[jboss-jira] [JBoss JIRA] (WFLY-8961) Elytron in JMS: Unable to use authenticate with JBOSS-LOCAL-USER

Josef Cacek (JIRA) issues at jboss.org
Mon Jun 19 17:00:00 EDT 2017 

Josef Cacek created WFLY-8961:
---------------------------------

             Summary: Elytron in JMS: Unable to use authenticate with JBOSS-LOCAL-USER
                 Key: WFLY-8961
                 URL: https://issues.jboss.org/browse/WFLY-8961
             Project: WildFly
          Issue Type: Bug
          Components: JMS, Security
            Reporter: Josef Cacek
            Assignee: Jeff Mesnil
            Priority: Critical


I'm not able to authenticate to JMS when using JBOSS-LOCAL-USER SASL mechanism. {{ConnectionFactory.createContext()}} call and the client call fails with:
{noformat}
javax.jms.JMSSecurityRuntimeException: AMQ119031: Unable to validate user
{noformat}

This issue is similar to JBEAP-10527, but for JBOSS-LOCAL-USER mechanism (compared to DIGEST-MD5 for instance) we don't have a username or password. This problem can be in other SASL mechanisms too (e.g. EXTERNAL - where we authenticate a user with client certificate).

Code used for testing:
{code:java}
        AuthenticationContext.empty()
                .with(MatchRule.ALL,
                        AuthenticationConfiguration.empty().useProvidersFromClassLoader(getClass().getClassLoader())
                                .setSaslMechanismSelector(SaslMechanismSelector.fromString("JBOSS-LOCAL-USER")))
                .run(() ->  {
            try {
            // ... initialize naming etc. here
            ConnectionFactory connectionFactory = (ConnectionFactory) namingContext
                    .lookup("jms/RemoteConnectionFactory");
            JMSContext context = connectionFactory.createContext();
            } catch (NamingException e) {
                // ...
            }
        });
{code}

Server log contains:
{noformat}
2017-06-08 15:00:07,076 TRACE [org.wildfly.security] (default I/O-4) Handling MechanismInformationCallback type='SASL' name='JBOSS-LOCAL-USER' host-name='localhost' protocol='remote'
2017-06-08 15:00:07,077 TRACE [org.wildfly.security] (default I/O-4) Handling MechanismInformationCallback type='SASL' name='JBOSS-LOCAL-USER' host-name='localhost' protocol='remote'
2017-06-08 15:00:07,077 TRACE [org.wildfly.security] (default I/O-4) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1 at 55b75111] for mechanism [JBOSS-LOCAL-USER]
2017-06-08 15:00:07,083 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = $local
2017-06-08 15:00:07,083 TRACE [org.wildfly.security] (default task-2) Principal assigning: [$local], pre-realm rewritten: [$local], realm name: [local], post-realm rewritten: [$local], realm rewritten: [$local]
2017-06-08 15:00:07,084 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [$local] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [guest]
2017-06-08 15:00:07,084 TRACE [org.wildfly.security] (default task-2) Authorizing principal $local.
2017-06-08 15:00:07,084 TRACE [org.wildfly.security] (default task-2) Authorizing against the following attributes: [] => []
2017-06-08 15:00:07,084 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [$local] with roles [guest] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
2017-06-08 15:00:07,095 TRACE [org.wildfly.security] (default task-2) Authorization succeed
2017-06-08 15:00:07,095 TRACE [org.wildfly.security] (default task-2) RunAs authorization succeed - the same identity
2017-06-08 15:00:07,095 TRACE [org.wildfly.security] (default task-2) Handling AuthorizeCallback: authenticationID = $local  authorizationID = $local  authorized = true
2017-06-08 15:00:07,095 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: succeed
2017-06-08 15:00:07,099 TRACE [org.wildfly.security] (default task-2) Handling SecurityIdentityCallback: identity = SecurityIdentity{principal=$local, securityDomain=org.wildfly.security.auth.server.SecurityDomain at 24c5501a, authorizationIdentity=EMPTY, realmInfo=RealmInfo{name='local', securityRealm=org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm at 426b003b}, creationTime=2017-06-08T13:00:07.083Z}
2017-06-08 15:00:07,142 INFO  [org.wildfly.naming] (default task-4) WildFly Naming version 1.0.0.Beta16
2017-06-08 15:00:07,908 TRACE [org.wildfly.security] (default I/O-3) Permission mapping: identity [anonymous] with roles [guest] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = false
2017-06-08 15:00:07,920 DEBUG [org.apache.activemq.artemis.core.postoffice.impl.PostOfficeImpl] (default I/O-3) Couldn't find any bindings for address=activemq.notifications on message=ServerMessage[messageID=25,durable=true,userID=null,priority=0, bodySize=512, timestamp=0,expiration=0, durable=true, address=activemq.notifications,properties=TypedProperties[_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_NotifTimestamp=1496926807920]]@1825253250
2017-06-08 15:00:07,920 DEBUG [org.apache.activemq.artemis.core.postoffice.impl.PostOfficeImpl] (default I/O-3) Message ServerMessage[messageID=25,durable=true,userID=null,priority=0, bodySize=512, timestamp=0,expiration=0, durable=true, address=activemq.notifications,properties=TypedProperties[_AMQ_NotifType=SECURITY_AUTHENTICATION_VIOLATION,_AMQ_NotifTimestamp=1496926807920]]@1825253250 is not going anywhere as it didn't have a binding on address:activemq.notifications
2017-06-08 15:00:07,924 ERROR [org.apache.activemq.artemis.core.server] (default I/O-3) AMQ224018: Failed to create session: ActiveMQSecurityException[errorType=SECURITY_EXCEPTION message=AMQ119031: Unable to validate user]
	at org.apache.activemq.artemis.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:144)
	at org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl.createSession(ActiveMQServerImpl.java:1283)
	at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handleCreateSession(ActiveMQPacketHandler.java:156)
	at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQPacketHandler.handlePacket(ActiveMQPacketHandler.java:81)
	at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.handlePacket(ChannelImpl.java:623)
	at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.doBufferReceived(RemotingConnectionImpl.java:379)
	at org.apache.activemq.artemis.core.protocol.core.impl.RemotingConnectionImpl.bufferReceived(RemotingConnectionImpl.java:362)
	at org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:621)
	at org.apache.activemq.artemis.core.remoting.impl.netty.ActiveMQChannelHandler.channelRead(ActiveMQChannelHandler.java:69)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:293)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:267)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
	at org.xnio.netty.transport.AbstractXnioSocketChannel$ReadListener.handleEvent(AbstractXnioSocketChannel.java:443)
	at org.xnio.netty.transport.AbstractXnioSocketChannel$ReadListener.handleEvent(AbstractXnioSocketChannel.java:379)
	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
{noformat}

[~dlofthouse], [~jmesnil], Is there another way to use these SASL mechanisms (without username and password) to create JMSContext? If not then we should change priority to blocker.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list