[jboss-jira] [JBoss JIRA] Commented: (JBAS-5815) Bug in DomainServerSocketFactory - SSL clientAuth

Stefan Guilhen (JIRA) jira-events at lists.jboss.org
Tue Sep 23 12:42:24 EDT 2008 

    [ https://jira.jboss.org/jira/browse/JBAS-5815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12430838#action_12430838 ] 

Stefan Guilhen commented on JBAS-5815:
--------------------------------------

Extending RMISSLServerSocketFactory would never be a solution because this factory internally uses the DomainServerSocketFactory as a delegate. The real issue here is that when you do

<mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
      name="jboss:service=invoker,type=jrmp,socketType=SSLSocketFactory,wantsClientAuth=true">
      <attribute name="RMIObjectPort">0</attribute>
      <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory
      </attribute>
      <attribute name="RMIServerSocketFactoryBean"
         attributeClass="org.jboss.security.ssl.RMISSLServerSocketFactory"
         serialDataType="javaBean">
        <property name="bindAddress">${jboss.bind.address}</property>
        <property name="securityDomain">java:/jaas/rmi-ssl</property>
        <property name="wantsClientAuth">true</property>
        <property name="needsClientAuth">true</property>
        <property name="CiperSuites">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property>
        <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property>
      </attribute>
   </mbean>

the securityDomain property must be handled by the SecurityDomainEditor. Absence of this editor will cause the security domain to be null and this is the root of the NPE that has been reported. In other words, when a JRMPInvoker is configured using SSL, the SecurityDomainEditor must be available. However, this doesn't happen when the configuration of the JRMPInvoker is done in conf/jboss-service.xml. Reason:

- SecurityDomainEditor is installed by JaasSecurityManagerService's startService() method. This MBean is located in conf/jboss-service.xml.
- The MBeans configured in this file are first instantiated, and then started according to their dependencies.
- When the JRMPInvoker is instantiated, it tries to use the SecurityDomainEditor to get to the SecurityDomain instace that must be used. This editor is not yet available because JaasSecManagerService has been instantiated but not yet started. As a result, a null security domain is set in RMISSLServerSocketFactory.

A workaround for this would be to configure the JRMPInvoker somewhere else, like deploy/jrmp-invoker-service.xml. This works because when this file gets processed, JaasSecurityManagerService will already have been created and started - and consequently, SecurityDomainEditor will have been installed.

> Bug in DomainServerSocketFactory - SSL clientAuth 
> --------------------------------------------------
>
>                 Key: JBAS-5815
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5815
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>            Reporter: Scott M Stark
>            Assignee: Stefan Guilhen
>             Fix For: JBossAS-5.0.0.GA
>
>
> Daniel Straub <ds at ctrlaltdel.de>  reports:
> I had to enable some settings on the RMISSLServerSocketFactory, but the solution for this - shown in wiki.jboss.org/wiki/JRMPInvoker or JBAS-1983 doesn't work. This ends with a nullpointer exception because the the initialization of securityDomain failed.
> To deal with this, I derive a class from the RMISSLServerSocketFactory like this
> public class ServerSocketFactory extends RMISSLServerSocketFactory {
>    public ServerSocketFactory() {
>        super();
>        setNeedsClientAuth(true);
>        //setWantsClientAuth(false);
>    }
> }
> and use this as RMIServerSocketFactory of the JRMPInvoker. But this solution also doesn't work ;-(
> There is another problem in the DomainServerSocketFactory :
> public ServerSocket createServerSocket(int port, int backlog, InetAddress ifAddress)
>      throws IOException
>   {
>      initSSLContext();
>      SSLServerSocketFactory factory = sslCtx.getServerSocketFactory();
>      SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(port, backlog, ifAddress);
>      SSLSessionContext ctx = sslCtx.getServerSessionContext();
>      System.out.println(ctx);
>      if( log.isTraceEnabled() )
>      {
>         String[] supportedProtocols = socket.getSupportedProtocols();
>         log.debug("Supported protocols: " + Arrays.asList(supportedProtocols));
>         String[] supportedCipherSuites = socket.getSupportedCipherSuites();
>         log.debug("Supported CipherSuites: " + Arrays.asList(supportedCipherSuites));
>      }
>      socket.setNeedClientAuth(needsClientAuth);
>      socket.setWantClientAuth(wantsClientAuth);
>      ...
> - to make a long story short, the "bug" is in the implementation of SSLServerSocket.
> This class uses only one instance variable to store the setting of clientAuth ("doClientAuth").
> socket.setNeedClientAuth(needsClientAuth) set these to the value "2". fine.
> but the next call socket.setWantClientAuth(wantsClientAuth) set these to "1" if wantsClientAuth is true, otherwise to "0".
> in both cases, the first call is override. bad.
> Here is the decompiled class (com.sun.net.ssl.internal.ssl. SSLServerSocketImpl) :
>   ...
>   public void setNeedClientAuth(boolean flag) {
>        doClientAuth = ((byte)(flag ? 2 : 0));
>    }
>    public boolean getNeedClientAuth() {
>        return doClientAuth == 2;
>    }
>    public void setWantClientAuth(boolean flag) {
>        doClientAuth = ((byte)(flag ? 1 : 0));
>    }
>    public boolean getWantClientAuth() {
>        return doClientAuth == 1;
>    }
>    ...
> well, what for a strange implementation ...
> I modified my ServerSockeFactory >
>   @Override
>   public ServerSocket createServerSocket(int port) throws IOException {
>        SSLServerSocket sslSocket = (SSLServerSocket) super.createServerSocket(port);
>        sslSocket.setNeedClientAuth(true);
>        return sslSocket;
>    }
> and now the client authentification works. But can we provide a fix for this problems (initialization of RMISSLServerSocketFactory and SSLServerSocket - e.g if needsClientAuth, why set also wantsClientAuth) ?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list