in this case trying scram hash.
Salt: c2FsdA==
Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
Salt: 1000
I get these values by
{code:java|name=ScramDigestPasswordTest.java}
digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
assertTrue(impl.verify("password".toCharArray()));
assertFalse(impl.verify("bad".toCharArray()));
Encoder encoder = Base64.getEncoder();
String elytronSalt = encoder.encodeToString( impl.getSalt() );
String elytronHash = encoder.encodeToString( impl.getDigest() );
int itertationCount = impl.getIterationCount();
{code}
When user provides empty password, there is error.
{noformat}
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
at org.wildfly.security.credential.Credential.verify(Credential.java:79)
at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
{noformat}
> Jdbc-realm with scram mapper and empty password
> -----------------------------------------------
>
> Key: ELY-1443
> URL: https://issues.jboss.org/browse/ELY-1443
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Passwords
> Affects Versions: 1.2.0.Beta9
> Reporter: Martin Choma
> Assignee: David Lloyd
>
> This is follow up on ELY-1435, but in this case trying scram hash.
> In DB there is
> Salt: c2FsdA==
> Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
> Salt: 1000
> I get these values by
> {code:java|name=ScramDigestPasswordTest.java}
> digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
> assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
> spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
> impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
> assertTrue(impl.verify("password".toCharArray()));
> assertFalse(impl.verify("bad".toCharArray()));
> Encoder encoder = Base64.getEncoder();
> String elytronSalt = encoder.encodeToString( impl.getSalt() );
> String elytronHash = encoder.encodeToString( impl.getDigest() );
> int itertationCount = impl.getIterationCount();
> {code}
> When user provides empty password "", there is error.
> {noformat}
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
> 17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
> 17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
> at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
> at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
> at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
> at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
> at org.wildfly.security.credential.Credential.verify(Credential.java:79)
> at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
> at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1443) Jdbc-realm with scram mapper and empty password
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1443?page=com.atlassian.jira.plugin.s... ]
Martin Choma commented on ELY-1443:
-----------------------------------
You are right, this issue is just about case when user provided password is empty "". Null is handled properly.
Do you think it is possible to add some TRACE logging into ScramDigestPasswordImpl for troubleshooting purposes? To see what is going on and which part suceeded, but don't leak any sensitive information on the other hand.
> Jdbc-realm with scram mapper and empty password
> -----------------------------------------------
>
> Key: ELY-1443
> URL: https://issues.jboss.org/browse/ELY-1443
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Passwords
> Affects Versions: 1.2.0.Beta9
> Reporter: Martin Choma
> Assignee: David Lloyd
>
> This is follow up on ELY-1435, but in this case trying scram hash.
> Salt: c2FsdA==
> Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
> Salt: 1000
> I get these values by
> {code:java|name=ScramDigestPasswordTest.java}
> digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
> assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
> spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
> impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
> assertTrue(impl.verify("password".toCharArray()));
> assertFalse(impl.verify("bad".toCharArray()));
> Encoder encoder = Base64.getEncoder();
> String elytronSalt = encoder.encodeToString( impl.getSalt() );
> String elytronHash = encoder.encodeToString( impl.getDigest() );
> int itertationCount = impl.getIterationCount();
> {code}
> When user provides empty password, there is error.
> {noformat}
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
> 17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
> 17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
> at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
> at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
> at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
> at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
> at org.wildfly.security.credential.Credential.verify(Credential.java:79)
> at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
> at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3417) JmxControlledStateNotificationsTestCase fails with security manager with IBM JDK in WF core
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3417?page=com.atlassian.jira.plugi... ]
Ondrej Lukas updated WFCORE-3417:
---------------------------------
Affects Version/s: 4.0.0.Alpha2
> JmxControlledStateNotificationsTestCase fails with security manager with IBM JDK in WF core
> -------------------------------------------------------------------------------------------
>
> Key: WFCORE-3417
> URL: https://issues.jboss.org/browse/WFCORE-3417
> Project: WildFly Core
> Issue Type: Bug
> Components: Test Suite
> Affects Versions: 4.0.0.Alpha2
> Reporter: Ondrej Lukas
> Assignee: Tomaz Cerar
>
> *org.jboss.as.test.integration.domain.events.JmxControlledStateNotificationsTestCase*
> {code}
> cd testsuite/domain/
> mvn test -DtestLogToFile=false -Dtest=JmxControlledStateNotificationsTestCase -Dsecurity.manager
> {code}
> fails on IBM JDK with:
> {code}
> java.lang.AssertionError: {"outcome" => "failed","result" => undefined,"failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {"main-server-group" => {"host" => {"master" => {"main-one" => {"WFLYCTL0080: Failed services" => {"test.deployment.jmx" => "java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")"}}}}}}}},"rolled-back" => true,"server-groups" => {"main-server-group" => {"host" => {"master" => {"main-one" => {"response" => {"outcome" => "failed","failure-description" => {"WFLYCTL0080: Failed services" => {"test.deployment.jmx" => "java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")"}},"rolled-back" => true}}}}}}}
> at org.junit.Assert.fail(Assert.java:88)
> at org.jboss.as.test.integration.management.rbac.RbacUtil.checkOperationResult(RbacUtil.java:115)
> at org.jboss.as.test.integration.management.rbac.RbacUtil.executeOperation(RbacUtil.java:100)
> at org.wildfly.test.jmx.JMXListenerDeploymentSetupTask.setup(JMXListenerDeploymentSetupTask.java:75)
> at org.jboss.as.test.integration.domain.events.JmxControlledStateNotificationsTestCase.setupClass(JmxControlledStateNotificationsTestCase.java:86)
> {code}
> Moreover it causes that all following test cases will fail.
> It seems it is caused by [1] which configures different Path for IBM JDK, but this is not covered in permissions for deployment created in [2].
> [1] https://github.com/wildfly/wildfly-core/blob/8b28abb588dd7d9d51e662011180...
> [2] https://github.com/wildfly/wildfly-core/blob/8b28abb588dd7d9d51e662011180...
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3417) JmxControlledStateNotificationsTestCase fails with security manager with IBM JDK in WF core
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/WFCORE-3417?page=com.atlassian.jira.plugi... ]
Ondrej Lukas reassigned WFCORE-3417:
------------------------------------
Assignee: (was: Tomaz Cerar)
> JmxControlledStateNotificationsTestCase fails with security manager with IBM JDK in WF core
> -------------------------------------------------------------------------------------------
>
> Key: WFCORE-3417
> URL: https://issues.jboss.org/browse/WFCORE-3417
> Project: WildFly Core
> Issue Type: Bug
> Components: Test Suite
> Affects Versions: 4.0.0.Alpha2
> Reporter: Ondrej Lukas
>
> *org.jboss.as.test.integration.domain.events.JmxControlledStateNotificationsTestCase*
> {code}
> cd testsuite/domain/
> mvn test -DtestLogToFile=false -Dtest=JmxControlledStateNotificationsTestCase -Dsecurity.manager
> {code}
> fails on IBM JDK with:
> {code}
> java.lang.AssertionError: {"outcome" => "failed","result" => undefined,"failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {"main-server-group" => {"host" => {"master" => {"main-one" => {"WFLYCTL0080: Failed services" => {"test.deployment.jmx" => "java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")"}}}}}}}},"rolled-back" => true,"server-groups" => {"main-server-group" => {"host" => {"master" => {"main-one" => {"response" => {"outcome" => "failed","failure-description" => {"WFLYCTL0080: Failed services" => {"test.deployment.jmx" => "java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")
> Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")"}},"rolled-back" => true}}}}}}}
> at org.junit.Assert.fail(Assert.java:88)
> at org.jboss.as.test.integration.management.rbac.RbacUtil.checkOperationResult(RbacUtil.java:115)
> at org.jboss.as.test.integration.management.rbac.RbacUtil.executeOperation(RbacUtil.java:100)
> at org.wildfly.test.jmx.JMXListenerDeploymentSetupTask.setup(JMXListenerDeploymentSetupTask.java:75)
> at org.jboss.as.test.integration.domain.events.JmxControlledStateNotificationsTestCase.setupClass(JmxControlledStateNotificationsTestCase.java:86)
> {code}
> Moreover it causes that all following test cases will fail.
> It seems it is caused by [1] which configures different Path for IBM JDK, but this is not covered in permissions for deployment created in [2].
> [1] https://github.com/wildfly/wildfly-core/blob/8b28abb588dd7d9d51e662011180...
> [2] https://github.com/wildfly/wildfly-core/blob/8b28abb588dd7d9d51e662011180...
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (WFCORE-3417) JmxControlledStateNotificationsTestCase fails with security manager with IBM JDK in WF core
by Ondrej Lukas (JIRA)
Ondrej Lukas created WFCORE-3417:
------------------------------------
Summary: JmxControlledStateNotificationsTestCase fails with security manager with IBM JDK in WF core
Key: WFCORE-3417
URL: https://issues.jboss.org/browse/WFCORE-3417
Project: WildFly Core
Issue Type: Bug
Components: Test Suite
Reporter: Ondrej Lukas
Assignee: Tomaz Cerar
*org.jboss.as.test.integration.domain.events.JmxControlledStateNotificationsTestCase*
{code}
cd testsuite/domain/
mvn test -DtestLogToFile=false -Dtest=JmxControlledStateNotificationsTestCase -Dsecurity.manager
{code}
fails on IBM JDK with:
{code}
java.lang.AssertionError: {"outcome" => "failed","result" => undefined,"failure-description" => {"WFLYDC0074: Operation failed or was rolled back on all servers. Server failures:" => {"server-group" => {"main-server-group" => {"host" => {"master" => {"main-one" => {"WFLYCTL0080: Failed services" => {"test.deployment.jmx" => "java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")"}}}}}}}},"rolled-back" => true,"server-groups" => {"main-server-group" => {"host" => {"master" => {"main-one" => {"response" => {"outcome" => "failed","failure-description" => {"WFLYCTL0080: Failed services" => {"test.deployment.jmx" => "java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")
Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission \"(\"java.io.FilePermission\" \"/mnt/hudson_workspace/workspace/eap-7x-as-testsuite-test-core-rhel-secman/19de6045/testsuite/domain/target/domains/JmxControlledStateNotificationsTestCase/master\" \"read\")\" in code source \"(vfs:/content/test-jmx-notifications-deployment.jar <no signer certificates>)\" of \"ModuleClassLoader for Module \"deployment.test-jmx-notifications-deployment.jar\" from Service Module Loader\")"}},"rolled-back" => true}}}}}}}
at org.junit.Assert.fail(Assert.java:88)
at org.jboss.as.test.integration.management.rbac.RbacUtil.checkOperationResult(RbacUtil.java:115)
at org.jboss.as.test.integration.management.rbac.RbacUtil.executeOperation(RbacUtil.java:100)
at org.wildfly.test.jmx.JMXListenerDeploymentSetupTask.setup(JMXListenerDeploymentSetupTask.java:75)
at org.jboss.as.test.integration.domain.events.JmxControlledStateNotificationsTestCase.setupClass(JmxControlledStateNotificationsTestCase.java:86)
{code}
Moreover it causes that all following test cases will fail.
It seems it is caused by [1] which configures different Path for IBM JDK, but this is not covered in permissions for deployment created in [2].
[1] https://github.com/wildfly/wildfly-core/blob/8b28abb588dd7d9d51e662011180...
[2] https://github.com/wildfly/wildfly-core/blob/8b28abb588dd7d9d51e662011180...
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1443) Jdbc-realm with scram mapper
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1443?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1443:
------------------------------
Description:
This is follow up on ELY-1435, but in this case trying scram hash.
Salt: c2FsdA==
Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
Salt: 1000
I get these values by
{code:java|name=ScramDigestPasswordTest.java}
digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
assertTrue(impl.verify("password".toCharArray()));
assertFalse(impl.verify("bad".toCharArray()));
Encoder encoder = Base64.getEncoder();
String elytronSalt = encoder.encodeToString( impl.getSalt() );
String elytronHash = encoder.encodeToString( impl.getDigest() );
int itertationCount = impl.getIterationCount();
{code}
When user provides empty password, there is error.
{noformat}
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
at org.wildfly.security.credential.Credential.verify(Credential.java:79)
at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
{noformat}
was:
This is follow up on ELY-1435, but in this case trying scram hash.
Salt: c2FsdA==
Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
Salt: 1000
I get these values by
{code:java|name=ScramDigestPasswordTest.java}
digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
assertTrue(impl.verify("password".toCharArray()));
assertFalse(impl.verify("bad".toCharArray()));
Encoder encoder = Base64.getEncoder();
String elytronSalt = encoder.encodeToString( impl.getSalt() );
String elytronHash = encoder.encodeToString( impl.getDigest() );
int itertationCount = impl.getIterationCount();
{code}
{noformat}
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
at org.wildfly.security.credential.Credential.verify(Credential.java:79)
at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
{noformat}
> Jdbc-realm with scram mapper
> ----------------------------
>
> Key: ELY-1443
> URL: https://issues.jboss.org/browse/ELY-1443
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Passwords
> Affects Versions: 1.2.0.Beta9
> Reporter: Martin Choma
> Assignee: David Lloyd
>
> This is follow up on ELY-1435, but in this case trying scram hash.
> Salt: c2FsdA==
> Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
> Salt: 1000
> I get these values by
> {code:java|name=ScramDigestPasswordTest.java}
> digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
> assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
> spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
> impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
> assertTrue(impl.verify("password".toCharArray()));
> assertFalse(impl.verify("bad".toCharArray()));
> Encoder encoder = Base64.getEncoder();
> String elytronSalt = encoder.encodeToString( impl.getSalt() );
> String elytronHash = encoder.encodeToString( impl.getDigest() );
> int itertationCount = impl.getIterationCount();
> {code}
> When user provides empty password, there is error.
> {noformat}
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
> 17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
> 17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
> at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
> at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
> at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
> at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
> at org.wildfly.security.credential.Credential.verify(Credential.java:79)
> at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
> at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months
[JBoss JIRA] (ELY-1443) Jdbc-realm with scram mapper and empty password
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/ELY-1443?page=com.atlassian.jira.plugin.s... ]
Martin Choma updated ELY-1443:
------------------------------
Summary: Jdbc-realm with scram mapper and empty password (was: Jdbc-realm with scram mapper)
> Jdbc-realm with scram mapper and empty password
> -----------------------------------------------
>
> Key: ELY-1443
> URL: https://issues.jboss.org/browse/ELY-1443
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Passwords
> Affects Versions: 1.2.0.Beta9
> Reporter: Martin Choma
> Assignee: David Lloyd
>
> This is follow up on ELY-1435, but in this case trying scram hash.
> Salt: c2FsdA==
> Password: YywoEuRtRgQQK6dhjp1tfS+BKPYma0oDJk0qBGC33LM=
> Salt: 1000
> I get these values by
> {code:java|name=ScramDigestPasswordTest.java}
> digest = ScramDigestPasswordImpl.scramDigest(ALGORITHM_SCRAM_SHA_256, "password".getBytes(StandardCharsets.UTF_8), "salt".getBytes(StandardCharsets.UTF_8), 1000);
> assertEquals("632c2812e46d4604102ba7618e9d6d7d2f8128f6266b4a03264d2a0460b7dcb3", ByteIterator.ofBytes(digest).hexEncode().drainToString());
> spec = new IteratedSaltedHashPasswordSpec(digest, "salt".getBytes(StandardCharsets.UTF_8), 1000);
> impl = new ScramDigestPasswordImpl(ALGORITHM_SCRAM_SHA_256, spec);
> assertTrue(impl.verify("password".toCharArray()));
> assertFalse(impl.verify("bad".toCharArray()));
> Encoder encoder = Base64.getEncoder();
> String elytronSalt = encoder.encodeToString( impl.getSalt() );
> String elytronHash = encoder.encodeToString( impl.getDigest() );
> int itertationCount = impl.getIterationCount();
> {code}
> When user provides empty password, there is error.
> {noformat}
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Handling NameCallback: authenticationName = correctUser
> 17:05:40,723 TRACE [org.wildfly.security] (default task-3) Principal assigning: [correctUser], pre-realm rewritten: [correctUser], realm name: [jdbc-realm], post-realm rewritten: [correctUser], realm rewritten: [correctUser]
> 17:05:40,727 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,813 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT roles.name FROM users, roles, users_roles WHERE users.name=? AND users.id = users_roles.userid AND roles.id = users_roles.roleid with value correctUser
> 17:05:40,817 TRACE [org.wildfly.security] (default task-3) Executing principalQuery SELECT PASSWORD, SALT, ITERATION FROM USERS WHERE NAME = ? with value correctUser
> 17:05:40,865 ERROR [io.undertow.request] (default task-3) UT005023: Exception handling request to /elytron-app/protected/printRoles: java.lang.IllegalArgumentException: Empty key
> at javax.crypto.spec.SecretKeySpec.<init>(SecretKeySpec.java:96)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.getMacInstance(ScramDigestPasswordImpl.java:281)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.scramDigest(ScramDigestPasswordImpl.java:240)
> at org.wildfly.security.password.impl.ScramDigestPasswordImpl.verify(ScramDigestPasswordImpl.java:195)
> at org.wildfly.security.password.impl.PasswordFactorySpiImpl.engineVerify(PasswordFactorySpiImpl.java:755)
> at org.wildfly.security.password.PasswordFactory.verify(PasswordFactory.java:209)
> at org.wildfly.security.credential.PasswordCredential.verify(PasswordCredential.java:116)
> at org.wildfly.security.credential.Credential.verify(Credential.java:79)
> at org.wildfly.security.auth.realm.jdbc.JdbcSecurityRealm$JdbcRealmIdentity.verifyEvidence(JdbcSecurityRealm.java:199)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1977)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:759)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:992)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:902)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:1052)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:839)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
> at org.wildfly.security.http.impl.UsernamePasswordAuthenticationMechanism.authenticate(UsernamePasswordAuthenticationMechanism.java:76)
> at org.wildfly.security.http.impl.BasicAuthenticationMechanism.evaluateRequest(BasicAuthenticationMechanism.java:152)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:748)
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
8 years, 8 months