Ondrej Lukas closed WFLY-8125.
------------------------------
Resolution: Rejected
After a deeper look at the issue described in this Jira we found out an issue in our test.
Closing this issue as not a bug.
Programmatically set Elytron AuthenticationContext does not work in application server modules
---------------------------------------------------------------------------------------------
Key: WFLY-8125
URL: https://issues.jboss.org/browse/WFLY-8125
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Ondrej Lukas
Assignee: David Lloyd
Priority: Blocker
Attachments: module-without-wildfly-config-xml-dep.war, module-without-wildfly-config-xml.jar
In case when code inside of any module in the application server executes a management operation through a programmatically configured AuthenticationContext, it does not work correctly.
According to the server log it seems that for some reason it at first authenticates correctly through the programmatically configured AuthenticationContext, but then it tries to reauthenticate through the AuthenticationContext obtained from the application server (if default-authentication-context is set then it is used; otherwise the reauthentication fails completely).
The same type of behavior also occurs when the {{wildfly.config.url}} property is used.
Requesting the blocker flag because this issue breaks an RFE.
Server log (when default-authentication-context is set, see Steps to Reproduce):
{code}
2017-02-15 13:43:30,584 TRACE [org.wildfly.security] (default task-2) getAuthenticationConfiguration uri=remote+http://localhost:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=null, MatchRule=[no user,host=localhost], AuthenticationConfiguration=[TrustManager,NamePrincipal=user2,Credentials,realm=ManagementRealm,host=localhost,port=9990]
2017-02-15 13:43:30,585 TRACE [org.wildfly.security] (default task-2) getAuthenticationConfiguration uri=remote+http://localhost:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=connect, MatchRule=[no user], AuthenticationConfiguration=[TrustManager,NamePrincipal=user2,Credentials,realm=ManagementRealm,host=localhost,port=9990]
2017-02-15 13:43:30,596 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback
2017-02-15 13:43:30,597 TRACE [org.wildfly.security] (management I/O-2) Handling MechanismInformationCallback
2017-02-15 13:43:30,598 TRACE [org.wildfly.security] (management I/O-2) Handling AvailableRealmsCallback: realms = [ManagementRealm]
2017-02-15 13:43:30,607 TRACE [org.wildfly.security] (management task-10) Handling RealmCallback: selected = [ManagementRealm]
2017-02-15 13:43:30,608 TRACE [org.wildfly.security] (management task-10) Handling NameCallback: authenticationName = user2
2017-02-15 13:43:30,610 TRACE [org.wildfly.security] (management task-10) Principal assigning: [user2], pre-realm rewritten: [user2], realm name: [ManagementRealm], post realm rewritten: [user2], realm rewritten: [user2]
2017-02-15 13:43:30,614 TRACE [org.wildfly.security] (management task-10) Handling CredentialCallback: obtained successfully
2017-02-15 13:43:30,615 TRACE [org.wildfly.security] (management task-10) Role mapping: principal [user2] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2017-02-15 13:43:30,616 TRACE [org.wildfly.security] (management task-10) Authorizing principal user2.
2017-02-15 13:43:30,616 TRACE [org.wildfly.security] (management task-10) Authorizing against the following attributes: [groups] => []
2017-02-15 13:43:30,617 TRACE [org.wildfly.security] (management task-10) Permission mapping: identity [user2] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2017-02-15 13:43:30,617 TRACE [org.wildfly.security] (management task-10) Authorization succeed
2017-02-15 13:43:30,617 TRACE [org.wildfly.security] (management task-10) RunAs authorization succeed - the same identity
2017-02-15 13:43:30,617 TRACE [org.wildfly.security] (management task-10) Handling AuthorizeCallback: authenticationID = user2 authorizationID = user2 authorized = true
2017-02-15 13:43:30,618 TRACE [org.wildfly.security] (management task-10) Handling AuthenticationCompleteCallback: succeed
2017-02-15 13:43:30,618 TRACE [org.wildfly.security] (management task-10) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@9b7d11
2017-02-15 13:43:30,640 TRACE [org.wildfly.security] (default task-2) getAuthenticationConfiguration uri=remote+http://localhost:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=null, MatchRule=[no user,host=localhost], AuthenticationConfiguration=[TrustManager,NamePrincipal=user1,realm=ManagementRealm,FilterSaslMechanism allow=true,name=[ DIGEST-MD5 ],Credentials,host=localhost,port=9990]
2017-02-15 13:43:30,641 TRACE [org.wildfly.security] (default task-2) getAuthenticationConfiguration uri=remote+http://localhost:9990, protocolDefaultPort=-1, abstractType=null, abstractTypeAuthority=null, purpose=connect, MatchRule=[no user], AuthenticationConfiguration=[TrustManager,NamePrincipal=user1,realm=ManagementRealm,FilterSaslMechanism allow=true,name=[ DIGEST-MD5 ],Credentials,host=localhost,port=9990]
2017-02-15 13:43:30,652 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback
2017-02-15 13:43:30,653 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback
2017-02-15 13:43:30,653 TRACE [org.wildfly.security] (management I/O-1) Handling AvailableRealmsCallback: realms = [ManagementRealm]
2017-02-15 13:43:30,656 TRACE [org.wildfly.security] (management task-6) Handling RealmCallback: selected = [ManagementRealm]
2017-02-15 13:43:30,656 TRACE [org.wildfly.security] (management task-6) Handling NameCallback: authenticationName = user1
2017-02-15 13:43:30,656 TRACE [org.wildfly.security] (management task-6) Principal assigning: [user1], pre-realm rewritten: [user1], realm name: [ManagementRealm], post realm rewritten: [user1], realm rewritten: [user1]
2017-02-15 13:43:30,656 TRACE [org.wildfly.security] (management task-6) Handling CredentialCallback: obtained successfully
2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Role mapping: principal [user1] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Authorizing principal user1.
2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Authorizing against the following attributes: [groups] => []
2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Permission mapping: identity [user1] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Authorization succeed
2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) RunAs authorization succeed - the same identity
2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Handling AuthorizeCallback: authenticationID = user1 authorizationID = user1 authorized = true
2017-02-15 13:43:30,657 TRACE [org.wildfly.security] (management task-6) Handling AuthenticationCompleteCallback: succeed
2017-02-15 13:43:30,658 TRACE [org.wildfly.security] (management task-6) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@53367941
{code}
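The check a test of this scenario should make explicit, as an added example that is not code from the report, its attachments, or WildFly's own test suite: run the management client under a programmatically built AuthenticationContext and confirm through the {{:whoami}} operation that the server saw the configured identity (user2 from the log above) and not the default-authentication-context identity (user1). Host, port, realm and user names come from the log; the password and the class name are placeholders.

```java
import java.util.concurrent.Callable;

import org.jboss.as.controller.client.ModelControllerClient;
import org.jboss.dmr.ModelNode;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;

// Placeholder class name; values below are taken from the log in this issue,
// except the password, which is a placeholder.
public class ProgrammaticContextIdentityCheck {

    static final String HOST = "localhost";
    static final int PORT = 9990;
    static final String EXPECTED_USER = "user2";            // identity configured in code
    static final char[] PASSWORD = "PLACEHOLDER".toCharArray(); // placeholder, not from the page

    // Build the client-side context in code, as the report describes, instead of
    // relying on wildfly.config.url or default-authentication-context.
    static AuthenticationContext programmaticContext() {
        AuthenticationConfiguration conf = AuthenticationConfiguration.empty()
                .useName(EXPECTED_USER)
                .usePassword(PASSWORD)
                .useRealm("ManagementRealm");
        return AuthenticationContext.empty().with(MatchRule.ALL.matchHost(HOST), conf);
    }

    // Ask the server which identity the operation actually ran as.
    static String whoami(AuthenticationContext ctx) throws Exception {
        Callable<String> call = () -> {
            try (ModelControllerClient client =
                         ModelControllerClient.Factory.create("remote+http", HOST, PORT)) {
                ModelNode op = new ModelNode();
                op.get("operation").set("whoami");
                op.get("address").setEmptyList();
                ModelNode result = client.execute(op);
                if (!"success".equals(result.get("outcome").asString())) {
                    throw new IllegalStateException("whoami failed: " + result);
                }
                return result.get("result").get("identity").get("username").asString();
            }
        };
        return ctx.runCallable(call);
    }

    // Fails if the server re-authenticated under a different identity, which is
    // the symptom (user2 followed by user1) visible in the TRACE log above.
    public static void main(String[] args) throws Exception {
        String actual = whoami(programmaticContext());
        if (!EXPECTED_USER.equals(actual)) {
            throw new AssertionError("expected " + EXPECTED_USER + " but server saw " + actual);
        }
        System.out.println("management operation ran as " + actual);
    }
}
```

Running this with TRACE logging enabled for org.wildfly.security pairs the client-side assertion with the server-side getAuthenticationConfiguration entries, so a second configuration lookup for a different NamePrincipal is visible in the log at the same moment the assertion fails.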