[JBoss JIRA] (WFCORE-2658) Elytron, mechanism-names and mechanism-oids allows duplicate values
by Martin Choma (JIRA)
Martin Choma created WFCORE-2658:
------------------------------------
Summary: Elytron, mechanism-names and mechanism-oids allows duplicate values
Key: WFCORE-2658
URL: https://issues.jboss.org/browse/WFCORE-2658
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
Trying to create kerberos-security-factory specifying KRB5 (1.2.840.113554.1.2.2) mechanism in both mechanism-names and mechanism-oids is succesfull
{code}
[standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=c:add(principal="HTTP/localhost(a)JBOSS.ORG", path="/path/to/keytab", mechanism-names=[KRB5,SPNEGO], mechanism-oids=["1.2.840.113554.1.2.2"])
{"outcome" => "success"}
{code}
However, later that leads to error {{GSSException: Duplicate element found: 1.2.840.113554.1.2.2 usage: Accept}}
{code:title=server.log}
07:32:19,873 TRACE [org.wildfly.security] (default task-1) SPNEGO: org.wildfly.security.http.HttpAuthenticationException: ELY05053: [SPNEGO] Callback handler failed for unknown reason
at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:118)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:97)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1704)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: ELY01156: Cannot obtain a credential from a security factory
at org.wildfly.security.credential.source.CredentialSource$4.getCredential(CredentialSource.java:327)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:858)
at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:730)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$SecurityIdentityCallbackHandler.handle(SecurityIdentityServerMechanismFactory.java:113)
at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:114)
... 37 more
Caused by: java.security.GeneralSecurityException: GSSException: Duplicate element found: 1.2.840.113554.1.2.2 usage: Accept
at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.createGSSCredential(GSSCredentialSecurityFactory.java:302)
at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.lambda$build$0(GSSCredentialSecurityFactory.java:251)
at org.wildfly.security.auth.util.GSSCredentialSecurityFactory.create(GSSCredentialSecurityFactory.java:98)
at org.wildfly.security.auth.util.GSSCredentialSecurityFactory.create(GSSCredentialSecurityFactory.java:60)
at org.wildfly.security.credential.source.CredentialSource$4.getCredential(CredentialSource.java:325)
... 41 more
Caused by: GSSException: Duplicate element found: 1.2.840.113554.1.2.2 usage: Accept
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:419)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:77)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:160)
at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder$1.run(GSSCredentialSecurityFactory.java:291)
at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder$1.run(GSSCredentialSecurityFactory.java:277)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.createGSSCredential(GSSCredentialSecurityFactory.java:277)
... 45 more
{code}
mechanism-names and mechanism-oids attributes should be
* either "deduplicated" - that in result each OID mechanism occures at most once
* or validated - that duplicate values are not configured
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (WFCORE-2657) Elytron, mechanism-names is not checked on defined allowed values.
by Martin Choma (JIRA)
Martin Choma created WFCORE-2657:
------------------------------------
Summary: Elytron, mechanism-names is not checked on defined allowed values.
Key: WFCORE-2657
URL: https://issues.jboss.org/browse/WFCORE-2657
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
Although {{mechanism-names}} attributes model metadata define allowed values. This is not checked and I am allowed to execute this command
{code}
/subsystem=elytron/kerberos-security-factory=c:add(principal="HTTP/localhost", path="/not/exist", mechanism-names=[DOES_NOT_EXIST])
[standalone@localhost:9990 /] /subsystem=elytron/kerberos-security-factory=c:add(principal="HTTP/localhost", path="/not/exist", mechanism-names=[DOES_NOT_EXIST])
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0158: Operation handler failed: java.lang.IllegalArgumentException: GSSException: Improperly formatted Object Identifier String - null",
"rolled-back" => true
}
{code}
{code:title=elytron.model}
"mechanism-names" => {
"type" => LIST,
"description" => "The mechanism names the credential should be usable with. Names will be converted to OIDs and used together with OIDs from mechanism-oids attribute.",
"expressions-allowed" => true,
"required" => false,
"nillable" => true,
"default" => [
"KRB5",
"SPNEGO"
],
"allowed" => [
"KRB5LEGACY",
"GENERIC",
"KRB5",
"KRB5V2",
"SPNEGO"
],
"value-type" => STRING,
"access-type" => "read-write",
"storage" => "configuration",
"restart-required" => "resource-services"
}
{code}
{code:title=server.log}
07:15:56,489 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 4) WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "elytron"),
("kerberos-security-factory" => "c")
]): java.lang.IllegalArgumentException: GSSException: Improperly formatted Object Identifier String - null
at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.lambda$getValueSupplier$1(KerberosSecurityFactoryDefinition.java:172)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at java.util.LinkedList$LLSpliterator.forEachRemaining(LinkedList.java:1235)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
at java.util.stream.StreamSpliterators$WrappingSpliterator.forEachRemaining(StreamSpliterators.java:312)
at java.util.stream.Streams$ConcatSpliterator.forEachRemaining(Streams.java:742)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.getValueSupplier(KerberosSecurityFactoryDefinition.java:174)
at org.wildfly.extension.elytron.TrivialAddHandler.performRuntime(TrivialAddHandler.java:77)
at org.jboss.as.controller.AbstractAddStepHandler$1.execute(AbstractAddStepHandler.java:151)
at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:979)
at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:722)
at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:441)
at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1397)
at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:421)
at org.jboss.as.controller.ModelControllerImpl.lambda$execute$1(ModelControllerImpl.java:243)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:263)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:229)
at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:243)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.doExecute(ModelControllerClientOperationHandler.java:217)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler.access$400(ModelControllerClientOperationHandler.java:137)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:161)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1$1.run(ModelControllerClientOperationHandler.java:157)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:287)
at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:244)
at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:254)
at org.jboss.as.controller.AccessAuditContext.doAs(AccessAuditContext.java:225)
at org.jboss.as.controller.remote.ModelControllerClientOperationHandler$ExecuteRequestHandler$1.execute(ModelControllerClientOperationHandler.java:157)
at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$1.doExecute(ManagementRequestContextImpl.java:70)
at org.jboss.as.protocol.mgmt.ManagementRequestContextImpl$AsyncTaskRunner.run(ManagementRequestContextImpl.java:160)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: GSSException: Improperly formatted Object Identifier String - null
at org.ietf.jgss.Oid.<init>(Oid.java:71)
at org.wildfly.extension.elytron.KerberosSecurityFactoryDefinition$2.lambda$getValueSupplier$1(KerberosSecurityFactoryDefinition.java:170)
... 39 more
{code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (ELY-1072) Add a way to acquire the domain for an identity
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-1072?page=com.atlassian.jira.plugin.s... ]
David Lloyd resolved ELY-1072.
------------------------------
Resolution: Done
> Add a way to acquire the domain for an identity
> -----------------------------------------------
>
> Key: ELY-1072
> URL: https://issues.jboss.org/browse/ELY-1072
> Project: WildFly Elytron
> Issue Type: Enhancement
> Components: API / SPI
> Reporter: David Lloyd
> Assignee: David Lloyd
> Fix For: 1.1.0.Beta36
>
>
> Add a way to get the domain for an identity. The rationale is, users can already acquire the current security domain via a global context-sensitive method, if they have the appropriate SM permission.
> The method could be on SecurityDomain in order to keep it local to the getCurrent() method as its behavior and security requirements are similar.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (ELY-1075) Provide a utility to track and query the principal from a SASL client authentication
by David Lloyd (JIRA)
David Lloyd created ELY-1075:
--------------------------------
Summary: Provide a utility to track and query the principal from a SASL client authentication
Key: ELY-1075
URL: https://issues.jboss.org/browse/ELY-1075
Project: WildFly Elytron
Issue Type: Enhancement
Reporter: David Lloyd
Assignee: David Lloyd
Fix For: 1.1.0.Beta36
The client needs to be able to discover what its authentication principal is. The server does not always share that information. So, we need a way to derive the authentication principal from the authorization ID, callbacks, mechanism, and/or external identity.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (WFCORE-2640) Improve description of Elytron mapped-regex-realm-mapper and simple-regex-realm-mapper
by Ilia Vassilev (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2640?page=com.atlassian.jira.plugi... ]
Ilia Vassilev reassigned WFCORE-2640:
-------------------------------------
Assignee: Ilia Vassilev (was: Darran Lofthouse)
> Improve description of Elytron mapped-regex-realm-mapper and simple-regex-realm-mapper
> --------------------------------------------------------------------------------------
>
> Key: WFCORE-2640
> URL: https://issues.jboss.org/browse/WFCORE-2640
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta13
> Reporter: Ondrej Lukas
> Assignee: Ilia Vassilev
> Labels: user_experience
>
> Description of Elytron {{mapped-regex-realm-mapper}} and {{simple-regex-realm-mapper}} for {{read-resource-description}} operation in JBoss CLI and in {{wildfly-elytron_1_0.xsd}} should be improved. Following information should be provided there for {{mapped-regex-realm-mapper}}:
> * In case when username does not matches pattern and delegate-realm-mapper is used then result of delegate-realm-mapper is mapped through realm-map. Add this information to description of {{delegate-realm-mapper}}.
> * In case when value for mapping is not in the map or in case when realm with name of value in {{to}} from realm-map does exist in given security domain then default realm is used.
> Following information should be provided for both {{simple-regex-realm-mapper}} and {{mapped-regex-realm-mapper}}
> * In case when more capture groups are obtained in pattern then first capture group is used. Add this information to description of {{pattern}}.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (WFLY-8553) Adding external contexts breaks resolution of non-external on demand resources
by Paul Ferraro (JIRA)
[ https://issues.jboss.org/browse/WFLY-8553?page=com.atlassian.jira.plugin.... ]
Paul Ferraro moved JBEAP-10269 to WFLY-8553:
--------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-8553 (was: JBEAP-10269)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Naming
(was: Naming)
Affects Version/s: 11.0.0.Alpha1
(was: 7.1.0.DR16)
> Adding external contexts breaks resolution of non-external on demand resources
> ------------------------------------------------------------------------------
>
> Key: WFLY-8553
> URL: https://issues.jboss.org/browse/WFLY-8553
> Project: WildFly
> Issue Type: Bug
> Components: Naming
> Affects Versions: 11.0.0.Alpha1
> Reporter: Paul Ferraro
> Assignee: David Lloyd
> Priority: Critical
>
> The logic in ContextNames.BindInfo.setupLookupInjection(...) does not correctly establish dependencies for non-external context in the presence of external contexts.
> Take the resource: java:jboss/infinispan/cache/mycontainer/mycache
> The service registered under this name is installed on-demand. When no external contexts are defined, ExternalContexts.getParentExternalContext(...) returns null and the dependency is established correctly. However, when there are external contexts whose name is lexicographically larger than the external context, the ExternalContexts.getParentExternalContext(...) returns the ServiceName of the lexicographically smallest external context, i.e. the result of NavigableSet.lower(...), where the set contains the ServiceName of all external contexts. Therefore, if a user defines an external context with name "java:global/foo", a call to ContextNames.BindInfo.setupLookupInjection(...) for the jndi name above will establish a dependency on "java:global/foo" instead of the correct service name corresponding to the non-external context.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (ELY-1074) Add option to wrap the GSSCredential in GSSCredentialSecurityFactory
by Stefan Guilhen (JIRA)
Stefan Guilhen created ELY-1074:
-----------------------------------
Summary: Add option to wrap the GSSCredential in GSSCredentialSecurityFactory
Key: ELY-1074
URL: https://issues.jboss.org/browse/ELY-1074
Project: WildFly Elytron
Issue Type: Task
Affects Versions: 1.1.0.Beta32
Reporter: Stefan Guilhen
Assignee: Stefan Guilhen
Fix For: 1.1.0.Beta36
The legacy KerberosLoginModule has an option called wrapGssCredential that tells the code building the GSSCredential that it should wrap the constructed credential to prevent improper credential disposal by some DB drivers. It essentially delegates every method to the wrapped GSSCredential but makes dispose() a no-op.
The GSSCredentialSecurityFactory in Elytron doesn't offer an option to wrap the constructed credential.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (WFCORE-2655) Add option to wrap the GSSCredential in kerberos security factory
by Stefan Guilhen (JIRA)
[ https://issues.jboss.org/browse/WFCORE-2655?page=com.atlassian.jira.plugi... ]
Stefan Guilhen updated WFCORE-2655:
-----------------------------------
Description:
The legacy KerberosLoginModule has an option called wrapGssCredential that tells the code building the GSSCredential that it should wrap the constructed credential to prevent improper credential disposal by some DB drivers. It essentially delegates every method to the wrapped GSSCredential but makes dispose() a no-op.
The kerberos security factory in the Elytron subsystem doesn't offer an option to wrap the credential and it creates a backwards compatibility problem.
was:
The legacy KerberosLoginModule has an option called wrapGssCredential that tells the code building the GSSCredential that it should wrap the constructed credential to prevent improper credential disposal by some DB drivers. It essentially delegates every method to the wrapped GSSCredential but makes dispose() a no-op.
The kerberos security factory in Elytron doesn't offer an option to wrap the credential and it creates a backwards compatibility problem.
> Add option to wrap the GSSCredential in kerberos security factory
> -----------------------------------------------------------------
>
> Key: WFCORE-2655
> URL: https://issues.jboss.org/browse/WFCORE-2655
> Project: WildFly Core
> Issue Type: Feature Request
> Components: Security
> Affects Versions: 3.0.0.Beta14
> Reporter: Stefan Guilhen
> Assignee: Stefan Guilhen
> Fix For: 3.0.0.Beta15
>
>
> The legacy KerberosLoginModule has an option called wrapGssCredential that tells the code building the GSSCredential that it should wrap the constructed credential to prevent improper credential disposal by some DB drivers. It essentially delegates every method to the wrapped GSSCredential but makes dispose() a no-op.
> The kerberos security factory in the Elytron subsystem doesn't offer an option to wrap the credential and it creates a backwards compatibility problem.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months
[JBoss JIRA] (WFLY-8552) Add support for GSSKerberosCredential in ElytronSubjectFactory
by Stefan Guilhen (JIRA)
[ https://issues.jboss.org/browse/WFLY-8552?page=com.atlassian.jira.plugin.... ]
Stefan Guilhen reassigned WFLY-8552:
------------------------------------
Assignee: Stefan Guilhen (was: Stefano Maestri)
> Add support for GSSKerberosCredential in ElytronSubjectFactory
> --------------------------------------------------------------
>
> Key: WFLY-8552
> URL: https://issues.jboss.org/browse/WFLY-8552
> Project: WildFly
> Issue Type: Task
> Components: JCA, Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Stefan Guilhen
> Assignee: Stefan Guilhen
>
> The JCA ElytronSubjectFactory must be improved to handle GSSKerberosCredentials to enable kerberos based authentication for databases.
> It should use a CredentialCallback of type GSSKerberosCredential to obtain the GSSCredential and associated KerberosTicket when building the Subject that is used to establish the connections to the DB. If the authentication configuration matched by the configured authentication context references a kerberos security factory, this factory will be used to create the credential and ticket that will in turn be inserted into the constructed Subject instance.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 3 months