[jboss-jira] [JBoss JIRA] (ELY-1151) Empty authorization name for Digest mechanism causes authentication fail
Jan Kalina (JIRA)
issues at jboss.org
Wed May 31 04:37:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13414139#comment-13414139 ]
Jan Kalina commented on ELY-1151:
---------------------------------
PR 810: client side NameCallback
PR 848: server side AuthorizationCallback
> Empty authorization name for Digest mechanism causes authentication fail
> ------------------------------------------------------------------------
>
> Key: ELY-1151
> URL: https://issues.jboss.org/browse/ELY-1151
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta38
> Reporter: Ondrej Lukas
> Assignee: Jan Kalina
> Priority: Blocker
> Fix For: 1.1.0.Beta44
>
>
> SASL specification says about Authorization Identity String [1]:
> {quote}
> If the authorization identity string is absent, the client is requesting to act as the identity the server associates with the client's credentials. *An empty string is equivalent to an absent authorization identity.*
> {quote}
> When the authentication configuration includes an empty name for the authorization name, authentication fails. In correct behavior, the authentication name should be used if the authorization name is an empty string.
> It is caused by passing an empty {{defaultName}} to the {{NameCallback}} constructor, which results in an {{IllegalArgumentException}}. The condition in [2] checks only for a non-null value of {{authorizationId}}, but it seems it should also check for an empty name.
> It can be reproduced with a correctly set wildfly-config.xml (i.e. a configuration where authentication succeeds) - in case a {{set-authorization-name}} element with an empty string is added to this configuration file, then authentication starts to fail.
> The same issue can occur for every supported SASL mechanism. It needs to be revisited.
> We request blocker flag since current behavior violates SASL specification.
> [1] https://tools.ietf.org/html/rfc4422#section-3.4.1
> [2] https://github.com/wildfly-security/wildfly-elytron/blob/596f25e853c8fbae088ff562708def3a43480aeb/src/main/java/org/wildfly/security/sasl/digest/DigestSaslClient.java#L223
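An added example, not code from the issue, from Elytron or from the linked PRs, contrasting the null-only check the report describes with one that also treats an empty authzid as absent per RFC 4422 section 3.4.1; the class name, method names and sample values are assumptions.

```java
import javax.security.auth.callback.NameCallback;

// Hypothetical helper illustrating ELY-1151; not Elytron's DigestSaslClient code.
public final class AuthzidHandling {

    // Before the fix: only a null check, so an empty string reaches NameCallback,
    // whose constructor throws IllegalArgumentException for an empty defaultName.
    static NameCallback nameCallbackBeforeFix(String authorizationId) {
        if (authorizationId != null) {
            return new NameCallback("User name", authorizationId);
        }
        return new NameCallback("User name");
    }

    // After the fix: RFC 4422 section 3.4.1, an empty authzid is treated as absent.
    static NameCallback nameCallbackAfterFix(String authorizationId) {
        if (authorizationId != null && !authorizationId.isEmpty()) {
            return new NameCallback("User name", authorizationId);
        }
        return new NameCallback("User name");
    }

    // Server side (cf. AuthorizationCallback): the identity to authorize is the
    // authentication identity whenever the authzid is null or empty.
    static String effectiveAuthorizationId(String authenticationId, String authorizationId) {
        if (authorizationId == null || authorizationId.isEmpty()) {
            return authenticationId;
        }
        return authorizationId;
    }

    public static void main(String[] args) {
        String[] inputs = { null, "", "alice" };   // constructed sample authzid values
        for (String authzid : inputs) {
            String shown = authzid == null ? "null" : "\"" + authzid + "\"";
            try {
                nameCallbackBeforeFix(authzid);
                System.out.println("before fix, authzid=" + shown + ": ok");
            } catch (IllegalArgumentException e) {
                System.out.println("before fix, authzid=" + shown + ": IllegalArgumentException");
            }
            NameCallback cb = nameCallbackAfterFix(authzid);
            System.out.println("after fix,  authzid=" + shown + ": defaultName="
                    + cb.getDefaultName() + ", effective=" + effectiveAuthorizationId("bob", authzid));
        }
    }
}
```

Only the empty-string input triggers the exception in the pre-fix path; the fixed path leaves defaultName unset for both null and empty, so the authentication name is used.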