Elytron in JMS: Unable to use authenticate with JBOSS-LOCAL-USER ---------------------------------------------------------------- Key: WFLY-8961 URL: https://issues.jboss.org/browse/WFLY-8961 Project: WildFly Issue Type: Feature Request Components: JMS, Security Reporter: Josef Cacek Priority: Major Labels: eap7.1.0-to-prd I'm not able to authenticate to JMS when using JBOSS-LOCAL-USER SASL mechanism. {{ConnectionFactory.createContext()}} call and the client call fails with: {noformat} javax.jms.JMSSecurityRuntimeException: AMQ119031: Unable to validate user {noformat} This issue is similar to JBEAP-10527, but for JBOSS-LOCAL-USER mechanism (compared to DIGEST-MD5 for instance) we don't have a username or password. This problem can be in other SASL mechanisms too (e.g. EXTERNAL - where we authenticate a user with client certificate). Code used for testing: {code:java} AuthenticationContext.empty() .with(MatchRule.ALL, AuthenticationConfiguration.empty().useProvidersFromClassLoader(getClass().getClassLoader()) .setSaslMechanismSelector(SaslMechanismSelector.fromString("JBOSS-LOCAL-USER"))) .run(() -> { try { // ... initialize naming etc. here ConnectionFactory connectionFactory = (ConnectionFactory) namingContext .lookup("jms/RemoteConnectionFactory"); JMSContext context = connectionFactory.createContext(); } catch (NamingException e) { // ... } }); {code} Server log contains: {noformat} 2017-06-08 15:00:07,076 TRACE [org.wildfly.security] (default I/O-4) Handling MechanismInformationCallback type='SASL' name='JBOSS-LOCAL-USER' host-name='localhost' protocol='remote' 2017-06-08 15:00:07,077 TRACE [org.wildfly.security] (default I/O-4) Handling MechanismInformationCallback type='SASL' name='JBOSS-LOCAL-USER' host-name='localhost' protocol='remote' 2017-06-08 15:00:07,077 TRACE [org.wildfly.security] (default I/O-4) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@55b75111] for mechanism [JBOSS-LOCAL-USER] 2017-06-08 15:00:07,083 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = $local 2017-06-08 15:00:07,083 TRACE [org.wildfly.security] (default task-2) Principal assigning: [$local], pre-realm rewritten: [$local], realm name: [local], post-realm rewritten: [$local], realm rewritten: [$local] 2017-06-08 15:00:07,084 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [$local] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [guest] 2017-06-08 15:00:07,084 TRACE [org.wildfly.security] (default task-2) Authorizing principal $local. 2017-06-08 15:00:07,084 TRACE [org.wildfly.security] (default task-2) Authorizing against the following attributes: [] => [] 2017-06-08 15:00:07,084 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [$local] with roles [guest] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true 2017-06-08 15:00:07,095 TRACE [org.wildfly.security] (default task-2) Authorization succeed 2017-06-08 15:00:07,095 TRACE [org.wildfly.security] (default task-2) RunAs authorization succeed - the same identity 2017-06-08 15:00:07,095 TRACE [org.wildfly.security] (default task-2) Handling AuthorizeCallback: authenticationID = $local authorizationID = $local authorized = true 2017-06-08 15:00:07,095 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: succeed 2017-06-08 15:00:07,099 TRACE [org.wildfly.security] (default task-2) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=$local, securityDomain=org.wildfly.security.auth.server.SecurityDomain@24c5501a, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='local', securityRealm=org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm@426b003b}, creationTime=2017-06-08T13:00:07.083Z} 2017-06-08 15:00:07,142 INFO [org.wildfly.naming] (default task-4) WildFly Naming version 1.0.0.Beta16 2017-06-08 15:00:07,908 TRACE [org.wildfly.security] (default I/O-3) Permission mapping: identity [anonymous] with roles [guest] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = false 2017-06-08 15:00:07,920 DEBUG [org.apache.activemq.artemis.core.postoffice.impl.PostOfficeImpl] (default I/O-3) Couldn't find any bindings for address=activemq.notifications on message=ServerMessage[messageID=25,durable=true,userID=null,priority=0, bodySize=512, timestamp=0,expiration=0, durable=true, address=activemq.notifications,properties=TypedProperties[_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_NotifTimestamp=1496926807920]]@1825253250 2017-06-08 15:00:07,920 DEBUG [org.apache.activemq.artemis.core.postoffice.impl.PostOfficeImpl] (default I/O-3) Message ServerMessage[messageID=25,durable=true,userID=null,priority=0, bodySize=512, timestamp=0,expiration=0, durable=true, address=activemq.notifications,properties=TypedProperties[_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_NotifTimestamp=1496926807920]]@1825253250 is not going anywhere as it didn't have a binding on address:activemq.notifications 2017-06-08 15:00:07,924 ERROR [org.apache.activemq.artemis.core.server] (default I/O-3) AMQ224018: Failed to create session: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119031: Unable to validate user] at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:144) at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1283) at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handleCreateSession(ActiveMQPacketHandler.java:156) at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handlePacket(ActiveMQPacketHandler.java:81) at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.handlePacket(ChannelImpl.java:623) at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.doBufferReceived(RemotingConnectionImpl.java:379) at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.bufferReceived(RemotingConnectionImpl.java:362) at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:621) at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:69) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293) at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) at org.xnio.netty.transport.AbstractXnioSocketChannel$ReadListener.handleEvent(AbstractXnioSocketChannel.java:443) at org.xnio.netty.transport.AbstractXnioSocketChannel$ReadListener.handleEvent(AbstractXnioSocketChannel.java:379) at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89) at org.xnio.nio.WorkerThread.run(WorkerThread.java:571) {noformat} [~dlofthouse], [~jmesnil], Is there another way to use these SASL mechanisms (without username and password) to create JMSContext? If not then we should change priority to blocker.