[jboss-jira] [JBoss JIRA] (WFLY-10914) Ldaps tests failing on IBM
Martin Choma (JIRA)
issues at jboss.org
Fri Aug 24 02:47:00 EDT 2018
[ https://issues.jboss.org/browse/WFLY-10914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13623592#comment-13623592 ]
Martin Choma commented on WFLY-10914:
-------------------------------------
There is an SSLHandshakeException during the ldaps connection:
{code}
test3
08:12:49,257 TRACE [org.jboss.security] (default task-1) PBOX00354: Setting security roles ThreadLocal: null
08:12:49,259 TRACE [org.jboss.security] (default task-1) PBOX00354: Setting security roles ThreadLocal: null
08:12:49,260 TRACE [org.jboss.security] (default task-1) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal at 41a318e9, cache entry: null
08:12:49,261 TRACE [org.jboss.security] (default task-1) PBOX00209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal at 41a318e9
08:12:49,261 TRACE [org.jboss.security] (default task-1) PBOX00221: Begin getAppConfigurationEntry(test-DEP3), size: 13
08:12:49,261 TRACE [org.jboss.security] (default task-1) PBOX00224: End getAppConfigurationEntry(test-DEP3), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.negotiation.AdvancedLdapLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=java.naming.factory.initial, value=com.sun.jndi.ldap.LdapCtxFactory
name=java.naming.provider.url, value=ldaps://127.0.0.1:10636
name=referralUserAttributeIDToCheck, value=member
name=rolesCtxDN, value=ou=Roles,o=example3,dc=jboss,dc=org
name=roleFilter, value=(|(objectClass=referral)(member={1}))
name=roleAttributeID, value=cn
name=java.naming.security.authentication, value=simple
name=bindDN, value=uid=admin,ou=system
name=bindCredential, value=****
name=java.naming.referral, value=follow
name=baseCtxDN, value=ou=People,o=example3,dc=jboss,dc=org
name=throwValidateError, value=true
name=baseFilter, value=(|(objectClass=referral)(cn={0}))
08:12:49,261 TRACE [org.jboss.security] (default task-1) PBOX00236: Begin initialize method
08:12:49,261 WARN [org.jboss.security] (default task-1) PBOX00234: Invalid or misspelled module option: throwValidateError
08:12:49,261 TRACE [org.jboss.security] (default task-1) PBOX00240: Begin login method
08:12:49,261 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-1) Identity - Java Duke
08:12:49,261 TRACE [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-1) Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.security.principal=uid=admin,ou=system, baseCtxDN=ou=People,o=example3,dc=jboss,dc=org, roleAttributeID=cn, roleFilter=(|(objectClass=referral)(member={1})), rolesCtxDN=ou=Roles,o=example3,dc=jboss,dc=org, referralUserAttributeIDToCheck=member, baseFilter=(|(objectClass=referral)(cn={0})), jboss.security.security_domain=test-DEP3, throwValidateError=true, java.naming.provider.url=ldaps://127.0.0.1:10636, bindDN=uid=admin,ou=system, java.naming.security.authentication=simple, bindCredential=***, java.naming.security.credentials=***}
08:12:49,425 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-1) Login failed: javax.security.auth.login.LoginException: Unable to create new InitialLdapContext
at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:499)
at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:386)
at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:981)
at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:788)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:196)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
at java.security.AccessController.doPrivileged(AccessController.java:696)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:696)
at javax.security.auth.login.LoginContext.login(LoginContext.java:597)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:94)
at io.undertow.security.impl.BasicAuthenticationMechanism.authenticate(BasicAuthenticationMechanism.java:167)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:268)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$733.00000000680A1620.call(Unknown Source)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$734.00000000680A2680.call(Unknown Source)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$734.00000000680A2680.call(Unknown Source)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$734.00000000680A2680.call(Unknown Source)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$734.00000000680A2680.call(Unknown Source)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:811)
Caused by: javax.naming.CommunicationException: 127.0.0.1:10636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:250)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:149)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1627)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2761)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:331)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:204)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:222)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:165)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:95)
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:116)
at org.jboss.as.naming.InitialContext.init(InitialContext.java:101)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:165)
at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:91)
at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:43)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:324)
at javax.naming.InitialContext.init(InitialContext.java:255)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:165)
at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:495)
... 69 more
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at com.ibm.jsse2.k.a(k.java:15)
at com.ibm.jsse2.av.a(av.java:531)
at com.ibm.jsse2.D.a(D.java:68)
at com.ibm.jsse2.D.a(D.java:628)
at com.ibm.jsse2.E.a(E.java:803)
at com.ibm.jsse2.E.a(E.java:447)
at com.ibm.jsse2.D.r(D.java:139)
at com.ibm.jsse2.D.a(D.java:485)
at com.ibm.jsse2.av.a(av.java:717)
at com.ibm.jsse2.av.i(av.java:869)
at com.ibm.jsse2.av.a(av.java:19)
at com.ibm.jsse2.av.startHandshake(av.java:672)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:406)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:227)
... 87 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
at com.ibm.jsse2.util.b.b(b.java:104)
at com.ibm.jsse2.util.b.a(b.java:88)
at com.ibm.jsse2.aD.a(aD.java:165)
at com.ibm.jsse2.aD.a(aD.java:168)
at com.ibm.jsse2.aD.a(aD.java:211)
at com.ibm.jsse2.aD.checkServerTrusted(aD.java:162)
at com.ibm.jsse2.E.a(E.java:831)
... 96 more
{code}
which reminds me of the latest JDK LDAPS change: https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html#JDK-8200666
Setting -Dcom.sun.jndi.ldap.object.disableEndpointIdentification on the server really helped. Strangely, it does not occur on Oracle JDK though.
> Ldaps tests failing on IBM
> --------------------------
>
> Key: WFLY-10914
> URL: https://issues.jboss.org/browse/WFLY-10914
> Project: WildFly
> Issue Type: Bug
> Components: Test Suite
> Affects Versions: 14.0.0.Beta2
> Reporter: Martin Choma
> Assignee: Martin Choma
>
> * org.jboss.as.test.integration.security.loginmodules.LdapExtLikeAdvancedLdapLMTestCase.test3
> * org.jboss.as.test.integration.security.loginmodules.LdapExtLikeAdvancedLdapLMTestCase.test4
> * org.jboss.as.test.integration.security.loginmodules.LdapExtLoginModuleTestCase.test2
> * org.jboss.as.test.integration.security.loginmodules.LdapExtLoginModuleTestCase.test3
> * org.jboss.as.test.integration.security.loginmodules.LdapExtLoginModuleTestCase.test4
> * org.jboss.as.test.integration.security.loginmodules.LdapExtLoginModuleTestCase.test2throw
> * org.jboss.as.test.integration.security.loginmodules.LdapLoginModuleTestCase.testLdaps
> * org.jboss.as.test.manualmode.security.OutboundLdapConnectionClientCertTestCase.test
> * org.jboss.as.test.manualmode.security.OutboundLdapConnectionTestCase.test
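
The trace above fails at `java.naming.provider.url=ldaps://127.0.0.1:10636` with "No subject alternative names present". The following is an added example, not code from the issue or from WildFly, that predicts that outcome from a certificate's subjectAltName entries so the test certificate can be reissued rather than the check disabled. The class name `LdapsSanCheck` is hypothetical, matching is simplified to exact string comparison (no wildcard dNSName handling), and the CN fallback for DNS names is an assumption based on the OpenJDK hostname checker.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

// Added example (hypothetical class): predicts LDAPS endpoint identification from SAN entries.
public class LdapsSanCheck {
    static final int DNS_NAME = 2, IP_ADDRESS = 7; // GeneralName tags from RFC 5280

    // sans has the shape returned by X509Certificate.getSubjectAlternativeNames():
    // null when the extension is absent, otherwise [Integer type, String value] pairs.
    static String check(String host, Collection<List<?>> sans) {
        boolean ipLiteral = host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
        int wanted = ipLiteral ? IP_ADDRESS : DNS_NAME;
        boolean sawKind = false;
        if (sans != null) {
            for (List<?> san : sans) {
                if (!san.get(0).equals(wanted)) continue;
                sawKind = true;
                if (host.equalsIgnoreCase(String.valueOf(san.get(1)))) return "OK: SAN matches " + host;
            }
        }
        String kind = ipLiteral ? "iPAddress" : "dNSName";
        // An IP literal can only be matched by an iPAddress SAN; there is no CN fallback for it.
        if (sawKind || ipLiteral) return "FAIL: no " + kind + " subjectAltName matches " + host;
        return "CN-FALLBACK: no dNSName SAN, result depends on the subject CN equalling " + host;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) { // usage: java LdapsSanCheck <host> <server-cert.pem>
            try (InputStream in = new FileInputStream(args[1])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println(check(args[0], cert.getSubjectAlternativeNames()));
            }
            return;
        }
        // Constructed inputs: a certificate without SANs (the case in the trace),
        // then the same host against a certificate reissued with an iPAddress SAN.
        System.out.println(check("127.0.0.1", null));
        List<?> ip = Arrays.asList(IP_ADDRESS, "127.0.0.1");
        System.out.println(check("127.0.0.1", Arrays.<List<?>>asList(ip)));
    }
}
```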