[jboss-jira] [JBoss JIRA] (WFLY-7349) configurable-sasl-server-factory cannot set mechanism information
Jan Kalina (JIRA)
issues at jboss.org
Wed Oct 19 11:11:00 EDT 2016
[ https://issues.jboss.org/browse/WFLY-7349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Kalina updated WFLY-7349:
-----------------------------
Description:
sasl-authentication-factory and sasl-server-factory create a chain of SaslServerFactories - for example, ServerNameSaslServerFactory only delegates creation to the following factory in the chain, but with rewriting of the server name.
In this chain is also *SetMechanismInformationSaslServerFactory*, which calls the callback handler to send MechanismInformation into ServerAuthenticationContext - there it will cause a state change from InactiveState to InitialState.
*The problem is,* if the configurable-sasl-server-factory is used, the *SetMechanismInformationSaslServerFactory* is in the chain twice. The first occurrence (by sasl-authentication-factory) will cause the state change to InitialState, but before the serverName+protocol is overridden by the SaslServerFactories following in the chain. The second occurrence (by configurable-sasl-server-factory) already has serverName+protocol set, but because the ServerAuthenticationContext is already in InitialState, the exception "Too late to set" is thrown and createSaslServer returns null - it fails completely.
The chain of SaslServerFactories:
{code:java}
AuthenticationTimeoutSSF
TrustManagerSSF
AuthenticationCompleteSSF
SetMechanismInformationSSF => cbh => InactiveState -> InitialState(undefined, null)
ServerNameSSF
ProtocolSSF
SetMechanismInformationSSF => cbh => "Too late to set" => return null
SecurityProviderSSF
{code}
Will have to discuss yet how to correctly solve this... (maybe consider allowing of multiple MechanismInformation setting? In current design the sasl-authentication-factory cannot detect the configurable-sasl-server-factory WILL change the MechanismInformation yet...)
was:
sasl-authentication-factory and sasl-server-factory create a chain of SaslServerFactories - for example, ServerNameSaslServerFactory only delegates creation to the following with rewriting of the server name.
In this chain is also *SetMechanismInformationSaslServerFactory*, which only calls the callback handler to send MechanismInformation into ServerAuthenticationContext - there it will cause a state change from InactiveState to InitialState.
*The problem is,* if the configurable-sasl-server-factory is used, the *SetMechanismInformationSaslServerFactory* is in the chain twice. The first occurrence (by sasl-authentication-factory) will cause the state change to InitialState, but before the serverName+protocol is overridden by the SaslServerFactories following in the chain. The second occurrence (by configurable-sasl-server-factory) already has serverName+protocol set, but because the ServerAuthenticationContext is already in InitialState, the exception "Too late to set" is thrown and createSaslServer returns null - it fails completely.
The chain of SaslServerFactories:
{code:java}
AuthenticationTimeoutSSF
TrustManagerSSF
AuthenticationCompleteSSF
SetMechanismInformationSSF => cbh => InactiveState -> InitialState(undefined, null)
ServerNameSSF
ProtocolSSF
SetMechanismInformationSSF => cbh => "Too late to set" => return null
SecurityProviderSSF
{code}
Will have to discuss yet how to correctly solve this... (maybe consider allowing of multiple MechanismInformation setting? In current design the sasl-authentication-factory cannot detect the configurable-sasl-server-factory WILL change the MechanismInformation yet...)
> configurable-sasl-server-factory cannot set mechanism information
> -----------------------------------------------------------------
>
> Key: WFLY-7349
> URL: https://issues.jboss.org/browse/WFLY-7349
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Jan Kalina
> Assignee: Jan Kalina
> Attachments: sasl-test.xml, SaslTestCase.java
>
>
> sasl-authentication-factory and sasl-server-factory create a chain of SaslServerFactories - for example, ServerNameSaslServerFactory only delegates creation to the following factory in the chain, but with rewriting of the server name.
> In this chain is also *SetMechanismInformationSaslServerFactory*, which calls the callback handler to send MechanismInformation into ServerAuthenticationContext - there it will cause a state change from InactiveState to InitialState.
> *The problem is,* if the configurable-sasl-server-factory is used, the *SetMechanismInformationSaslServerFactory* is in the chain twice. The first occurrence (by sasl-authentication-factory) will cause the state change to InitialState, but before the serverName+protocol is overridden by the SaslServerFactories following in the chain. The second occurrence (by configurable-sasl-server-factory) already has serverName+protocol set, but because the ServerAuthenticationContext is already in InitialState, the exception "Too late to set" is thrown and createSaslServer returns null - it fails completely.
> The chain of SaslServerFactories:
> {code:java}
> AuthenticationTimeoutSSF
> TrustManagerSSF
> AuthenticationCompleteSSF
> SetMechanismInformationSSF => cbh => InactiveState -> InitialState(undefined, null)
> ServerNameSSF
> ProtocolSSF
> SetMechanismInformationSSF => cbh => "Too late to set" => return null
> SecurityProviderSSF
> {code}
> Will have to discuss yet how to correctly solve this... (maybe consider allowing of multiple MechanismInformation setting? In current design the sasl-authentication-factory cannot detect the configurable-sasl-server-factory WILL change the MechanismInformation yet...)
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
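
The failure described in the report can be reproduced in a small stand-alone model. This is an added example, not code from the message or from WildFly Elytron: `Factory`, `Context` and the sample values `server1` and `remote` are hypothetical stand-ins for the SaslServerFactory chain and ServerAuthenticationContext, and `single()` is only a contrast case, not the project's fix.

```java
// Simplified model of the chain in WFLY-7349. All names are hypothetical, not Elytron classes.
public class SaslChainModel {
    interface Factory { String create(String protocol, String serverName, Context ctx); }

    // Stands in for ServerAuthenticationContext: mechanism information
    // is accepted only while the context is still inactive.
    static class Context {
        String state = "InactiveState";
        String info;
        void setMechanismInformation(String protocol, String serverName) {
            if (!state.equals("InactiveState")) throw new IllegalStateException("Too late to set");
            state = "InitialState";
            info = protocol + "@" + serverName;
        }
    }

    // Delegating factories that only rewrite one argument before calling the next factory.
    static Factory serverName(String name, Factory next) { return (p, s, c) -> next.create(p, name, c); }
    static Factory protocol(String proto, Factory next) { return (p, s, c) -> next.create(proto, s, c); }

    // Reports the values it currently sees; a rejected report makes the whole creation return null.
    static Factory setMechanismInformation(Factory next) {
        return (p, s, c) -> {
            try { c.setMechanismInformation(p, s); }
            catch (IllegalStateException e) { return null; }
            return next.create(p, s, c);
        };
    }

    // End of the chain: builds the "server" from whatever the context recorded.
    static final Factory PROVIDER = (p, s, c) -> "SaslServer[" + c.info + "]";

    // Order from the report: the reporting factory sits both before and after the overrides.
    static String duplicated() {
        Factory chain = setMechanismInformation(serverName("server1", protocol("remote",
                setMechanismInformation(PROVIDER))));
        return chain.create(null, null, new Context());
    }

    // Contrast case: one reporting factory, placed after the overrides.
    static String single() {
        Factory chain = serverName("server1", protocol("remote", setMechanismInformation(PROVIDER)));
        return chain.create(null, null, new Context());
    }

    public static void main(String[] args) {
        System.out.println("duplicated: " + duplicated());
        System.out.println("single:     " + single());
    }
}
```

In `duplicated()` the first report locks the context with unset values, so the second report, which carries the overridden server name and protocol, is rejected and creation returns null.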