[JBoss JIRA] (ELY-261) Rework (and move) UsernamePasswordHashUtil
by David Lloyd (JIRA)
[ https://issues.jboss.org/browse/ELY-261?page=com.atlassian.jira.plugin.sy... ]
David Lloyd commented on ELY-261:
---------------------------------
I think we should deprecate this class so it is not part of the public API. At this point, any password manipulation should be done via the PasswordFactory.
> Rework (and move) UsernamePasswordHashUtil
> ------------------------------------------
>
> Key: ELY-261
> URL: https://issues.jboss.org/browse/ELY-261
> Project: WildFly Elytron
> Issue Type: Feature Request
> Components: API / SPI, Passwords
> Reporter: Darran Lofthouse
> Fix For: 1.1.0.CR2
>
>
> Firstly this class is not really SASL specific so should be in a general util package.
> Secondly we now have password specs and a PasswordFactory - if this class still has a future then maybe it should be using those instead of its own custom implementation.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
[JBoss JIRA] (WFLY-9034) Cannot deploy JMS bridge after reload when source-context={} and target-context={}
by Jeff Mesnil (JIRA)
[ https://issues.jboss.org/browse/WFLY-9034?page=com.atlassian.jira.plugin.... ]
Jeff Mesnil moved JBEAP-11905 to WFLY-9034:
-------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-9034 (was: JBEAP-11905)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: JMS
(was: JMS)
Affects Version/s: 11.0.0.Alpha1
(was: 7.1.0.DR19)
> Cannot deploy JMS bridge after reload when source-context={} and target-context={}
> -----------------------------------------------------------------------------------
>
> Key: WFLY-9034
> URL: https://issues.jboss.org/browse/WFLY-9034
> Project: WildFly
> Issue Type: Bug
> Components: JMS
> Affects Versions: 11.0.0.Alpha1
> Reporter: Jeff Mesnil
> Assignee: Jeff Mesnil
> Priority: Minor
>
> JMS bridge cannot be deployed on the first attempt when both _source-context={}_ and _target-context={}_ are set. It happens only on server start (or after reload) and only when both _source-context_ and _target-context_ are defined as {}. When at least one of them is undefined, the bridge is deployed correctly.
> It seems like a timing issue, where the bridge is looking for a queue which is not yet created.
> Priority is set to minor, because you don't need to specify target/source context when local context is supposed to be used. You might also specify a higher _max-retries_ on the bridge and then it connects when the queue is created on the local server.
> The following warning is printed on server startup:
> {noformat}
> 13:24:39,827 WARN [org.apache.activemq.artemis.jms.bridge] (Thread-93) AMQ342010: Failed to connect JMS Bridge N/A: javax.naming.NameNotFoundException: jms/queue/InQueue [Root exception is java.lang.IllegalStateException]
> at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> at javax.naming.InitialContext.lookup(InitialContext.java:417) [rt.jar:1.8.0_65]
> at javax.naming.InitialContext.lookup(InitialContext.java:417) [rt.jar:1.8.0_65]
> at org.apache.activemq.artemis.jms.bridge.impl.JNDIFactorySupport.createObject(JNDIFactorySupport.java:46) [artemis-jms-server-1.5.5.001-redhat-1.jar:1.5.5.001-redhat-1]
> at org.apache.activemq.artemis.jms.bridge.impl.JNDIDestinationFactory.createDestination(JNDIDestinationFactory.java:32) [artemis-jms-server-1.5.5.001-redhat-1.jar:1.5.5.001-redhat-1]
> at org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl.setupJMSObjects(JMSBridgeImpl.java:1070) [artemis-jms-server-1.5.5.001-redhat-1.jar:1.5.5.001-redhat-1]
> at org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl.setupJMSObjectsWithRetry(JMSBridgeImpl.java:1247) [artemis-jms-server-1.5.5.001-redhat-1.jar:1.5.5.001-redhat-1]
> at org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl.access$2600(JMSBridgeImpl.java:75) [artemis-jms-server-1.5.5.001-redhat-1.jar:1.5.5.001-redhat-1]
> at org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl$FailureHandler.run(JMSBridgeImpl.java:1747) [artemis-jms-server-1.5.5.001-redhat-1.jar:1.5.5.001-redhat-1]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_65]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_65]
> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_65]
> Caused by: java.lang.IllegalStateException
> at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:47) [jboss-msc-1.2.7.SP1-redhat-1.jar:1.2.7.SP1-redhat-1]
> at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:142) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1158) [jboss-msc-1.2.7.SP1-redhat-1.jar:1.2.7.SP1-redhat-1]
> at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131) [wildfly-naming-7.1.0.Beta1-redhat-4.jar:7.1.0.Beta1-redhat-4]
> ... 16 more
> 13:24:39,828 WARN [org.apache.activemq.artemis.jms.bridge] (Thread-93) AMQ342005: JMS Bridge N/A unable to set up connections, bridge will not be started
> {noformat}
[JBoss JIRA] (ELY-1275) x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/ELY-1275?page=com.atlassian.jira.plugin.s... ]
Ondrej Lukas updated ELY-1275:
------------------------------
Affects Version/s: 1.1.0.Beta52
> x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context
> ------------------------------------------------------------------------------------
>
> Key: ELY-1275
> URL: https://issues.jboss.org/browse/ELY-1275
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta52
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> When {{ldap-realm}} with {{x509-credential-mapper}} is used in a {{security-domain}} which is referenced from {{server-ssl-context}}, authorization fails. It seems to be caused by using {{ServerAuthenticationContext.NameAssignedState}} in [1], which fails in [2] due to [3]. Because of this issue, {{x509-credential-mapper}} cannot work in {{server-ssl-context}}.
> Server log:
> {code}
> 2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
> 2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ], pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
> 2017-06-30 15:01:22,023 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [clientSubjectDn]...
> 2017-06-30 15:01:22,028 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [clientSubjectDn].
> 2017-06-30 15:01:22,044 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
> 2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
> 2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
> 2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
> 2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
> 2017-06-30 15:01:22,081 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@6ca3ef32] successfully created. Connection established to LDAP server.
> 2017-06-30 15:01:22,084 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
> 2017-06-30 15:01:22,086 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [null]. Binary attributes are [null].
> 2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@6ca3ef32] was closed. Connection closed or just returned to the pool.
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
> 2017-06-30 15:01:22,154 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
> 2017-06-30 15:01:22,179 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@75395ba6] successfully created. Connection established to LDAP server.
> 2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
> 2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
> 2017-06-30 15:01:22,195 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,197 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,198 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@75395ba6] was closed. Connection closed or just returned to the pool.
> 2017-06-30 15:01:22,200 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
> 2017-06-30 15:01:22,212 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@22d42495] successfully created. Connection established to LDAP server.
> 2017-06-30 15:01:22,213 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
> 2017-06-30 15:01:22,214 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
> 2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
> 2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@22d42495] was closed. Connection closed or just returned to the pool.
> 2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
> 2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
> Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.succeed(ServerAuthenticationContext.java:492)
> at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:123)
> at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
> at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
> at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> Since there is no documentation for this scenario it is possible that this is just a configuration issue - in that case please provide valid configuration for this scenario.
> [1] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
> [2] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
> [3] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
[JBoss JIRA] (ELY-1275) x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-1275:
---------------------------------
Summary: x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context
Key: ELY-1275
URL: https://issues.jboss.org/browse/ELY-1275
Project: WildFly Elytron
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
When {{ldap-realm}} with {{x509-credential-mapper}} is used in a {{security-domain}} which is referenced from {{server-ssl-context}}, authorization fails. It seems to be caused by using {{ServerAuthenticationContext.NameAssignedState}} in [1], which fails in [2] due to [3]. Because of this issue, {{x509-credential-mapper}} cannot work in {{server-ssl-context}}.
Server log:
{code}
2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ], pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
2017-06-30 15:01:22,023 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [clientSubjectDn]...
2017-06-30 15:01:22,028 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [clientSubjectDn].
2017-06-30 15:01:22,044 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,081 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@6ca3ef32] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,084 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,086 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [null]. Binary attributes are [null].
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@6ca3ef32] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,154 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,179 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@75395ba6] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
2017-06-30 15:01:22,195 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,197 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,198 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@75395ba6] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,200 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,212 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@22d42495] successfully created. Connection established to LDAP server.
2017-06-30 15:01:22,213 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
2017-06-30 15:01:22,214 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@22d42495] was closed. Connection closed or just returned to the pool.
2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
at org.wildfly.security.auth.server.ServerAuthenticationContext.succeed(ServerAuthenticationContext.java:492)
at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:123)
at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
Since there is no documentation for this scenario it is possible that this is just a configuration issue - in that case please provide valid configuration for this scenario.
[1] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
[2] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
[3] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
8 years, 10 months
[JBoss JIRA] (ELY-1273) Internal NPE when any attribute from x509-credential-mapper in ldap-realm is missing in LDAP
by Ondrej Lukas (JIRA)
Ondrej Lukas created ELY-1273:
---------------------------------
Summary: Internal NPE when any attribute from x509-credential-mapper in ldap-realm is missing in LDAP
Key: ELY-1273
URL: https://issues.jboss.org/browse/ELY-1273
Project: WildFly Elytron
Issue Type: Bug
Reporter: Ondrej Lukas
Assignee: Darran Lofthouse
Priority: Critical
When any of the attributes {{digest-from}}, {{certificate-from}}, {{serial-number-from}}, {{subject-dn-from}} from {{x509-credential-mapper}} in {{ldap-realm}} includes an attribute which does not occur in the searched entry in LDAP, then an internal NPE is thrown. It is caused by missing null checks.
Thrown exception for {{digest-from}}:
{code}
java.lang.NullPointerException
at org.wildfly.security.auth.realm.ldap.X509EvidenceVerifier$DigestCertificateVerifier.verifyCertificate(X509EvidenceVerifier.java:153)
at org.wildfly.security.auth.realm.ldap.X509EvidenceVerifier$1.verifyEvidence(X509EvidenceVerifier.java:225)
at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:618)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1937)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:730)
at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:121)
at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
Thrown exception for {{certificate-from}}:
{code}
java.lang.NullPointerException
at org.wildfly.security.auth.realm.ldap.X509EvidenceVerifier$EncodedCertificateVerifier.verifyCertificate(X509EvidenceVerifier.java:190)
at org.wildfly.security.auth.realm.ldap.X509EvidenceVerifier$1.verifyEvidence(X509EvidenceVerifier.java:225)
at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:618)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1937)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:730)
at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:121)
at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
Thrown exception for {{serial-number-from}}:
{code}
java.lang.NullPointerException
at org.wildfly.security.auth.realm.ldap.X509EvidenceVerifier$SerialNumberCertificateVerifier.verifyCertificate(X509EvidenceVerifier.java:98)
at org.wildfly.security.auth.realm.ldap.X509EvidenceVerifier$1.verifyEvidence(X509EvidenceVerifier.java:225)
at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:618)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1937)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:730)
at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:121)
at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
Thrown exception for {{subject-dn-from}}:
{code}
java.lang.NullPointerException
at org.wildfly.security.auth.realm.ldap.X509EvidenceVerifier$SubjectDnCertificateVerifier.verifyCertificate(X509EvidenceVerifier.java:125)
at org.wildfly.security.auth.realm.ldap.X509EvidenceVerifier$1.verifyEvidence(X509EvidenceVerifier.java:225)
at org.wildfly.security.auth.realm.ldap.LdapSecurityRealm$LdapRealmIdentity.verifyEvidence(LdapSecurityRealm.java:618)
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.verifyEvidence(ServerAuthenticationContext.java:1937)
at org.wildfly.security.auth.server.ServerAuthenticationContext.verifyEvidence(ServerAuthenticationContext.java:730)
at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:121)
at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
8 years, 10 months
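A sketch of the null handling the ELY-1273 report above asks for, written as an added example and not taken from the Elytron code base: a certificate check against an LDAP entry should treat an absent attribute as "no match" and reject the client, rather than dereference a null inside the TLS handshake. The class name, method names, the attribute names {{x509serialNumber}} and {{x509digest}}, and the hex-string digest format are assumptions made for this illustration.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;

public class NullSafeX509AttributeCheck {

    // Attributes.get(String) returns null when the entry lacks the attribute;
    // that is the case that must be handled before any dereference.
    static String firstString(Attributes entry, String name) throws NamingException {
        Attribute attr = entry.get(name);
        if (attr == null || attr.size() == 0) return null;
        Object value = attr.get();
        return (value instanceof String) ? (String) value : null;
    }

    // Serial-number comparison: a missing or malformed value is "no match".
    static boolean serialMatches(Attributes entry, String attrName, BigInteger certSerial)
            throws NamingException {
        String stored = firstString(entry, attrName);
        if (stored == null) return false; // fail closed instead of throwing an NPE
        try {
            return new BigInteger(stored.trim()).equals(certSerial);
        } catch (NumberFormatException e) {
            return false;
        }
    }

    // Digest comparison (assumption: the directory stores the digest as a hex string).
    static boolean digestMatches(Attributes entry, String attrName, String algorithm,
                                 byte[] certDer) throws Exception {
        String stored = firstString(entry, attrName);
        if (stored == null) return false; // fail closed
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance(algorithm).digest(certDer)) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString().equalsIgnoreCase(stored.trim());
    }

    public static void main(String[] args) throws Exception {
        // Constructed LDAP entry: carries a serial number but no digest attribute.
        Attributes entry = new BasicAttributes(true);
        entry.put("x509serialNumber", "4660");
        byte[] sampleDer = {0x30, 0x03, 0x02, 0x01, 0x01}; // constructed bytes, not a real certificate
        System.out.println(serialMatches(entry, "x509serialNumber", BigInteger.valueOf(4660)));
        System.out.println(serialMatches(entry, "missingAttr", BigInteger.valueOf(4660)));
        System.out.println(digestMatches(entry, "x509digest", "SHA-1", sampleDer));
    }
}
```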
[JBoss JIRA] (ELY-1273) Internal NPE when any attribute from x509-credential-mapper in ldap-realm is missing in LDAP
by Ondrej Lukas (JIRA)
[ https://issues.jboss.org/browse/ELY-1273?page=com.atlassian.jira.plugin.s... ]
Ondrej Lukas updated ELY-1273:
------------------------------
Affects Version/s: 1.1.0.Beta52
> Internal NPE when any attribute from x509-credential-mapper in ldap-realm is missing in LDAP
> --------------------------------------------------------------------------------------------
>
> Key: ELY-1273
> URL: https://issues.jboss.org/browse/ELY-1273
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta52
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> When any of the attributes {{digest-from}}, {{certificate-from}}, {{serial-number-from}}, {{subject-dn-from}} from {{x509-credential-mapper}} in {{ldap-realm}} includes an attribute which does not occur in the searched entry in LDAP, then an internal NPE is thrown. It is caused by missing null checks.
8 years, 10 months