[jboss-jira] [JBoss JIRA] (WFLY-3626) JAASIdentityManagerImpl reauthenticates on verify(), CallerPrincipal mapping bug
Stuart Douglas (JIRA)
issues at jboss.org
Tue Jul 15 01:26:29 EDT 2014
[ https://issues.jboss.org/browse/WFLY-3626?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stuart Douglas moved UNDERTOW-273 to WFLY-3626:
-----------------------------------------------
Project: WildFly (was: Undertow)
Key: WFLY-3626 (was: UNDERTOW-273)
Issue Type: Bug (was: Feature Request)
Component/s: Web (Undertow) (was: Security)
Security: Public
> JAASIdentityManagerImpl reauthenticates on verify(), CallerPrincipal mapping bug
> --------------------------------------------------------------------------------
>
> Key: WFLY-3626
> URL: https://issues.jboss.org/browse/WFLY-3626
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (Undertow)
> Environment: wildfly-8.1.Final
> Reporter: Juergen H
> Assignee: Stuart Douglas
>
> cf. forum
> org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(Account) - which is called on every request - results in reauthentication of the Account: a performance issue; in my case this includes an LDAP bind.
> Also, if CallerPrincipal mapping is used, the original (LDAP) username that was successfully authenticated via LDAP bind gets mapped to an application username. Account verification reauthenticates with the mapped application username, not the original LDAP username, and therefore fails the LDAP bind and verify.
> So with regards to CallerPrincipal, JAASIdentityManagerImpl.verify(Account) is faulty.
> Injection of JAASIdentityManagerImpl cannot be parameterized, nor can its verify(Account) behaviour.
> As mentioned in the forum thread, my workaround was to replace JAASIdentityManagerImpl after injection with a delegating IdentityManager that does not reauthenticate on verify().
> Replacement happens via means of io.undertow.servlet.ServletExtension as explained in http://undertow.io/documentation/servlet/using-non-blocking-handlers-with-servlet.html
> Sidenote: org.jboss.as.domain.http.server.security.RealmIdentityManager.verify(Account) simply returns account;
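As an added illustration of the workaround described in the report above (this is not the reporter's code, nor code from WildFly or Undertow), the following shows a delegating IdentityManager installed through an Undertow ServletExtension. It assumes Undertow's io.undertow.security.idm.IdentityManager, io.undertow.servlet.ServletExtension and io.undertow.servlet.api.DeploymentInfo APIs as shipped with WildFly 8.1; the class and package names are invented for the example.

```java
// Added example, not the reporter's workaround and not WildFly/Undertow project code.
// Assumes the Undertow IdentityManager / ServletExtension / DeploymentInfo APIs.
package example.security; // hypothetical package name

import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;

import javax.servlet.ServletContext;

/**
 * Registered via META-INF/services/io.undertow.servlet.ServletExtension.
 * Runs at deployment time, after the container has injected its own
 * IdentityManager (JAASIdentityManagerImpl in WildFly 8.1), and wraps it.
 */
public final class NoReauthServletExtension implements ServletExtension {

    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        IdentityManager injected = deploymentInfo.getIdentityManager();
        // Wrap only once and only if the container actually provided a manager.
        if (injected != null && !(injected instanceof NoReauthIdentityManager)) {
            deploymentInfo.setIdentityManager(new NoReauthIdentityManager(injected));
        }
    }

    /**
     * Login (credential-based verify) is delegated unchanged, so the JAAS login
     * module and its LDAP bind still run once per authentication. verify(Account),
     * which Undertow calls on every request for an already-authenticated session,
     * returns the Account the delegate produced instead of re-binding with the
     * mapped CallerPrincipal name.
     */
    static final class NoReauthIdentityManager implements IdentityManager {

        private final IdentityManager delegate;

        NoReauthIdentityManager(IdentityManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public Account verify(Account account) {
            // Trust the account established at login. Trade-off: an account disabled
            // in LDAP after login stays valid until the session ends, which is also the
            // behaviour the report notes for RealmIdentityManager.verify(Account).
            return account;
        }

        @Override
        public Account verify(String id, Credential credential) {
            return delegate.verify(id, credential);
        }

        @Override
        public Account verify(Credential credential) {
            return delegate.verify(credential);
        }
    }
}
```

The per-request re-authentication in JAASIdentityManagerImpl, whatever its cost, is also what would notice a password change or account disablement mid-session; with the delegating manager that check moves to session expiry, so a deployment using this approach should pair it with a session timeout it is comfortable with.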
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)