[jboss-jira] [JBoss JIRA] (ELY-255) Mechanisms using only AuthorizeCallback give an IllegalStateException

Kabir Khan (JIRA) issues at jboss.org
Wed Aug 5 07:47:05 EDT 2015


Kabir Khan created ELY-255:
------------------------------

             Summary: Mechanisms using only AuthorizeCallback give an IllegalStateException
                 Key: ELY-255
                 URL: https://issues.jboss.org/browse/ELY-255
             Project: WildFly Elytron
          Issue Type: Feature Request
          Components: SASL
            Reporter: Kabir Khan
            Assignee: Kabir Khan
             Fix For: 1.0.0.Alpha4


Trying to port the Gs2Test to use the CBH from ServerAuthenticationContext

{code}
		javax.security.sasl.SaslException: ELY05053: [GS2-KRB5] Callback handler failed for unknown reason [Caused by java.lang.IllegalStateException: ELY01003: No authentication is in progress]
		at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:102)
		at org.wildfly.security.sasl.util.AbstractSaslParticipant.handleCallbacks(AbstractSaslParticipant.java:83)
		at org.wildfly.security.sasl.gs2.Gs2SaslServer.checkAuthorizationID(Gs2SaslServer.java:291)
		at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:210)
		at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:177)
		at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
		at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
		at org.wildfly.security.sasl.gs2.Gs2Test$5.run(Gs2Test.java:564)
		at org.wildfly.security.sasl.gs2.Gs2Test$5.run(Gs2Test.java:562)
		at java.security.AccessController.doPrivileged(Native Method)
		at javax.security.auth.Subject.doAs(Subject.java:422)
		at org.wildfly.security.sasl.gs2.Gs2Test.evaluateResponse(Gs2Test.java:562)
		at org.wildfly.security.sasl.gs2.Gs2Test.testKrb5AuthenticationWithoutChannelBinding(Gs2Test.java:204)
		at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
		at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
		at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
		at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
		at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
		at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
		at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
		at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
		at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
		at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
		at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
		at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
		at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
		at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
		at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
		at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
		at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
		at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
		at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:68)
		Caused by: java.lang.IllegalStateException: ELY01003: No authentication is in progress
		at org.wildfly.security.auth.server.ServerAuthenticationContext.authorize(ServerAuthenticationContext.java:341)
		at org.wildfly.security.auth.server.ServerAuthenticationContext$2.handleOne(ServerAuthenticationContext.java:542)
		at org.wildfly.security.auth.server.ServerAuthenticationContext$2.handle(ServerAuthenticationContext.java:531)
		at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:98)
		... 36 more
{code}

		Basically the authorize() call does not happen in the test CBH
		and the state machine is in the wrong state
		all that is passed in is an AuthorizeCallback
		not sure what it should really be doing
		so unless you know off the top of your head, I'll ask her
[12:48] Darran Lofthouse: Farah worked through the specs on that one - GSSAPI may also have a similar issue
[12:49] Darran Lofthouse: Off the top of my head - I think we are going to have to cope with just an AuthorizeCallback - if we receive that when no NameCallback has been provided then we need to pull the authentication name from the AuthorizeCallback
		I don't think we can force mechanisms to pass in a NameCallback if they don't need it
[12:50] Kabir Khan: So the NameCallback is what would normally put it in the right state?
[12:50] Darran Lofthouse: yeah - but I don't think it is correct to force the mech to use that
		I think this is just a case the CBH is going to have to handle
		non-Elytron mechanisms could be used and there is no guarantee they would pass in a NameCallback
[12:51] Kabir Khan: ok, so in ServerAuthenticationContext, if it is in the wrong state, do whatever NameCallback does to put it in the right state, and then try again?
[12:52] Darran Lofthouse: essentially yeah I think that is the best approach - the name you want is the authentication ID from the callback - that is the same as the one in the NameCallback generally anyway
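The approach agreed in the exchange above, shown as an added Java illustration that is not Elytron code and not part of the original ticket: a stand-alone `javax.security` `CallbackHandler` whose state machine, on receiving an `AuthorizeCallback` with no preceding `NameCallback`, performs the same transition a `NameCallback` would and takes the authentication name from `AuthorizeCallback.getAuthenticationID()`, then checks that the authorization request is consistent with the identity that was actually authenticated. The class name `LenientAuthorizeHandler`, the `State` enum, the `knownUsers` set and the sample identities are all constructed for this example; Elytron's `ServerAuthenticationContext` has a different API and is not reproduced here.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;

/**
 * Hypothetical server-side callback handler (not Elytron's ServerAuthenticationContext).
 * A SASL mechanism such as GS2 or GSSAPI may deliver an AuthorizeCallback without ever
 * sending a NameCallback, so instead of failing with "No authentication is in progress"
 * the handler enters that state from the callback's own authentication ID.
 */
public final class LenientAuthorizeHandler implements CallbackHandler {

    private enum State { INITIAL, ASSIGNED, COMPLETE }

    private final Set<String> knownUsers;   // constructed stand-in for a security realm
    private State state = State.INITIAL;
    private String authenticationName;

    public LenientAuthorizeHandler(Set<String> knownUsers) {
        this.knownUsers = knownUsers;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                String name = nc.getName() != null ? nc.getName() : nc.getDefaultName();
                if (!beginAuthentication(name)) {
                    throw new IOException("Unknown user: " + name);
                }
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                if (state == State.INITIAL && !beginAuthentication(ac.getAuthenticationID())) {
                    // No NameCallback was seen and the mechanism-supplied identity is unknown:
                    // deny the authorization rather than throwing out of the handler.
                    ac.setAuthorized(false);
                    continue;
                }
                authorize(ac);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** What handling a NameCallback normally does: fix the name and move to ASSIGNED. */
    private boolean beginAuthentication(String name) {
        if (state != State.INITIAL) {
            throw new IllegalStateException("Authentication name already assigned");
        }
        if (name == null || name.isEmpty() || !knownUsers.contains(name)) {
            return false;
        }
        authenticationName = name;
        state = State.ASSIGNED;
        return true;
    }

    private void authorize(AuthorizeCallback ac) {
        if (state != State.ASSIGNED) {
            throw new IllegalStateException("No authentication is in progress");
        }
        // The mechanism's authentication ID must match the name already in progress, and this
        // toy policy only lets a user act as itself (empty or identical authorization ID).
        String requested = ac.getAuthorizationID();
        boolean sameUser = requested == null || requested.isEmpty() || requested.equals(authenticationName);
        boolean consistent = authenticationName.equals(ac.getAuthenticationID());
        ac.setAuthorized(sameUser && consistent);
        if (ac.isAuthorized()) {
            ac.setAuthorizedID(authenticationName);
            state = State.COMPLETE;
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> users = new HashSet<>(Arrays.asList("alice", "bob"));   // constructed sample identities

        // GS2-style mechanism: an AuthorizeCallback arrives with no NameCallback before it.
        AuthorizeCallback onlyAuthorize = new AuthorizeCallback("alice", "alice");
        new LenientAuthorizeHandler(users).handle(new Callback[] { onlyAuthorize });
        System.out.println("AuthorizeCallback only: authorized=" + onlyAuthorize.isAuthorized());

        // Mechanism that sends a NameCallback first; a later AuthorizeCallback naming a different
        // authenticated identity is rejected instead of silently switching users.
        LenientAuthorizeHandler h = new LenientAuthorizeHandler(users);
        NameCallback nc = new NameCallback("User name: ");
        nc.setName("bob");
        h.handle(new Callback[] { nc });
        AuthorizeCallback mismatch = new AuthorizeCallback("alice", "bob");
        h.handle(new Callback[] { mismatch });
        System.out.println("NameCallback then inconsistent AuthorizeCallback: authorized=" + mismatch.isAuthorized());
    }
}
```

The point of the second scenario in `main` is the caveat behind "that is the same as the one in the NameCallback generally anyway": when both callbacks are present, a handler should verify they agree rather than assume it, otherwise a mechanism bug could authorize a different identity than the one that was authenticated.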



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

