[jboss-jira] [JBoss JIRA] (WFCORE-2615) Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration

David Lloyd (JIRA) issues at jboss.org
Thu Apr 6 09:13:01 EDT 2017


    [ https://issues.jboss.org/browse/WFCORE-2615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13390183#comment-13390183 ] 

David Lloyd commented on WFCORE-2615:
-------------------------------------

* How is the "list of all known mechanisms" created? Is it the list of mechanisms provided by the server? Or is it hard-coded somewhere in the client?

It's derived from all the available mechanism implementations that are detected by the providers on that system.  When a client performs authentication, it starts with the intersection set between the locally available mechanisms and the list of mechanisms offered by the server.

* We understand that allowing some mechanisms which are not supported by the configuration can be useful for standalone clients (e.g. the CLI can ask the user for a password), but is there any scenario where it is useful for authentication-configuration in the Elytron subsystem?

It's related to outbound authentication, so theoretically any use case on the CLI is also valid here (consider app client for example).  Note that the current behavior is based on one simple criterion: getting the tests to pass.

* Is there any way to enforce usage of a single concrete SASL mechanism?

I think you can only forbid all the other mechanisms right now, meaning you need the full list of them to do it.

* What should the order of tried SASL mechanisms be? Is it defined somewhere, or is it random? Should SASL mechanisms from allow-sasl-mechanisms have higher priority than other known mechanisms?

The order that clients try SASL mechanisms is currently based on the order that they are presented by the server.  There is no mechanism to reorder them.

> Attribute allow-sasl-mechanisms is ignored in Elytron Authentication Configuration
> ----------------------------------------------------------------------------------
>
>                 Key: WFCORE-2615
>                 URL: https://issues.jboss.org/browse/WFCORE-2615
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 3.0.0.Beta10
>            Reporter: Ondrej Lukas
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>         Attachments: dep.war, wireshark.pcapng
>
>
> When the attribute allow-sasl-mechanisms from Elytron Authentication Configuration includes some SASL mechanisms, this attribute (and the mechanisms configured there) is not taken into account when choosing the SASL mechanism. It means that the client tries to use all of the mechanisms allowed on the server side even if the client does not allow them, e.g. when the server side allows DIGEST-MD5 and JBOSS-LOCAL-USER and the client side allows PLAIN, then it tries to use the DIGEST-MD5 and JBOSS-LOCAL-USER mechanisms.
> See the log from wireshark in the attachments. This is the log for the server configured through "Steps to Reproduce".
> This also happens when using allow-sasl-mechanisms from the wildfly config and also for a programmatically configured client.
> We request blocker since it allows the use of some SASL mechanisms even if they are not allowed on the client side.
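The selection rules David describes above (intersection with the locally available mechanisms, server-presented order, forbidding all other mechanisms to pin a single one) and the reporter's scenario, modelled in Python as an added example that is not Elytron's or WildFly's code; the mechanism names and sets are constructed sample inputs.

```python
# Added example, not Elytron's code: a model of client-side SASL mechanism
# selection as described in the comment, used to show what an ignored
# allow-sasl-mechanisms list does and how to pin a single mechanism today.

# Constructed sample inputs: what the server offers and what the client has
# mechanism implementations for.
SERVER_OFFERED = ["DIGEST-MD5", "JBOSS-LOCAL-USER", "PLAIN"]
LOCAL_AVAILABLE = {"PLAIN", "DIGEST-MD5", "JBOSS-LOCAL-USER", "SCRAM-SHA-256"}


def candidate_mechanisms(server_offered, local_available, allowed=None,
                         forbidden=(), honor_allow_list=True):
    """Return the mechanisms the client will try, in the order the server
    presented them (the client does not reorder).

    allowed:   the allow-sasl-mechanisms list, or None for "all known".
    forbidden: the forbid list; always applied.
    honor_allow_list=False reproduces the WFCORE-2615 behaviour, where the
    allow list is ignored."""
    candidates = []
    for mech in server_offered:            # server order is preserved
        if mech not in local_available:    # intersection with local implementations
            continue
        if mech in forbidden:
            continue
        if honor_allow_list and allowed is not None and mech not in allowed:
            continue
        candidates.append(mech)
    return candidates


def violates_client_policy(tried, allowed):
    """Check to run over a capture or client log: report every mechanism the
    client attempted that its own allow list did not permit."""
    if allowed is None:
        return []
    return [m for m in tried if m not in allowed]


if __name__ == "__main__":
    # Reporter's scenario: server offers DIGEST-MD5 and JBOSS-LOCAL-USER, client allows PLAIN.
    offered = ["DIGEST-MD5", "JBOSS-LOCAL-USER"]
    buggy = candidate_mechanisms(offered, LOCAL_AVAILABLE, {"PLAIN"}, honor_allow_list=False)
    fixed = candidate_mechanisms(offered, LOCAL_AVAILABLE, {"PLAIN"})
    print("buggy:", buggy, "violations:", violates_client_policy(buggy, {"PLAIN"}))
    print("fixed:", fixed)  # empty: nothing permitted, so authentication cannot proceed
    # Pinning one mechanism today: forbid every other known mechanism.
    only_digest = candidate_mechanisms(SERVER_OFFERED, LOCAL_AVAILABLE,
                                       forbidden=LOCAL_AVAILABLE - {"DIGEST-MD5"})
    print("forbid-all-others:", only_digest)
```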



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)