Ingo Weiss updated WFCORE-4803:
-------------------------------
Labels: downstream_dependency (was: )
EJB Client authentication does not work using SASL DIGEST-MD5 and
EXTERNAL mechanisms in Legacy security
--------------------------------------------------------------------------------------------------------
Key: WFCORE-4803
URL: https://issues.redhat.com/browse/WFCORE-4803
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 11.0.0.Beta7
Reporter: Ricardo Martin Camarero
Assignee: Ricardo Martin Camarero
Priority: Major
Labels: downstream_dependency
Fix For: 12.0.0.Beta1
The application does not work when using the DIGEST-MD5 mechanism in legacy
security. This is the configuration in standalone.xml:
{code:java}
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <http-connector name="http-remoting-connector" connector-ref="https" security-realm="ApplicationRealm">
        <sasl>
            <include-mechanisms value="DIGEST-MD5"/>
            <qop value="auth"/>
            <strength value="medium"/>
            <server-auth value="false"/>
            <reuse-session value="false"/>
            <policy>
                <forward-secrecy value="true"/>
                <no-active value="false"/>
                <no-anonymous value="false"/>
                <no-dictionary value="true"/>
                <no-plain-text value="false"/>
                <pass-credentials value="true"/>
            </policy>
        </sasl>
    </http-connector>
</subsystem>
{code}
Using this configuration I have seen this exception in the application:
{code:java}
019-12-16 09:08:44,132 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [RemotingRealm]
2019-12-16 09:08:44,132 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = stubejbclient
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Principal assigning: [stubejbclient], pre-realm rewritten: [stubejbclient@RemotingRealm], realm name: [DIGEST-MD5], post-realm rewritten: [stubejbclient@RemotingRealm], realm rewritten: [stubejbclient@RemotingRealm]
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: failed to obtain credential
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [RemotingRealm]
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = stubejbclient
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: failed to obtain credential
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [RemotingRealm]
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = stubejbclient
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling PasswordCallback: PasswordCredential may not be supported
2019-12-16 09:08:44,133 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05051: Callback handler does not support credential acquisition [Caused by org.wildfly.security.auth.callback.FastUnsupportedCallbackException: javax.security.auth.callback.PasswordCallback@1cf94092]
    at org.wildfly.security.mechanism.digest.PasswordDigestObtainer.getSaltedPasswordFromPasswordCallback(PasswordDigestObtainer.java:295)
    at org.wildfly.security.mechanism.digest.PasswordDigestObtainer.handleUserRealmPasswordCallbacks(PasswordDigestObtainer.java:112)
    at org.wildfly.security.sasl.digest.AbstractDigestMechanism.handleUserRealmPasswordCallbacks(AbstractDigestMechanism.java:195)
    at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:264)
    at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:363)
    at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:199)
    at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:336)
    at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
    at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
    at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
    at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
    at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
    at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:991)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.wildfly.security.auth.callback.FastUnsupportedCallbackException: javax.security.auth.callback.PasswordCallback@1cf94092
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
2019-12-16 09:08:44,133 TRACE [org.jboss.remoting.remote.server] (default task-1) No more authentication attempts allowed, closing the connection
{code}
It works on EAP 7.0.x but is not working on EAP 7.2.x.
The same configuration works on JBoss EAP 7.0.z. I'm attaching the EJB client, EJB
service and standalone.xml.
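
Added example, not part of the issue report and not WildFly or Elytron code: a minimal RFC 2831 server-side check for qop=auth, showing that a DIGEST-MD5 server can only validate a response if it can obtain the user's clear password or the pre-digested H(user:realm:password), which is the step the trace above reports as failing. The user and realm names come from the trace; the password, nonces, digest-uri and the `store` layout are constructed for illustration.

```python
import hashlib
import hmac

class CredentialUnavailable(Exception):
    """Server has neither a password nor a pre-digested secret for the user."""

def predigest(user: str, realm: str, password: str) -> bytes:
    # H(username:realm:password), raw 16 bytes: all the server needs to store.
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).digest()

def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                    digest_uri: str, qop: str = "auth") -> str:
    # RFC 2831 response-value for qop=auth with no authzid.
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    kd_input = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd_input.encode("utf-8")).hexdigest()

def validate(store: dict, user: str, realm: str, nonce: str, cnonce: str,
             nc: str, digest_uri: str, response: str) -> bool:
    # store maps (user, realm) -> predigest(...) bytes; hypothetical layout.
    secret = store.get((user, realm))
    if secret is None:
        # No credential can be obtained, so the response cannot be checked.
        raise CredentialUnavailable(f"no credential for {user}@{realm}")
    expected = digest_response(secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)

# Constructed exchange: user and realm names from the trace, the rest made up.
USER, REALM, URI = "stubejbclient", "RemotingRealm", "remote/localhost"
NONCE, CNONCE, NC = "c2VydmVyLW5vbmNl", "Y2xpZW50LW5vbmNl", "00000001"

def client_response(password: str) -> str:
    secret = predigest(USER, REALM, password)
    return digest_response(secret, NONCE, CNONCE, NC, URI)

if __name__ == "__main__":
    store = {(USER, REALM): predigest(USER, REALM, "example-pass")}
    good = client_response("example-pass")
    print(validate(store, USER, REALM, NONCE, CNONCE, NC, URI, good))
    print(validate(store, USER, REALM, NONCE, CNONCE, NC, URI, client_response("wrong")))
    try:
        validate({}, USER, REALM, NONCE, CNONCE, NC, URI, good)
    except CredentialUnavailable as exc:
        print("rejected:", exc)
```

Because the realm name is hashed into the stored secret, a digest computed for one realm never validates a response computed for another.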