]
Darran Lofthouse commented on ELY-1186:
---------------------------------------
I think it is in one of the RFCs if you have no real assume the server name - but we do
need to fix with with Elytron as I think we should be able to avoid that.
Elytron - authentication fails when a realm name is not specified for
DIGEST-MD5 mechanism on server side
---------------------------------------------------------------------------------------------------------
Key: ELY-1186
URL:
https://issues.jboss.org/browse/ELY-1186
Project: WildFly Elytron
Issue Type: Bug
Reporter: Josef Cacek
Assignee: Darran Lofthouse
Priority: Blocker
When a default configuration is used for DIGEST-MD5 SASL mechanism, then server suggest
hostname as a realm name, but authentication fails because ServerAuthenticationContext
checks mechanism configuration and fails with following exception:
{code}
@Message(id = 1092, value = "Invalid mechanism realm selection
\"%s\"")
IllegalArgumentException invalidMechRealmSelection(String realmName);
{code}
*Suggested fix:*
If the server suggests realm name, then it should be able to consume it. Or if the realm
name is really mandatory, then server should not suggest such a default value. IMO
allowing such a default and simplifying configuration would have positive impact on user
experience.
The full stacktrace (hidden):
{noformat}
javax.security.sasl.SaslException: ELY05053: [DIGEST-MD5] Callback handler failed for
unknown reason [Caused by java.lang.IllegalArgumentException: ELY01092: Invalid mechanism
realm selection "localhost"]
at
org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:105)
at
org.wildfly.security.sasl.digest.AbstractDigestMechanism.getPredigestedSaltedPassword(AbstractDigestMechanism.java:482)
at
org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:259)
at
org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:355)
at
org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
at
org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:328)
at
org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
at
org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
at
org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
at
org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
at
org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: ELY01092: Invalid mechanism realm
selection "localhost"
at
org.wildfly.security.auth.server.ServerAuthenticationContext$InitialState.setMechanismRealmName(ServerAuthenticationContext.java:1615)
at
org.wildfly.security.auth.server.ServerAuthenticationContext.setMechanismRealmName(ServerAuthenticationContext.java:712)
at
org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:927)
at
org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:735)
at
org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.lambda$createSaslServer$0(TrustManagerSaslServerFactory.java:96)
at
org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:101)
... 15 more
{noformat}
Attached also server configuration and WireShark log.