[jboss-jira] [JBoss JIRA] (ELY-1275) x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context
Ondrej Lukas (JIRA)
issues at jboss.org
Fri Jun 30 09:18:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ondrej Lukas updated ELY-1275:
------------------------------
Affects Version/s: 1.1.0.Beta52
> x509-credential-mapper in ldap-realm does not work correctly with server-ssl-context
> ------------------------------------------------------------------------------------
>
> Key: ELY-1275
> URL: https://issues.jboss.org/browse/ELY-1275
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta52
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> When an {{ldap-realm}} with an {{x509-credential-mapper}} is used in a {{security-domain}} which is referenced from a {{server-ssl-context}}, authorization fails. It seems it is caused by using {{ServerAuthenticationContext.NameAssignedState}} in [1], which fails in [2] due to [3]. This issue means that {{x509-credential-mapper}} cannot work in {{server-ssl-context}}.
> Server log:
> {code}
> 2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
> 2017-06-30 15:01:22,022 TRACE [org.wildfly.security] (default task-2) Principal assigning: [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ], pre-realm rewritten: [clientSubjectDn], realm name: [ldap-realm-subject-dn], post-realm rewritten: [clientSubjectDn], realm rewritten: [clientSubjectDn]
> 2017-06-30 15:01:22,023 DEBUG [org.wildfly.security] (default task-2) Obtaining lock for identity [clientSubjectDn]...
> 2017-06-30 15:01:22,028 DEBUG [org.wildfly.security] (default task-2) Obtained lock for identity [clientSubjectDn].
> 2017-06-30 15:01:22,044 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
> 2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
> 2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
> 2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
> 2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
> 2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
> 2017-06-30 15:01:22,081 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@6ca3ef32] successfully created. Connection established to LDAP server.
> 2017-06-30 15:01:22,084 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
> 2017-06-30 15:01:22,086 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [null]. Binary attributes are [null].
> 2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,152 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@6ca3ef32] was closed. Connection closed or just returned to the pool.
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
> 2017-06-30 15:01:22,153 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
> 2017-06-30 15:01:22,154 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
> 2017-06-30 15:01:22,179 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@75395ba6] successfully created. Connection established to LDAP server.
> 2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
> 2017-06-30 15:01:22,180 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
> 2017-06-30 15:01:22,195 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,197 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,198 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@75395ba6] was closed. Connection closed or just returned to the pool.
> 2017-06-30 15:01:22,200 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Creating [class javax.naming.directory.InitialDirContext] with environment:
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.authentication] with value [simple]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.provider.url] with value [ldap://localhost:10389]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.read.timeout] with value [60000]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.pool] with value [false]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [com.sun.jndi.ldap.connect.timeout] with value [5000]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.referral] with value [ignore]
> 2017-06-30 15:01:22,205 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.factory.initial] with value [com.sun.jndi.ldap.LdapCtxFactory]
> 2017-06-30 15:01:22,212 DEBUG [org.wildfly.security] (default task-2) [javax.naming.ldap.InitialLdapContext@22d42495] successfully created. Connection established to LDAP server.
> 2017-06-30 15:01:22,213 DEBUG [org.wildfly.security] (default task-2) Trying to create identity for principal [clientSubjectDn].
> 2017-06-30 15:01:22,214 DEBUG [org.wildfly.security] (default task-2) Executing search [(uid={0})] in context [o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org] with arguments [clientSubjectDn]. Returning attributes are [businessCategory]. Binary attributes are [].
> 2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Found entry [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Identity for principal [clientSubjectDn] found at [uid=clientSubjectDn,ou=People,o=X509CredentialMapperTestCasec588011e,o=primary,dc=jboss,dc=org].
> 2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
> 2017-06-30 15:01:22,227 DEBUG [org.wildfly.security] (default task-2) Context [javax.naming.ldap.InitialLdapContext@22d42495] was closed. Connection closed or just returned to the pool.
> 2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
> 2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> at io.undertow.protocols.ssl.ALPNHackSSLEngine.unwrap(ALPNHackSSLEngine.java:265)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at io.undertow.server.protocol.http.ALPNLimitingSSLEngine.unwrap(ALPNLimitingSSLEngine.java:73)
> at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:749)
> at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:646)
> at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
> at io.undertow.protocols.ssl.SslConduit$5$1.run(SslConduit.java:1046)
> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:592)
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:472)
> Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
> at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
> at org.wildfly.security.auth.server.ServerAuthenticationContext.succeed(ServerAuthenticationContext.java:492)
> at org.wildfly.security.ssl.SecurityDomainTrustManager.doClientTrustCheck(SecurityDomainTrustManager.java:123)
> at org.wildfly.security.ssl.SecurityDomainTrustManager.checkClientTrusted(SecurityDomainTrustManager.java:72)
> at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1869)
> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
> at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1034)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> {code}
> Since there is no documentation for this scenario, it is possible that this is just a configuration issue; in that case please provide a valid configuration for this scenario.
> [1] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L120
> [2] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/ssl/SecurityDomainTrustManager.java#L122
> [3] https://github.com/wildfly-security/wildfly-elytron/blob/889b2a5d3ed4fbcc759418105535cd4735c46d90/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L1943
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
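Two things in the quoted trace are worth pulling out mechanically when triaging a log like this one: the "Authentication succeed for principal [...]" TRACE line on the handshake task is followed a few milliseconds later by ELY01112 ("Authentication cannot succeed; not authorized") on a different XNIO I/O thread, which is the observable signature of the problem described in the report; and the org.wildfly.security DEBUG dump of the DirContext environment echoes the LDAP bind secret (java.naming.security.credentials) as a char[] in cleartext. The script below is an added illustration for this page, not code from the JIRA issue, from WildFly Elytron or from the reporter. The line regex is an assumption about the WildFly console log format shown above; SAMPLE_LOG is excerpted from the trace in the report, with the stack-trace frames kept to show that the parser skips them.

```python
"""Triage of the Elytron TRACE/DEBUG log quoted in the report.

Added illustration for this page; it is not code from the JIRA issue, from
WildFly Elytron or from the reporter. SAMPLE_LOG is excerpted from the trace
above (stack-trace frames are kept to show that the parser skips them).
"""
import re
from datetime import datetime, timedelta

# Assumed WildFly console line shape: timestamp, level, logger, thread, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
# DirContext environment dump that prints the LDAP bind secret as a char[].
CRED_RE = re.compile(
    r"Property \[(?P<prop>[^\]]*credentials[^\]]*)\] with value \[(?P<val>.*)\]$"
)
SUCCESS_RE = re.compile(r"Authentication succeed for principal \[(?P<principal>[^\]]+)\]")
NOT_AUTHORIZED = "ELY01112"  # "Authentication cannot succeed; not authorized"

SAMPLE_LOG = """\
2017-06-30 15:01:22,019 TRACE [org.wildfly.security] (default task-2) X500 principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ] decoded as name [clientSubjectDn] (attribute values: [clientSubjectDn])
2017-06-30 15:01:22,045 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.credentials] with value [[s, e, c, r, e, t]]
2017-06-30 15:01:22,046 DEBUG [org.wildfly.security] (default task-2) Property [java.naming.security.principal] with value [uid=admin,ou=system]
2017-06-30 15:01:22,227 TRACE [org.wildfly.security] (default task-2) X509 client certificate accepted by X509EvidenceVerifier
2017-06-30 15:01:22,228 TRACE [org.wildfly.security] (default task-2) Authentication succeed for principal [CN=clientSubjectDn, OU=EAP QE, O=Red Hat, L=Brno, ST=Czech Republic, C=CZ]
2017-06-30 15:01:22,240 ERROR [org.xnio.nio] (default I/O-4) XNIO000011: Task io.undertow.protocols.ssl.SslConduit$5$1@46b65284 failed with an exception: java.lang.RuntimeException: ELY01112: Authentication cannot succeed; not authorized
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1429)
Caused by: java.lang.IllegalStateException: ELY01112: Authentication cannot succeed; not authorized
    at org.wildfly.security.auth.server.ServerAuthenticationContext$NameAssignedState.succeed(ServerAuthenticationContext.java:1947)
"""


def parse_log(text):
    """Parse console lines into event dicts; lines without a timestamp (frames) are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S,%f")
        events.append(ev)
    return events


def find_credential_leaks(events):
    """Flag DEBUG lines that echo the dir-context bind password.

    The value is the Arrays.toString() form of a char[], so "[s, e, c, r, e, t]"
    is trivially reassembled into the cleartext secret.
    """
    leaks = []
    for ev in events:
        m = CRED_RE.search(ev["msg"])
        if m is None:
            continue
        chars = m.group("val").strip("[]").split(", ")
        leaks.append({"thread": ev["thread"], "property": m.group("prop"),
                      "as_string": "".join(chars)})
    return leaks


def find_succeed_then_reject(events, window_ms=500):
    """Pair an 'Authentication succeed' trace with a later ELY01112 error.

    The two lines come from different threads (the delegated handshake task and
    the XNIO I/O thread), so they are correlated by time, not by thread name.
    """
    findings = []
    for i, ev in enumerate(events):
        m = SUCCESS_RE.search(ev["msg"])
        if m is None:
            continue
        for later in events[i + 1:]:
            delta_ms = (later["ts"] - ev["ts"]) // timedelta(milliseconds=1)
            if delta_ms > window_ms:
                break
            if NOT_AUTHORIZED in later["msg"]:
                findings.append({
                    "principal": m.group("principal"),
                    "auth_thread": ev["thread"],
                    "error_thread": later["thread"],
                    "delta_ms": delta_ms,
                })
                break
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for leak in find_credential_leaks(evs):
        print(f"bind secret logged on {leak['thread']}: {leak['property']} = {leak['as_string']!r}")
    for f in find_succeed_then_reject(evs):
        print(f"{f['principal']}: authenticated on {f['auth_thread']}, "
              f"rejected {f['delta_ms']} ms later on {f['error_thread']} ({NOT_AUTHORIZED})")
```

The credential check is the reason not to leave org.wildfly.security at DEBUG on a shared server, or at least to treat such logs as secret material when attaching them to a ticket; the bind password used against ldap://localhost:10389 in the report is reconstructable from the trace as posted. The second check deliberately tolerates the thread switch visible in the stack trace: succeed() is invoked from the SSL delegated task and the resulting exception surfaces on the XNIO worker, so a detector keyed on thread name alone would miss it.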