[jboss-jira] [JBoss JIRA] (WFCORE-4803) EJB Client authentication does not work using SASL DIGEST-MD5 and EXTERNAL mechanisms in Legacy security

Ricardo Martin Camarero (Jira) issues at jboss.org
Mon Jan 20 11:47:32 EST 2020


     [ https://issues.redhat.com/browse/WFCORE-4803?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ricardo Martin Camarero moved JBEAP-18530 to WFCORE-4803:
---------------------------------------------------------

              Project: WildFly Core  (was: JBoss Enterprise Application Platform)
                  Key: WFCORE-4803  (was: JBEAP-18530)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Security
                           (was: EJB)
                           (was: Security)
    Affects Version/s: 11.0.0.Beta7
                           (was: 7.2.5.GA)
     QE Test Coverage:   (was: +)
        Fix Version/s:     (was: 7.2.8.GA)


> EJB Client authentication does not work using SASL DIGEST-MD5 and EXTERNAL mechanisms in Legacy security
> --------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-4803
>                 URL: https://issues.redhat.com/browse/WFCORE-4803
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 11.0.0.Beta7
>            Reporter: Ricardo Martin Camarero
>            Assignee: Ricardo Martin Camarero
>            Priority: Major
>
> The application does not work when using the DIGEST-MD5 mechanism in the legacy security. This is the configuration in standalone.xml:
> {code:java}
> <subsystem xmlns="urn:jboss:domain:remoting:4.0">
>             <http-connector name="http-remoting-connector" connector-ref="https" security-realm="ApplicationRealm">
>                 <sasl>
>                     <include-mechanisms value="DIGEST-MD5"/>
>                     <qop value="auth"/>
>                     <strength value="medium"/>
>                     <server-auth value="false"/>
>                     <reuse-session value="false"/>
>                     <policy>
>                         <forward-secrecy value="true"/>
>                         <no-active value="false"/>
>                         <no-anonymous value="false"/>
>                         <no-dictionary value="true"/>
>                         <no-plain-text value="false"/>
>                         <pass-credentials value="true"/>
>                     </policy>
>                 </sasl>
>             </http-connector>
>         </subsystem>
> {code}
> Using this configuration I have seen this exception in the application:
> {code:java}
> 019-12-16 09:08:44,132 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [RemotingRealm]
> 2019-12-16 09:08:44,132 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = stubejbclient
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Principal assigning: [stubejbclient], pre-realm rewritten: [stubejbclient@RemotingRealm], realm name: [DIGEST-MD5], post-realm rewritten: [stubejbclient@RemotingRealm], realm rewritten: [stubejbclient@RemotingRealm]
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: failed to obtain credential
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [RemotingRealm]
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = stubejbclient
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: failed to obtain credential
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [RemotingRealm]
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = stubejbclient
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling PasswordCallback: PasswordCredential may not be supported
> 2019-12-16 09:08:44,133 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05051: Callback handler does not support credential acquisition [Caused by org.wildfly.security.auth.callback.FastUnsupportedCallbackException: javax.security.auth.callback.PasswordCallback@1cf94092]
>         at org.wildfly.security.mechanism.digest.PasswordDigestObtainer.getSaltedPasswordFromPasswordCallback(PasswordDigestObtainer.java:295)
>         at org.wildfly.security.mechanism.digest.PasswordDigestObtainer.handleUserRealmPasswordCallbacks(PasswordDigestObtainer.java:112)
>         at org.wildfly.security.sasl.digest.AbstractDigestMechanism.handleUserRealmPasswordCallbacks(AbstractDigestMechanism.java:195)
>         at org.wildfly.security.sasl.digest.DigestSaslServer.validateDigestResponse(DigestSaslServer.java:264)
>         at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateMessage(DigestSaslServer.java:363)
>         at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:199)
>         at org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:336)
>         at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
>         at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
>         at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:59)
>         at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
>         at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
>         at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
>         at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:991)
>         at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>         at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>         at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: org.wildfly.security.auth.callback.FastUnsupportedCallbackException: javax.security.auth.callback.PasswordCallback@1cf94092
> 2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
> 2019-12-16 09:08:44,133 TRACE [org.jboss.remoting.remote.server] (default task-1) No more authentication attempts allowed, closing the connection
> {code}
> It works on EAP 7.0.x but does not work on EAP 7.2.x.
> The same configuration works on JBoss EAP 7.0.z. I'm attaching the EJB client, EJB service and standalone.xml.



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
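
A triage helper for the kind of trace quoted in this report, added here as an example and not part of the original message or of WildFly: it groups TRACE lines by thread and reports, for each finished authentication attempt, the user, the realm, the callbacks that could not be satisfied and the ELY error code. The sample log is constructed from the shape of the lines above; the `otherclient` connection and the name `summarize` are hypothetical.

```python
import re

# Constructed sample modelled on the trace in this report: two interleaved
# connections (the second is invented), shortened messages, one stack frame.
SAMPLE_LOG = """\
2019-12-16 09:08:44,132 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [RemotingRealm]
2019-12-16 09:08:44,132 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = stubejbclient
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = otherclient
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling CredentialCallback: failed to obtain credential
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling PasswordCallback: PasswordCredential may not be supported
2019-12-16 09:08:44,133 TRACE [org.jboss.remoting.remote.server] (default task-1) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05051: Callback handler does not support credential acquisition
\tat org.wildfly.security.sasl.digest.DigestSaslServer.evaluateResponse(DigestSaslServer.java:336)
2019-12-16 09:08:44,133 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
2019-12-16 09:08:44,134 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: failed to obtain credential
2019-12-16 09:08:44,134 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: fail
"""

LINE = re.compile(r"^\S+ \S+ +\w+ +\[(?P<cat>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
CALLBACK = re.compile(r"^Handling (\w+Callback): (.*)$")
ELY = re.compile(r"(ELY\d+): ([^\[]+)")

def summarize(log_text):
    """Return one record per finished authentication attempt, in completion order."""
    open_attempts, finished = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack frames and "Caused by" lines carry no thread tag
        a = open_attempts.setdefault(m["thread"], {
            "thread": m["thread"], "user": None, "realm": None, "unmet": [], "error": None})
        ely = ELY.search(m["msg"])
        if ely and "authentication rejected" in m["msg"]:
            a["error"] = (ely.group(1), ely.group(2).strip())
        cb = CALLBACK.match(m["msg"])
        if not cb:
            continue
        kind, detail = cb.groups()
        if kind == "NameCallback":
            a["user"] = detail.split("=", 1)[1].strip()
        elif kind == "RealmCallback":
            a["realm"] = detail.split("[", 1)[1].rstrip("]")
        elif kind == "AuthenticationCompleteCallback":
            a["outcome"] = detail  # closes the attempt on this thread
            finished.append(open_attempts.pop(m["thread"]))
        elif ("failed" in detail or "not be supported" in detail) and kind not in a["unmet"]:
            a["unmet"].append(kind)
    return finished

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```
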