Jan Kalina reassigned ELY-1275:
-------------------------------
Assignee: Jan Kalina (was: Darran Lofthouse)
x509-credential-mapper in ldap-realm does not work correctly with
server-ssl-context
------------------------------------------------------------------------------------
Key: ELY-1275
URL: https://issues.jboss.org/browse/ELY-1275
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta52
Reporter: Ondrej Lukas
Assignee: Jan Kalina
Priority: Critical
When {{ldap-realm}} with {{x509-credential-mapper}} is used in a {{security-domain}} which
is referenced from a {{server-ssl-context}}, authorization fails. It seems to be caused
by using {{ServerAuthenticationContext.NameAssignedState}} in [1], which fails in [2] due
to [3]. This issue means that {{x509-credential-mapper}} cannot work in
{{server-ssl-context}}.
Server log:
{code}
2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal
[CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as
name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal
assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ],
pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm
rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
2017-06-30 15:01:22,023 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for
identity [clientSubjectDn]...
2017-06-30 15:01:22,028 DEBUG [org.wildfly.security] (default task-2) Obtained lock for
identity [clientSubjectDn].
2017-06-30 15:01:22,044 DEBUG [org.wildfly.security] (default task-2) Creating [class
javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.referral] with value [ignore]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,081 DEBUG [org.wildfly.security] (default task-2)
[javax.naming.ldap.InitialLdapContext@6ca3ef32] successfully created. Connection
established to LDAP server.
2017-06-30 15:01:22,084 DEBUG [org.wildfly.security] (default task-2) Trying to create
identity for principal [clientSubjectDn].
2017-06-30 15:01:22,086 DEBUG [org.wildfly.security] (default task-2) Executing search
[(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org]
with arguments [clientSubjectDn]. Returning attributes are [null]. Binary attributes are
[null].
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry
[uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Identity for
principal [clientSubjectDn] found at
[uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Context
[javax.naming.ldap.InitialLdapContext@6ca3ef32] was closed. Connection closed or just
returned to the pool.
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Creating [class
javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.referral] with value [ignore]
2017-06-30 15:01:22,154 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,179 DEBUG [org.wildfly.security] (default task-2)
[javax.naming.ldap.InitialLdapContext@75395ba6] successfully created. Connection
established to LDAP server.
2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Trying to create
identity for principal [clientSubjectDn].
2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Executing search
[(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org]
with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary
attributes are [].
2017-06-30 15:01:22,195 DEBUG [org.wildfly.security] (default task-2) Found entry
[uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,197 DEBUG [org.wildfly.security] (default task-2) Identity for
principal [clientSubjectDn] found at
[uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,198 DEBUG [org.wildfly.security] (default task-2) Context
[javax.naming.ldap.InitialLdapContext@75395ba6] was closed. Connection closed or just
returned to the pool.
2017-06-30 15:01:22,200 TRACE [org.wildfly.security] (default task-2) X500 principal
[CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as
name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Creating [class
javax.naming.directory.InitialDirContext] with environment:
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.authentication] with value [simple]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.provider.url] with value [ldap://localhost:10389]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.read.timeout] with value [60000]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.connect.pool] with value [false]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[com.sun.jndi.ldap.connect.timeout] with value [5000]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.referral] with value [ignore]
2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property
[java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
2017-06-30 15:01:22,212 DEBUG [org.wildfly.security] (default task-2)
[javax.naming.ldap.InitialLdapContext@22d42495] successfully created. Connection
established to LDAP server.
2017-06-30 15:01:22,213 DEBUG [org.wildfly.security] (default task-2) Trying to create
identity for principal [clientSubjectDn].
2017-06-30 15:01:22,214 DEBUG [org.wildfly.security] (default task-2) Executing search
[(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org]
with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary
attributes are [].
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Found entry
[uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Identity for
principal [clientSubjectDn] found at
[uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client
certificate accepted by X509EvidenceVerifier
2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Context
[javax.naming.ldap.InitialLdapContext@22d42495] was closed. Connection closed or just
returned to the pool.
2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication
succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech
Republic, C=CZ]
2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task
io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception:
java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
at org.wildfly.security.auth.server.ServerAuthenticationContext.succeed(ServerAuthenticationContext.java:492)
at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:123)
at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
Since there is no documentation for this scenario, it is possible that this is just a
configuration issue - in that case, please provide a valid configuration for this scenario.
[1] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
[2] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
[3] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc...
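A triage helper for the log format in the report above, added here as an example and not part of the report or of Elytron: it groups the trace lines per worker thread, records which stage each client-certificate authentication reached (X500 name decoding, realm selection, LDAP entry lookup, evidence verification, success) and attaches the ELY error that the TLS handshake later raises on a different XNIO I/O thread by time window, since thread correlation alone would miss it. The sample log is constructed from the report's own lines; the `max_gap` window and the stage names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the format of the report's server log, cut down to the lines that
# matter for triage; DN, realm name, LDAP entry and error code are taken from the report.
SAMPLE_LOG = """\
2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ], pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
"""
LINE_RE = re.compile(r"^(\S+ \S+) \w+\s+\[[^\]]+\] \(([^)]+)\) (.*)$")  # ts level [logger] (thread) msg

def parse_attempts(log_text, max_gap=timedelta(seconds=2)):
    """One record per worker thread. Handshake errors surface on the XNIO I/O thread, not
    the task thread, so an ELY error is attached to the latest attempt seen within max_gap."""
    attempts = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, thread, msg = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2), m.group(3)
        if err := re.search(r"(ELY\d+): ([^:]+)$", msg):
            recent = [a for a in attempts if ts - a["last_seen"] <= max_gap]
            if recent: recent[-1]["error"] = f"{err.group(1)}: {err.group(2)}"
            continue
        a = next((x for x in attempts if x["thread"] == thread), None)
        if a is None:
            a = {"thread": thread, "dn": None, "name": None, "realm": None, "entry": None, "evidence_verified": False, "succeeded": False, "error": None}
            attempts.append(a)
        a["last_seen"] = ts
        if x := re.match(r"X500 principal \[(.+?)\] decoded as name \[(.+?)\]", msg):
            a["dn"], a["name"] = x.groups()          # certificate DN -> realm principal name
        elif x := re.search(r"realm name: \[(.+?)\]", msg):
            a["realm"] = x.group(1)                  # realm chosen by the security domain
        elif x := re.match(r"Found entry \[(.+?)\]", msg):
            a["entry"] = x.group(1)                  # ldap-realm located the identity
        elif "accepted by X509EvidenceVerifier" in msg:
            a["evidence_verified"] = True            # x509-credential-mapper matched the cert
        elif msg.startswith("Authentication succeed for principal"):
            a["succeeded"] = True
    return attempts

def triage(a):
    # Name the stage at which the client-certificate authentication broke down.
    if a["entry"] is None:
        return f"realm lookup: no LDAP entry for {a['name']}"
    if not a["evidence_verified"]:
        return "evidence: client certificate not verified"
    if a["succeeded"] and a["error"]:
        return "handshake rejected after evidence was accepted: " + a["error"]
    return "ok" if a["succeeded"] else "incomplete"
```

Run against the report's full log, the single attempt on `default task-2` comes out as "handshake rejected after evidence was accepted: ELY01112: ...", which separates this failure from a realm or evidence problem.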