[jboss-jira] [JBoss JIRA] (ELY-1217) Unable to define realm-mapping for TrustManager based auth

Jan Kalina (JIRA) issues at jboss.org
Thu Jun 1 12:52:00 EDT 2017


     [ https://issues.jboss.org/browse/ELY-1217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina moved JBEAP-11284 to ELY-1217:
-----------------------------------------

              Project: WildFly Elytron  (was: JBoss Enterprise Application Platform)
                  Key: ELY-1217  (was: JBEAP-11284)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: SSL
                           (was: Security)
    Affects Version/s: 1.1.0.Beta48
                           (was: 7.1.0.DR19)


> Unable to define realm-mapping for TrustManager based auth
> ----------------------------------------------------------
>
>                 Key: ELY-1217
>                 URL: https://issues.jboss.org/browse/ELY-1217
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.1.0.Beta48
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Blocker
>
> For SASL and HTTP mechanisms it is possible to define *realm-mapping* as part of **-authentication-factory*. But this cannot be used for the EXTERNAL/CLIENT_CERT mechanism, because *ServerAuthenticationContext* is not constructed by the mechanism but by *SecurityDomainTrustManager* - without relation to any **-authentication-factory*.
> It can be misleading for the user that the *EXTERNAL* mechanism is present in *sasl-authentication-factory*, but if *realm-mapper* is defined here, it is ignored (because SSL authentication finishes before any SASL is initiated):
> {code:xml}
> <sasl-authentication-factory name="client-cert-digest" sasl-server-factory="configured" security-domain="client-cert-domain">
>     <mechanism-configuration>
>         <mechanism mechanism-name="EXTERNAL" realm-mapper="key-store-realm"/>
>     </mechanism-configuration>
> </sasl-authentication-factory>
> {code}
> Adding a way to pass *realm-mapper* into SSL authentication should be considered - maybe add a *realm-mapper* attribute to the *server-ssl-context* definition?
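
A configuration check for the pitfall described in the issue, as an added example (not part of the original message and not Elytron code): it lists every `realm-mapper` set on an EXTERNAL or CLIENT_CERT mechanism inside a `*-authentication-factory`, which the issue reports as ignored in the affected version. The function names, the sample namespace and every sample entry other than the factory quoted in the issue are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Mechanisms the issue names as certificate-based (decided during the TLS handshake).
TLS_BOUND = {"EXTERNAL", "CLIENT_CERT"}
FACTORY_TAGS = {"sasl-authentication-factory", "http-authentication-factory"}


def local_name(tag):
    """Drop the XML namespace: '{urn:...}mechanism' -> 'mechanism'."""
    return tag.rsplit("}", 1)[-1]


def find_ignored_realm_mappers(xml_text):
    """Return (factory, mechanism, realm-mapper) for every realm-mapper
    set on an EXTERNAL/CLIENT_CERT mechanism of an authentication factory."""
    findings = []
    # Meant for your own configuration files; do not feed it untrusted XML.
    for factory in ET.fromstring(xml_text).iter():
        if local_name(factory.tag) not in FACTORY_TAGS:
            continue
        for mech in factory.iter():
            if local_name(mech.tag) != "mechanism":
                continue
            name = mech.get("mechanism-name", "")
            mapper = mech.get("realm-mapper")
            if name.upper() in TLS_BOUND and mapper:
                findings.append((factory.get("name"), name, mapper))
    return findings


# Constructed sample: the first factory is the one from the issue; the
# namespace and the other entries are made up for illustration.
SAMPLE = """<subsystem xmlns="urn:example:elytron">
  <sasl-authentication-factory name="client-cert-digest" sasl-server-factory="configured" security-domain="client-cert-domain">
    <mechanism-configuration>
      <mechanism mechanism-name="EXTERNAL" realm-mapper="key-store-realm"/>
      <mechanism mechanism-name="DIGEST-MD5" realm-mapper="digest-mapper"/>
    </mechanism-configuration>
  </sasl-authentication-factory>
  <http-authentication-factory name="client-cert-http" security-domain="client-cert-domain">
    <mechanism-configuration>
      <mechanism mechanism-name="CLIENT_CERT" realm-mapper="cert-mapper"/>
      <mechanism mechanism-name="BASIC"/>
    </mechanism-configuration>
  </http-authentication-factory>
</subsystem>"""

if __name__ == "__main__":
    for factory, mech, mapper in find_ignored_realm_mappers(SAMPLE):
        print(f"{factory}: realm-mapper '{mapper}' on {mech} is ignored")
```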


