[jboss-jira] [JBoss JIRA] (ELY-1186) Elytron - authentication fails when a realm name is not specified for DIGEST-MD5 mechanism on server side

David Lloyd (JIRA) issues at jboss.org
Mon Jun 12 09:40:01 EDT 2017 

    [ https://issues.jboss.org/browse/ELY-1186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13419558#comment-13419558 ] 

David Lloyd commented on ELY-1186:
----------------------------------

What if the mechanism treated the fallback/host-name realm as a "no realm"?

In org.wildfly.security.sasl.digest.DigestServerFactory#createSaslServer we could set a flag that is sent to DigestSaslServer which indicates that only the host-name realm was added, so the javax.security.sasl.RealmCallback should never be called.

This does mean that the server will have to rely on using DigestPasswordAlgorithmSpec to get a realm-specific credential, but I think this is OK in ths case.

WDYT?

> Elytron - authentication fails when a realm name is not specified for DIGEST-MD5 mechanism on server side
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: ELY-1186
>                 URL: https://issues.jboss.org/browse/ELY-1186
>             Project: WildFly Elytron
>          Issue Type: Bug
>            Reporter: Josef Cacek
>            Assignee: Darran Lofthouse
>            Priority: Blocker
>
> When a default configuration is used for DIGEST-MD5 SASL mechanism, then server suggest hostname as a realm name, but authentication fails because ServerAuthenticationContext checks mechanism configuration and fails with following exception:
> {code}
> @Message(id = 1092, value = "Invalid mechanism realm selection \"%s\"")
> IllegalArgumentException invalidMechRealmSelection(String realmName);
> {code}
> *Suggested fix:*
> If the server suggests realm name, then it should be able to consume it. Or if the realm name is really mandatory, then server should not suggest such a default value. IMO allowing such a default and simplifying configuration would have positive impact on user experience.
> The full stacktrace (hidden):
> {noformat}
>  javax.security.sasl.SaslException: ELY05053: [DIGEST-MD5] Callback handler failed for unknown reason [Caused by java.lang.IllegalArgumentException: ELY01092: Invalid mechanism realm selection "localhost"]
>          at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:105)
>          at org.wildfly.security.sasl.digest.AbstractDigestMechanism.getPredigestedSaltedPassword(AbstractDigestMechanism.java:482)
>          at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:259)
>          at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:355)
>          at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
>          at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:328)
>          at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
>          at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
>          at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
>          at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
>          at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
>          at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:470)
>          at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
>          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>          at java.lang.Thread.run(Thread.java:748)
>  Caused by: java.lang.IllegalArgumentException: ELY01092: Invalid mechanism realm selection "localhost"
>          at org.wildfly.security.auth.server.ServerAuthenticationContext$InitialState.setMechanismRealmName(ServerAuthenticationContext.java:1615)
>          at org.wildfly.security.auth.server.ServerAuthenticationContext.setMechanismRealmName(ServerAuthenticationContext.java:712)
>          at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:927)
>          at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:735)
>          at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.lambda$createSaslServer$0(TrustManagerSaslServerFactory.java:96)
>          at org.wildfly.security.sasl.util.AbstractSaslParticipant.tryHandleCallbacks(AbstractSaslParticipant.java:101)
>          ... 15 more
> {noformat}
> Attached also server configuration and WireShark log.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list