[JBoss JIRA] (WFLY-8295) Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
by Martin Choma (JIRA)
[ https://issues.jboss.org/browse/WFLY-8295?page=com.atlassian.jira.plugin.... ]
Martin Choma updated WFLY-8295:
-------------------------------
Steps to Reproduce:
* On IBM Java
* Follow https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildF...
* When adding the kerberos-security-factory, add the obtain-kerberos-ticket = true option
{code}
/subsystem=elytron/kerberos-security-factory=krbSF:add( \
principal="HTTP/host@REALM", \
path="/path/to/http.keytab", \
obtain-kerberos-ticket="true", \
mechanism-oids=[ \
1.2.840.113554.1.2.2, \
1.3.6.1.5.5.2 \
] \
)
{code}
was:
* On IBM Java
* Follow https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_en...
* In step 2.4.1.1, when adding the kerberos-security-factory, add the obtain-kerberos-ticket = true option
{code}
/subsystem=elytron/kerberos-security-factory=krbSF:add( \
principal="HTTP/host@REALM", \
path="/path/to/http.keytab", \
obtain-kerberos-ticket="true", \
mechanism-oids=[ \
1.2.840.113554.1.2.2, \
1.3.6.1.5.5.2 \
] \
)
{code}
> Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
> ----------------------------------------------------------------------------------------
>
> Key: WFLY-8295
> URL: https://issues.jboss.org/browse/WFLY-8295
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: ibm-java, kerberos
>
> On IBM Java, when obtain-kerberos-ticket is set to true the user always gets
> {code}
> javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
> {code}
> According to the IBM documentation [1], credsType=initiator and useKeytab are really incompatible.
> This constraint can't be avoided once obtain-kerberos-ticket = true, because the keytab path is required in the model.
> {code}
> "path" => {
> "type" => STRING,
> "description" => "The path of the KeyTab to load to obtain the credential.",
> "attribute-group" => "file",
> "expressions-allowed" => true,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "resource-services"
> },
> {code}
> And the keytab is always set in the Kerberos login module options
> {code:title=GSSCredentialSecurityFactory.java}
> if (IS_IBM) {
> options.put("noAddress", "true");
> options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
> options.put("useKeytab", keyTab.toURI().toURL().toString());
> }
> {code}
> [1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.sec...
> I am not setting this to blocker just because I am not sure about the importance of obtain-kerberos-ticket. See my question JBEAP-9292.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
7 years, 7 months
[JBoss JIRA] (WFLY-8295) Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
by Martin Choma (JIRA)
Martin Choma created WFLY-8295:
----------------------------------
Summary: Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
Key: WFLY-8295
URL: https://issues.jboss.org/browse/WFLY-8295
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
On IBM Java, when obtain-kerberos-ticket is set to true the user always gets
{code}
javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
{code}
According to the IBM documentation [1], credsType=initiator and useKeytab are really incompatible.
This constraint can't be avoided once obtain-kerberos-ticket = true, because the keytab path is required in the model.
{code}
"path" => {
"type" => STRING,
"description" => "The path of the KeyTab to load to obtain the credential.",
"attribute-group" => "file",
"expressions-allowed" => true,
"required" => true,
"nillable" => false,
"min-length" => 1L,
"max-length" => 2147483647L,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "resource-services"
},
{code}
And the keytab is always set in the Kerberos login module options
{code:title=GSSCredentialSecurityFactory.java}
if (IS_IBM) {
options.put("noAddress", "true");
options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
options.put("useKeytab", keyTab.toURI().toURL().toString());
}
{code}
[1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.sec...
I am not setting this to blocker just because I am not sure about the importance of obtain-kerberos-ticket. See my question JBEAP-9292.
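The following is an added example, not WildFly/Elytron code: it reproduces the IBM branch of the option-building logic quoted from GSSCredentialSecurityFactory and adds a pre-flight check for the documented IBM constraint, so a kerberos-security-factory that would hit the "credsType and keytab values are not compatible" LoginException is flagged with a clear message before any login is attempted. The keytab path is the placeholder from the issue and is never opened.

```java
import java.io.File;
import java.net.MalformedURLException;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not project code). Mirrors the IBM option map built by the
 * quoted GSSCredentialSecurityFactory snippet and checks it against the IBM
 * rule that credsType=initiator cannot be combined with useKeytab.
 */
public class IbmKrb5OptionsCheck {

    /** Builds the IBM Krb5LoginModule options exactly as the quoted snippet does. */
    static Map<String, String> buildIbmOptions(boolean isServer, boolean obtainKerberosTicket,
                                               File keyTab) throws MalformedURLException {
        Map<String, String> options = new LinkedHashMap<>();
        options.put("noAddress", "true");
        // obtain-kerberos-ticket=true forces "initiator" even for a server-side factory
        options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
        // "path" is a required model attribute, so useKeytab is always present
        options.put("useKeytab", keyTab.toURI().toURL().toString());
        return options;
    }

    /**
     * Returns null when the options are acceptable on IBM Java, otherwise a
     * description of the clash the IBM documentation warns about.
     */
    static String ibmIncompatibility(Map<String, String> options) {
        boolean initiator = "initiator".equals(options.get("credsType"));
        boolean keytab = options.containsKey("useKeytab");
        if (initiator && keytab) {
            return "credsType=initiator and useKeytab are not compatible";
        }
        return null;
    }

    public static void main(String[] args) throws MalformedURLException {
        File keyTab = new File("/path/to/http.keytab"); // placeholder path from the issue
        boolean[] flags = {false, true};
        for (boolean isServer : flags) {
            for (boolean obtain : flags) {
                Map<String, String> opts = buildIbmOptions(isServer, obtain, keyTab);
                String problem = ibmIncompatibility(opts);
                System.out.printf("isServer=%-5b obtain-kerberos-ticket=%-5b credsType=%-9s -> %s%n",
                        isServer, obtain, opts.get("credsType"),
                        problem == null ? "ok" : "REJECT: " + problem);
            }
        }
        // Only isServer=true with obtain-kerberos-ticket=false yields "acceptor" and passes;
        // every combination with obtain-kerberos-ticket=true is rejected, matching the report.
    }
}
```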
[JBoss JIRA] (WFLY-8294) credential-reference must have defined combinations of constraints
by Hynek Švábek (JIRA)
Hynek Švábek created WFLY-8294:
----------------------------------
Summary: credential-reference must have defined combinations of constraints
Key: WFLY-8294
URL: https://issues.jboss.org/browse/WFLY-8294
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Hynek Švábek
Assignee: Darran Lofthouse
credential-reference must have defined these combinations of constraints:
requires constraint:
alias "requires" [store],
store "requires" [alias]
alternatives constraint:
clear-text "alternatives" [store]
store "alternatives" [clear-text]
optional: type
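As an added example (not WildFly code), the constraints listed in WFLY-8294 above expressed as a validator for a credential-reference value: alias and store require each other, clear-text and store are alternatives, and type is unconstrained. The attribute map is a constructed stand-in for the model node.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not project code). Checks a credential-reference attribute map
 * against the requires/alternatives constraints listed in the issue.
 */
public class CredentialReferenceCheck {

    /** Returns the violated constraints; an empty list means the reference is valid. */
    static List<String> validate(Map<String, String> ref) {
        List<String> violations = new ArrayList<>();
        boolean alias = ref.get("alias") != null;
        boolean store = ref.get("store") != null;
        boolean clearText = ref.get("clear-text") != null;

        // "requires" constraints: each of alias and store needs the other
        if (alias && !store) violations.add("alias requires store");
        if (store && !alias) violations.add("store requires alias");
        // "alternatives" constraint: clear-text and store are mutually exclusive
        if (clearText && store) violations.add("clear-text and store are alternatives");
        // "type" is optional, so it is never checked here
        return violations;
    }

    /** Small helper to build a constructed attribute map from key/value pairs. */
    static Map<String, String> ref(String... kv) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }

    public static void main(String[] args) {
        Map<String, Map<String, String>> samples = new LinkedHashMap<>();
        samples.put("store + alias", ref("store", "my-cs", "alias", "db-password"));
        // valid per the constraints, but the password sits in plain text in the model
        samples.put("clear-text only", ref("clear-text", "s3cr3t"));
        samples.put("store + alias + clear-text",
                ref("store", "my-cs", "alias", "db-password", "clear-text", "s3cr3t"));
        samples.put("alias only", ref("alias", "db-password"));
        samples.put("store only", ref("store", "my-cs"));
        for (Map.Entry<String, Map<String, String>> e : samples.entrySet()) {
            List<String> v = validate(e.getValue());
            System.out.println(e.getKey() + " -> " + (v.isEmpty() ? "valid" : v));
        }
    }
}
```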
[JBoss JIRA] (WFLY-8293) Changing Elytron default-authentication-context with allow-resource-service-restart ends in reload-required state
by Ondrej Lukas (JIRA)
Ondrej Lukas created WFLY-8293:
----------------------------------
Summary: Changing Elytron default-authentication-context with allow-resource-service-restart ends in reload-required state
Key: WFLY-8293
URL: https://issues.jboss.org/browse/WFLY-8293
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
If I try to change the Elytron default-authentication-context with the header {{allow-resource-service-restart=true}}, the server ends in the reload-required state.
{code}
/subsystem=elytron/authentication-context=auth-context:add()
/subsystem=elytron:write-attribute(name=default-authentication-context,value=auth-context){allow-resource-service-restart=true}
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
{code}
Using the header allow-resource-service-restart=true should restart the necessary services.
It seems to be caused by {{"restart-required" => "no-services"}} for the {{default-authentication-context}} attribute of the Elytron subsystem. See:
{code}
/subsystem=elytron:read-resource-description(recursive=false)
{
...
"default-authentication-context" => {
"type" => STRING,
"description" => "The default authentication context to be associated with all deployments.",
"expressions-allowed" => false,
"required" => false,
"nillable" => true,
"capability-reference" => "org.wildfly.security.authentication-context",
"min-length" => 1L,
"max-length" => 2147483647L,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "no-services"
},
...
}
{code}
[JBoss JIRA] (WFLY-8228) Servlet server distribution fails to work with Elytron - NoClassDefFoundError
by Ingo Weiss (JIRA)
[ https://issues.jboss.org/browse/WFLY-8228?page=com.atlassian.jira.plugin.... ]
Ingo Weiss updated WFLY-8228:
-----------------------------
Original Estimate: 1 day
Remaining Estimate: 1 day
> Servlet server distribution fails to work with Elytron - NoClassDefFoundError
> -----------------------------------------------------------------------------
>
> Key: WFLY-8228
> URL: https://issues.jboss.org/browse/WFLY-8228
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Josef Cacek
> Assignee: Ingo Weiss
> Priority: Blocker
> Original Estimate: 1 day
> Remaining Estimate: 1 day
>
> Elytron uses {{javax.json.Json}} to format audit events (e.g. authentication). The {{javax.json}} is not part of the servlet distribution, so the usage of Elytron fails.
> Sample output:
> {code}
> 17:08:20,394 ERROR [io.undertow.request] (default task-8) UT005023: Exception handling request to /form-auth/restricted/j_security_check: java.lang.NoClassDefFoundError: javax/json/Json
> at org.wildfly.security.audit.JsonSecurityEventFormatter.handlePermissionCheckEvent(JsonSecurityEventFormatter.java:91)
> at org.wildfly.security.audit.JsonSecurityEventFormatter.handlePermissionCheckEvent(JsonSecurityEventFormatter.java:42)
> at org.wildfly.security.auth.server.event.SecurityEventVisitor.handlePermissionCheckSuccessfulEvent(SecurityEventVisitor.java:104)
> at org.wildfly.security.auth.server.event.SecurityPermissionCheckSuccessfulEvent.accept(SecurityPermissionCheckSuccessfulEvent.java:43)
> at org.wildfly.extension.elytron.AuditResourceDefinitions$1.lambda$null$1(AuditResourceDefinitions.java:156)
> at org.wildfly.security.audit.AuditLogger.accept(AuditLogger.java:56)
> at org.wildfly.security.audit.AuditLogger.accept(AuditLogger.java:35)
> at org.wildfly.security.auth.server.SecurityDomain.handleSecurityEvent(SecurityDomain.java:588)
> at org.wildfly.security.auth.server.SecurityDomain.safeHandleSecurityEvent(SecurityDomain.java:595)
> at org.wildfly.security.auth.server.SecurityIdentity.implies(SecurityIdentity.java:684)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.doAuthorization(ServerAuthenticationContext.java:1727)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.authorize(ServerAuthenticationContext.java:1697)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:450)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:446)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:929)
> at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:728)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
> at org.wildfly.security.http.impl.FormAuthenticationMechanism.authorize(FormAuthenticationMechanism.java:215)
> at org.wildfly.security.http.impl.FormAuthenticationMechanism.attemptAuthentication(FormAuthenticationMechanism.java:172)
> at org.wildfly.security.http.impl.FormAuthenticationMechanism.evaluateRequest(FormAuthenticationMechanism.java:105)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:110)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:84)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:46)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1702)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1702)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> {code}
[JBoss JIRA] (WFLY-7496) Non complete resource description
by Stuart Douglas (JIRA)
[ https://issues.jboss.org/browse/WFLY-7496?page=com.atlassian.jira.plugin.... ]
Stuart Douglas reopened WFLY-7496:
----------------------------------
> Non complete resource description
> ---------------------------------
>
> Key: WFLY-7496
> URL: https://issues.jboss.org/browse/WFLY-7496
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Reporter: Stuart Douglas
> Assignee: Stuart Douglas
> Fix For: 11.0.0.Alpha1
>
>
> Missing time unit
> {noformat}
> "session-timeout" => {
> "type" => INT,
> "description" => "The session timeout for sessions that are owned by crawlers",
> "expressions-allowed" => true,
> "nillable" => true,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "all-services"
> },
> "timeout" => {
> "type" => INT,
> "description" => "The request timeout",
> "expressions-allowed" => false,
> "nillable" => true,
> "access-type" => "read-only",
> "storage" => "runtime"
> "connection-idle-timeout" => {
> "type" => INT,
> "description" => "The amount of time a connection can be idle before it will be closed. Connections will not time out once the pool size is down to the configured minimum (as configured by cached-connections-per-thread)",
> "expressions-allowed" => true,
> "nillable" => true,
> "default" => 60L,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> "max-request-time" => {
> "type" => INT,
> "description" => "The maximum time that a proxy request can be active for, before being killed. Defaults to unlimited",
> "expressions-allowed" => true,
> "nillable" => true,
> "default" => -1,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "no-services"
> {noformat}
> Description not fully understandable
> {noformat}
> "require-host-http11" => {
> "type" => BOOLEAN,
> "description" => "Require the Host header when using the HTTP/1.1 protocol",
> "expressions-allowed" => true,
> "nillable" => true,
> "default" => false,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "all-services"
> },
> "proxy-address-forwarding" => {
> "type" => BOOLEAN,
> "description" => "enables x-forwarded-host and similar headers and set a remote ip address and hostname",
> "expressions-allowed" => true,
> "nillable" => true,
> "default" => false,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "resource-services"
> {noformat}
> Name X Description
> {noformat}
> "disabled" => {
> "type" => BOOLEAN,
> "description" => "Enable the JSP container.",
> "expressions-allowed" => true,
> "nillable" => true,
> "default" => false,
> "access-type" => "read-write",
> "storage" => "configuration",
> "restart-required" => "all-services"
> {noformat}
[JBoss JIRA] (WFLY-8291) Mod_cluster operation descriptions only refer to Apache httpd
by Radoslav Husar (JIRA)
[ https://issues.jboss.org/browse/WFLY-8291?page=com.atlassian.jira.plugin.... ]
Radoslav Husar moved JBEAP-9304 to WFLY-8291:
---------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-8291 (was: JBEAP-9304)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: mod_cluster
(was: mod_cluster)
Affects Version/s: (was: 7.1.0.DR10)
> Mod_cluster operation descriptions only refer to Apache httpd
> -------------------------------------------------------------
>
> Key: WFLY-8291
> URL: https://issues.jboss.org/browse/WFLY-8291
> Project: WildFly
> Issue Type: Bug
> Components: mod_cluster
> Reporter: Radoslav Husar
> Assignee: Radoslav Husar
> Priority: Minor
>
> Please repair the descriptions of the following operations as they are outdated; the Undertow proxy
> is able to process these messages.
> {noformat}
> {
> "outcome" => "success",
> "result" => {
> "operation-name" => "disable",
> "description" => "Tell Apache httpd that all contexts of the node can't process new requests.",
> "request-properties" => {},
> "reply-properties" => {},
> "read-only" => false,
> "runtime-only" => true
> }
> }
> {noformat}
> {noformat}
> {
> "outcome" => "success",
> "result" => {
> "operation-name" => "disable-context",
> "description" => "Tell Apache httpd that the context can't process new requests.",
> "request-properties" => {
> "virtualhost" => {
> "type" => STRING,
> "description" => "virtual host",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "context" => {
> "type" => STRING,
> "description" => "context",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "reply-properties" => {},
> "read-only" => false,
> "runtime-only" => true
> }
> }
> {noformat}
> {noformat}
> {
> "outcome" => "success",
> "result" => {
> "operation-name" => "enable",
> "description" => "Tell Apache httpd that all contexts of the node are ready receive requests.",
> "request-properties" => {},
> "reply-properties" => {},
> "read-only" => false,
> "runtime-only" => true
> }
> }
> {noformat}
> {noformat}
> {
> "outcome" => "success",
> "result" => {
> "operation-name" => "enable-context",
> "description" => "Tell Apache httpd that the context is ready receive requests.",
> "request-properties" => {
> "virtualhost" => {
> "type" => STRING,
> "description" => "Virtual host",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "context" => {
> "type" => STRING,
> "description" => "Context",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> }
> },
> "reply-properties" => {},
> "read-only" => false,
> "runtime-only" => true
> }
> }
> {noformat}
> {noformat}
> {
> "outcome" => "success",
> "result" => {
> "operation-name" => "stop",
> "description" => "Tell Apache httpd that all contexts of the node can't process requests.",
> "request-properties" => {"waittime" => {
> "type" => INT,
> "description" => "wait timeout",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "default" => 10,
> "unit" => "SECONDS"
> }},
> "reply-properties" => {},
> "read-only" => false,
> "runtime-only" => true
> }
> }
> {noformat}
> {noformat}
> {
> "outcome" => "success",
> "result" => {
> "operation-name" => "stop-context",
> "description" => "Tell Apache httpd that the context can't process requests.",
> "request-properties" => {
> "virtualhost" => {
> "type" => STRING,
> "description" => "Virtual host",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "context" => {
> "type" => STRING,
> "description" => "Context",
> "expressions-allowed" => false,
> "required" => true,
> "nillable" => false,
> "min-length" => 1L,
> "max-length" => 2147483647L
> },
> "waittime" => {
> "type" => INT,
> "description" => "wait timeout",
> "expressions-allowed" => false,
> "required" => false,
> "nillable" => true,
> "default" => 10,
> "unit" => "SECONDS"
> }
> },
> "reply-properties" => {},
> "read-only" => false,
> "runtime-only" => true
> }
> }
> {noformat}