Jan Kalina moved WFLY-7687 to ELY-905:
--------------------------------------
Project: WildFly Elytron (was: WildFly)
Key: ELY-905 (was: WFLY-7687)
Component/s: HTTP (was: Security)
Fix Version/s: (was: 11.0.0.Alpha1)
Authentication based on certificates does not work in Elytron with Undertow
---------------------------------------------------------------------------
Key: ELY-905
URL: https://issues.jboss.org/browse/ELY-905
Project: WildFly Elytron
Issue Type: Bug
Components: HTTP
Affects Versions: 1.1.0.Beta21
Reporter: Jan Tymel
Assignee: Jan Kalina
Priority: Blocker
Attachments: deployment.war, keystores.zip, standalone-elytron.xml
It is not possible to set up authentication based on certificates. I followed the
community documentation [1,2] to set up 2-way SSL for apps and certificate-based auth.
Everything worked as expected until I tried to deploy an app. I got this output:
{code}
14:50:29,352 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 65) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./deployment: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./deployment: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'CLIENT_CERT' is not available from the HttpAuthenticationFactory.
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'CLIENT_CERT' is not available from the HttpAuthenticationFactory.
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:237)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'CLIENT_CERT' is not available from the HttpAuthenticationFactory.
    at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.lambda$initialSecurityHandler$4(ApplicationSecurityDomainDefinition.java:348)
    at java.lang.Iterable.forEach(Iterable.java:75)
    at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.initialSecurityHandler(ApplicationSecurityDomainDefinition.java:345)
    at org.wildfly.extension.undertow.ApplicationSecurityDomainDefinition$ApplicationSecurityDomainService.lambda$applyElytronSecurity$0(ApplicationSecurityDomainDefinition.java:293)
    at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:404)
    at io.undertow.servlet.core.DeploymentManagerImpl.access$600(DeploymentManagerImpl.java:119)
    at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:207)
    at io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:172)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1671)
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:235)
    ... 8 more
14:50:29,356 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "deployment.war")]) - failure description: {
    "WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./deployment" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./deployment: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'CLIENT_CERT' is not available from the HttpAuthenticationFactory.
    Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'CLIENT_CERT' is not available from the HttpAuthenticationFactory.
    Caused by: java.lang.IllegalStateException: WFLYUT0085: The required mechanism 'CLIENT_CERT' is not available from the HttpAuthenticationFactory."},
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.undertow.deployment.default-server.default-host./deployment"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
{code}
This might be caused by a different representation of the {{CLIENT-CERT}} attribute within
Elytron and Undertow. It appears that Elytron uses {{CLIENT-CERT}} [3] whereas Undertow
uses {{CLIENT_CERT}} [4].
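As an added triage aid (not part of this report, of WildFly or of Elytron), the Python below pulls the mechanism name out of a WFLYUT0085 log line and checks it against the names an HttpAuthenticationFactory exposes, so that a genuinely missing mechanism can be told apart from the '-' versus '_' spelling mismatch suspected above. The log line is the one quoted in this issue; the set of registered mechanism names is an assumption, since the report only states that Elytron spells the certificate mechanism {{CLIENT-CERT}}.

```python
import re

# Constructed sample: the WFLYUT0085 line from the deployment failure quoted above.
SAMPLE_LOG = (
    "14:50:29,352 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 65) "
    "MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./deployment: "
    "java.lang.RuntimeException: java.lang.IllegalStateException: WFLYUT0085: The required "
    "mechanism 'CLIENT_CERT' is not available from the HttpAuthenticationFactory."
)

# Assumed set of mechanism names registered with the HttpAuthenticationFactory;
# the report only confirms the 'CLIENT-CERT' spelling on the Elytron side.
ELYTRON_MECHANISMS = {"BASIC", "FORM", "DIGEST", "CLIENT-CERT"}

WFLYUT0085_RE = re.compile(r"WFLYUT0085: The required mechanism '([^']+)' is not available")


def required_mechanisms(log_text):
    """Return the mechanism names Undertow reported as missing, in order, without duplicates."""
    seen = []
    for name in WFLYUT0085_RE.findall(log_text):
        if name not in seen:
            seen.append(name)
    return seen


def canonical(name):
    """Fold the two spellings (CLIENT_CERT / CLIENT-CERT) onto one comparison key."""
    return name.upper().replace("_", "-")


def diagnose(required, available):
    """Classify a required mechanism against the factory's registered names.

    Returns one of:
      ("available", name)          exact match, the deployment would start
      ("spelling-mismatch", name)  only '-' vs '_' differs; name is the factory's spelling
      ("missing", None)            no mechanism of that name is registered at all
    """
    if required in available:
        return ("available", required)
    for name in available:
        if canonical(name) == canonical(required):
            return ("spelling-mismatch", name)
    return ("missing", None)


if __name__ == "__main__":
    for mech in required_mechanisms(SAMPLE_LOG):
        print(mech, "->", diagnose(mech, ELYTRON_MECHANISMS))
```

Run against a full server.log, a "spelling-mismatch" result points at the name-convention gap between the two projects rather than at a misconfigured security domain.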
[1] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#Us...
[2] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#Us...
[3] https://github.com/wildfly-security/wildfly-elytron/blob/master/src/main/...
[4] https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io...