[jboss-jira] [JBoss JIRA] (ELY-978) MechanismInformationCallback blocks certificate based authn (Undertow with Elytron)
Ondrej Kotek (JIRA)
issues at jboss.org
Thu Feb 23 08:32:00 EST 2017
[ https://issues.jboss.org/browse/ELY-978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Kotek moved JBEAP-9074 to ELY-978:
-----------------------------------------
Project: WildFly Elytron (was: JBoss Enterprise Application Platform)
Key: ELY-978 (was: JBEAP-9074)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: HTTP (was: Security)
Affects Version/s: 1.1.0.Beta26 (was: 7.1.0.DR12)
> MechanismInformationCallback blocks certificate based authn (Undertow with Elytron)
> -----------------------------------------------------------------------------------
>
> Key: ELY-978
> URL: https://issues.jboss.org/browse/ELY-978
> Project: WildFly Elytron
> Issue Type: Bug
> Components: HTTP
> Affects Versions: 1.1.0.Beta26
> Reporter: Ondrej Kotek
> Priority: Blocker
> Labels: authentication, eap71_alpha, http, ssl
>
> It is not possible to set up authentication based on certificates. Following the community documentation [1,2] to set up 2-way SSL for apps and certificate-based auth, everything works as expected until a client with the {{client}} certificate tries to access a protected resource that should be accessible. Such a resource returns 403 Forbidden instead of 200 OK. Trace log:
> {noformat}
> 13:31:15,565 TRACE [org.wildfly.security] (default task-33) Evidence verification: evidence = org.wildfly.security.evidence.X509PeerCertificateChainEvidence at 42d7e114 evidencePrincipal = CN=client
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Principal assigning: [CN=client], pre-realm rewritten: [client], realm name: [ksRealm], post realm rewritten: [client], realm rewritten: [client]
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Evidence verification succeed for alias [client]
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Role mapping: principal [client] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [Guest, Admin]
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorizing principal client.
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorizing against the following attributes: [] => []
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Permission mapping: identity [client] with roles [Guest, Admin] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authorization succeed
> 13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authentication succeed for principal [CN=client]
> 13:31:15,573 TRACE [org.wildfly.security] (default task-34) Handling MechanismInformationCallback
> 13:31:15,574 TRACE [org.wildfly.security] (default task-34) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost', protocol='https'.
> {noformat}
> The last message comes from {{ServerAuthenticationContext}} [3].
> [1] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#UsingtheElytronSubsystem-EnableTwoWaySSL%2FTLSinWildFlyforApplications
> [2] https://docs.jboss.org/author/display/WFLY/Using+the+Elytron+Subsystem#UsingtheElytronSubsystem-ConfigureAuthenticationwithCertificates
> [3] https://github.com/wildfly-security/wildfly-elytron/blob/6e4dad322ab0421522979448ea18801c2832791c/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L904
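A log check for the failure signature described in the report, added here as an example and not part of the issue or of Elytron: it walks trace lines in the format quoted above, records principals whose authentication already succeeded, and for each ELY01119 message extracts the selector attributes (mechanismType, mechanismName, hostName, protocol) that no MechanismConfiguration matched. The sample trace is a constructed excerpt of the lines quoted in the issue.

```python
import re

# Constructed sample: trimmed from the trace excerpt quoted in ELY-978.
SAMPLE_TRACE = """\
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Evidence verification succeed for alias [client]
13:31:15,566 TRACE [org.wildfly.security] (default task-33) Authentication succeed for principal [CN=client]
13:31:15,573 TRACE [org.wildfly.security] (default task-34) Handling MechanismInformationCallback
13:31:15,574 TRACE [org.wildfly.security] (default task-34) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost', protocol='https'.
"""

# "HH:MM:SS,mmm LEVEL [logger] (thread) message", as in the quoted trace.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) \[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
AUTH_OK_RE = re.compile(r"Authentication succeed for principal \[(?P<principal>[^\]]+)\]")
ELY01119_RE = re.compile(r"ELY01119: Unable to resolve MechanismConfiguration for (?P<kv>.*)\.$")
KV_RE = re.compile(r"(\w+)='([^']*)'")  # key='value' pairs inside the ELY01119 message


def find_unresolved_mechanisms(trace: str) -> list:
    """Return one record per ELY01119 failure: when/where it happened, the
    mechanism selector attributes it carried, and which principals had
    already passed authentication before the callback was handled."""
    authenticated = []
    findings = []
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a trace line in the expected format
        msg = m.group("msg")
        ok = AUTH_OK_RE.search(msg)
        if ok:
            authenticated.append(ok.group("principal"))
            continue
        fail = ELY01119_RE.search(msg)
        if fail:
            findings.append({
                "time": m.group("ts"),
                "thread": m.group("thread"),
                "attrs": dict(KV_RE.findall(fail.group("kv"))),
                "authenticated_before": list(authenticated),
            })
    return findings


if __name__ == "__main__":
    for f in find_unresolved_mechanisms(SAMPLE_TRACE):
        print(f["time"], f["thread"], f["attrs"], "after:", f["authenticated_before"])
```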