[jboss-jira] [JBoss JIRA] (WFCORE-2898) Unable to define realm-mapping for TrustManager based auth

Jan Kalina (JIRA) issues at jboss.org
Thu Jun 1 12:56:00 EDT 2017


     [ https://issues.jboss.org/browse/WFCORE-2898?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina moved JBEAP-11285 to WFCORE-2898:
--------------------------------------------

              Project: WildFly Core  (was: JBoss Enterprise Application Platform)
                  Key: WFCORE-2898  (was: JBEAP-11285)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Security
                           (was: Security)
    Affects Version/s: 3.0.0.Beta23
                           (was: 7.1.0.DR19)


> Unable to define realm-mapping for TrustManager based auth
> ----------------------------------------------------------
>
>                 Key: WFCORE-2898
>                 URL: https://issues.jboss.org/browse/WFCORE-2898
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 3.0.0.Beta23
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Blocker
>
> For SASL and HTTP mechanisms it is possible to define *realm-mapping* as part of **-authentication-factory*. But this cannot be used for the EXTERNAL/CLIENT_CERT mechanism, because *ServerAuthenticationContext* is not constructed by the mechanism but by *SecurityDomainTrustManager* - without relation to any **-authentication-factory*.
> It can be misleading for the user that the *EXTERNAL* mechanism is present in *sasl-authentication-factory*, but if *realm-mapper* is defined here, it is ignored (because SSL authentication finishes before any SASL is initiated):
> {code:xml}
> <sasl-authentication-factory name="client-cert-digest" sasl-server-factory="configured" security-domain="client-cert-domain">
>     <mechanism-configuration>
>         <mechanism mechanism-name="EXTERNAL" realm-mapper="key-store-realm"/>
>     </mechanism-configuration>
> </sasl-authentication-factory>
> {code}
> Adding a way to pass *realm-mapper* into SSL authentication should be considered - maybe add a *realm-mapper* attribute to the *server-ssl-context* definition?



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

