[jboss-jira] [JBoss JIRA] (ELY-1191) Undertow CLIENT_CERT via Elytron and HTTP/2 does not work

Darran Lofthouse (JIRA) issues at jboss.org
Wed May 24 05:18:00 EDT 2017 

     [ https://issues.jboss.org/browse/ELY-1191?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated ELY-1191:
----------------------------------
    Fix Version/s: 1.1.0.Beta47


> Undertow CLIENT_CERT via Elytron and HTTP/2 does not work
> ---------------------------------------------------------
>
>                 Key: ELY-1191
>                 URL: https://issues.jboss.org/browse/ELY-1191
>             Project: WildFly Elytron
>          Issue Type: Bug
>            Reporter: Stuart Douglas
>            Assignee: Stuart Douglas
>            Priority: Blocker
>             Fix For: 1.1.0.Beta47
>
>
> When I setup CLIENT_CERT authentication for an application (see Steps to Reproduce) and utilize HTTP/2 protocol, I get always 403 Forbidden even in case I use correct client certificate that should allow me access to a secured content.
> I can see following TRACE messages in server.log:
> {code}
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) X500 principal [CN=client] decoded as name [client] (attribute values: [client])
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Principal assigning: [CN=client], pre-realm rewritten: [client], realm name: [ksRealm], post-realm rewritten: [client], realm rewritten: [client]
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Role mapping: principal [client] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles [gooduser]
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Authorizing principal client.
> 2017-05-23 10:58:31,110 TRACE [org.wildfly.security] (default task-7) Authorizing against the following attributes: [] => []
> 2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Permission mapping: identity [client] with roles [gooduser] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
> 2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Authorization succeed
> 2017-05-23 10:58:31,111 TRACE [org.wildfly.security] (default task-7) Authentication succeed for principal [CN=client]
> 2017-05-23 10:58:31,117 TRACE [org.wildfly.security] (default task-10) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost' protocol='https'
> 2017-05-23 10:58:31,117 TRACE [org.wildfly.security] (default task-10) CLIENT-CERT no SSL session
> {code}
> Authentication seems that it succeed just fine. But notice the last line - {{CLIENT-CERT no SSL session}}.
> When I disable 'http2' in https-listener:
> {code}
> /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=enable-http2,value=false)
> reload
> {code}
> I can now access secured content as expected. Also trace log contains different (more healthy) messages now.
> This happens both when I utilize HTTP/2 with EAP 'alpn-hack' mechanism and also with ALPN provided by OpenSSL library.
> As described in JBEAP-9803, Undertow needs to write into ssl-context when HTTP/2 with ALPN is utilized. Maybe this might be the source of this problem?



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list