[JBoss JIRA] (ELY-1191) Undertow CLIENT_CERT via Elytron and HTTP/2 does not work
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1191?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse updated ELY-1191:
----------------------------------
Fix Version/s: 1.1.0.Beta48
(was: 1.1.0.Beta47)
> Undertow CLIENT_CERT via Elytron and HTTP/2 does not work
> ---------------------------------------------------------
>
> Key: ELY-1191
> URL: https://issues.jboss.org/browse/ELY-1191
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Stuart Douglas
> Assignee: Stuart Douglas
> Priority: Blocker
> Fix For: 1.1.0.Beta48
>
>
> When I set up CLIENT_CERT authentication for an application (see Steps to Reproduce) and use the HTTP/2 protocol, I always get 403 Forbidden, even when I use a correct client certificate that should allow me access to secured content.
> I can see the following TRACE messages in server.log:
> {code}
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Principal assigning: [CN=client], pre-realm rewritten: [client], realm name: [ksRealm], post-realm rewritten: [client], realm rewritten: [client]
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Role mapping: principal [client] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [gooduser]
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Authorizing principal client.
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Authorizing against the following attributes: [] => []
> 2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Permission mapping: identity [client] with roles [gooduser] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
> 2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Authorization succeed
> 2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Authentication succeed for principal [CN=client]
> 2017-05-23 10:58:31,117 TRACE [org.wildfly.security] (default task-10) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost' protocol='https'
> 2017-05-23 10:58:31,117 TRACE [org.wildfly.security] (default task-10) CLIENT-CERT no SSL session
> {code}
> Authentication seems to succeed just fine. But notice the last line - {{CLIENT-CERT no SSL session}}.
> When I disable 'http2' in the https-listener:
> {code}
> /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enable-http2,value=false)
> reload
> {code}
> I can now access secured content as expected. Also, the trace log now contains different (healthier) messages.
> This happens both when I use HTTP/2 with the EAP 'alpn-hack' mechanism and with ALPN provided by the OpenSSL library.
> As described in JBEAP-9803, Undertow needs to write into the ssl-context when HTTP/2 with ALPN is used. Maybe this is the source of the problem?
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
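The TRACE lines quoted in the report show the pattern a practitioner wants to detect in server.log: authentication of the X.500 principal succeeds on one worker thread, and the CLIENT_CERT HTTP mechanism then reports no SSL session on the thread handling the request, which is what produces the 403. The following triage script is an added example for this page, not code from the Elytron or Undertow projects; it assumes the default console log pattern used in the report (timestamp, level, [logger], (thread), message), and the sample log it parses is constructed from the lines quoted above.

```python
"""Triage a WildFly/Elytron TRACE log for the CLIENT_CERT-over-HTTP/2 failure.

Added example for this page, not code from the Elytron or Undertow projects.
The sample lines below are copied from the ELY-1191 report; the regexes assume
the log pattern they use: timestamp LEVEL [logger] (thread) message.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) +\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
# Fields of the MechanismInformationCallback line logged when the HTTP mechanism is selected.
MECH_RE = re.compile(
    r"Handling MechanismInformationCallback type='(?P<type>[^']*)' "
    r"name='(?P<name>[^']*)' host-name='(?P<host>[^']*)' protocol='(?P<proto>[^']*)'"
)
AUTH_OK_RE = re.compile(r"Authentication succeed for principal \[(?P<principal>[^\]]+)\]")
NO_SESSION = "CLIENT-CERT no SSL session"

# Constructed sample: the lines quoted in the report (one request, two worker threads).
SAMPLE_LOG = "\n".join([
    "2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) X500 principal [CN=client] decoded as name [client] (attribute values: [client])",
    "2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Role mapping: principal [client] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [gooduser]",
    "2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Authorization succeed",
    "2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Authentication succeed for principal [CN=client]",
    "2017-05-23 10:58:31,117 TRACE [org.wildfly.security] (default task-10) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost' protocol='https'",
    "2017-05-23 10:58:31,117 TRACE [org.wildfly.security] (default task-10) CLIENT-CERT no SSL session",
])


def parse_line(line):
    """Split one log line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Correlate, per worker thread, the mechanism callback with the 'no SSL session' marker.

    Returns the principals whose authentication succeeded and every occurrence of
    CLIENT-CERT failing to find an SSL session, together with the mechanism details
    the same thread logged just before it.
    """
    last_mech = {}      # thread -> fields of the last MechanismInformationCallback line
    authenticated = {}  # thread -> principal from 'Authentication succeed'
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        thread, msg = rec["thread"], rec["msg"]
        m = MECH_RE.search(msg)
        if m:
            last_mech[thread] = m.groupdict()
            continue
        m = AUTH_OK_RE.search(msg)
        if m:
            authenticated[thread] = m.group("principal")
            continue
        if NO_SESSION in msg:
            mech = last_mech.get(thread, {})
            findings.append({
                "ts": rec["ts"],
                "thread": thread,
                "mechanism": mech.get("name"),
                "protocol": mech.get("proto"),
                "host": mech.get("host"),
            })
    return {"authenticated": authenticated, "no_ssl_session": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for thread, principal in result["authenticated"].items():
        print(f"{thread}: authenticated {principal}")
    for f in result["no_ssl_session"]:
        print(f"{f['ts']} {f['thread']}: {f['mechanism']} over {f['protocol']} "
              f"found no SSL session (request will be rejected despite the authentication above)")
```

Run it against a real file with `triage(open("server.log").read())`. A non-empty `no_ssl_session` list while `enable-http2` is still `true` on the https-listener is the signature of the behaviour reported here; the "Authentication succeed" line alone is not evidence that the request was served.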
[JBoss JIRA] (ELY-1185) Only the last mechanism selector is used in Elytron client configuration
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-1185?page=com.atlassian.jira.plugin.s... ]
Darran Lofthouse reassigned ELY-1185:
-------------------------------------
Assignee: Chao Wang (was: Darran Lofthouse)
> Only the last mechanism selector is used in Elytron client configuration
> ------------------------------------------------------------------------
>
> Key: ELY-1185
> URL: https://issues.jboss.org/browse/ELY-1185
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta42
> Reporter: Ondrej Lukas
> Assignee: Chao Wang
> Priority: Critical
>
> When the Elytron client configuration file includes a {{sasl-mechanism-selector}} with a string that contains more than one mechanism, only the last mentioned mechanism is used. The correct behavior would be to use all given mechanisms in the given order, see [1].
> When the last given mechanism is supported by the server, it tries to authenticate; otherwise no mechanism is used to attempt authentication.
> For example, the following selector element can be used in the Elytron client configuration file:
> {code}
> <sasl-mechanism-selector selector="PLAIN DIGEST-MD5 ANONYMOUS JBOSS-LOCAL-USER"/>
> {code}
> When only {{DIGEST-MD5}} is supported by the server, it works only if {{DIGEST-MD5}} is the last mechanism in the selector string.
> [1] https://issues.jboss.org/browse/EAP7-567?focusedCommentId=13408238&page=c...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
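To make the reported behaviour concrete, the following script models how an ordered selector string should be applied against the mechanisms a server offers, next to the behaviour the report describes (only the last name considered). It is an added example for this page, not Elytron's own SaslMechanismSelector; it handles only the plain space-separated list shown in the report, and the server mechanism lists are constructed for illustration.

```python
"""Model of applying an ordered sasl-mechanism-selector: expected vs. reported.

Added example for this page; this is not Elytron's SaslMechanismSelector and it
models only the space-separated list form shown in ELY-1185.  The server
mechanism lists are constructed for illustration.
"""


def parse_selector(selector):
    """Ordered mechanism names from a space-separated selector string."""
    names = selector.split()
    if not names:
        raise ValueError("selector must name at least one mechanism")
    return names


def select_expected(selector, server_mechanisms):
    """Correct behaviour: every selected mechanism the server offers, in selector order."""
    offered = set(server_mechanisms)
    return [name for name in parse_selector(selector) if name in offered]


def select_reported(selector, server_mechanisms):
    """Behaviour reported in ELY-1185: only the last name in the selector is considered."""
    last = parse_selector(selector)[-1]
    return [last] if last in set(server_mechanisms) else []


def first_attempt(candidates):
    """Mechanism the client would try first, or None when no attempt is made."""
    return candidates[0] if candidates else None


SELECTOR = "PLAIN DIGEST-MD5 ANONYMOUS JBOSS-LOCAL-USER"

# Constructed scenarios: what the server advertises in each case.
SCENARIOS = {
    "server offers DIGEST-MD5 only": ["DIGEST-MD5"],
    "server offers DIGEST-MD5 and JBOSS-LOCAL-USER": ["DIGEST-MD5", "JBOSS-LOCAL-USER"],
    "server offers PLAIN and DIGEST-MD5": ["PLAIN", "DIGEST-MD5"],
}

if __name__ == "__main__":
    for label, offered in SCENARIOS.items():
        expected = select_expected(SELECTOR, offered)
        reported = select_reported(SELECTOR, offered)
        print(label)
        print(f"  expected: {expected} -> tries {first_attempt(expected)}")
        print(f"  reported: {reported} -> tries {first_attempt(reported)}")
```

With the server offering only DIGEST-MD5, the expected path yields `['DIGEST-MD5']` while the reported behaviour yields nothing and no authentication is attempted; moving DIGEST-MD5 to the end of the selector is what makes the reported behaviour work, as the report says. Note also that once the selector is honoured in order, the first listed mechanism the server offers is the one tried first, so a selector that lists PLAIN ahead of DIGEST-MD5 will send the password in cleartext to any server that offers PLAIN unless the transport is protected; order the selector from strongest to weakest.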