[jboss-jira] [JBoss JIRA] (ELY-1976) Elytron provider not being used with credential store and SASL authentication

Sonia Zaldana (Jira) issues at jboss.org
Mon Jun 1 11:59:01 EDT 2020


     [ https://issues.redhat.com/browse/ELY-1976?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sonia Zaldana updated ELY-1976:
-------------------------------
    Description: 
Trying to configure an ejb client with Sasl authentication using a credential store causes an "Invalid algorithm clear" error as follows:

{code:java}
Suppressed: javax.security.sasl.SaslException: ELY05053: Callback handler failed for unknown reason [Caused by java.io.IOException: ELY01030: Unable to read credential]
            at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:160)
            at org.wildfly.security.mechanism._private.MechanismUtil.getPasswordCredential(MechanismUtil.java:102)
            at org.wildfly.security.mechanism.scram.ScramClient.handleInitialChallenge(ScramClient.java:245)
            at org.wildfly.security.sasl.scram.ScramSaslClient.evaluateMessage(ScramSaslClient.java:75)
            at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:219)
            at org.wildfly.security.sasl.util.AbstractSaslClient.evaluateChallenge(AbstractSaslClient.java:98)
            at org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
            at org.wildfly.security.sasl.util.PrivilegedSaslClient.lambda$evaluateChallenge$0(PrivilegedSaslClient.java:55)
            at java.base/java.security.AccessController.doPrivileged(Native Method)
            at org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:55)
            at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.lambda$handleEvent$0(ClientConnectionOpenListener.java:649)
            at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:991)
            at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
            at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
            at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
            at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
            at java.base/java.lang.Thread.run(Thread.java:834)
        Caused by: java.io.IOException: ELY01030: Unable to read credential
            at org.wildfly.security.credential.source.impl.CredentialStoreCredentialSource.getCredential(CredentialStoreCredentialSource.java:92)
            at org.wildfly.security.credential.source.CredentialSource$1.getCredential(CredentialSource.java:207)
            at org.wildfly.security.auth.client.AuthenticationConfiguration$ClientCallbackHandler.handle(AuthenticationConfiguration.java:1841)
            at org.wildfly.security.sasl.util.LocalPrincipalSaslClientFactory$ClientPrincipalQueryCallbackHandler.handle(LocalPrincipalSaslClientFactory.java:93)
            at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:156)
            ... 16 more
        Caused by: org.wildfly.security.credential.store.CredentialStoreException: ELY09504: Cannot acquire a credential from the credential store
            at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.retrieve(KeyStoreCredentialStore.java:683)
            at org.wildfly.security.credential.store.CredentialStore.retrieve(CredentialStore.java:303)
            at org.wildfly.security.credential.store.CredentialStore.retrieve(CredentialStore.java:287)
            at org.wildfly.security.credential.source.impl.CredentialStoreCredentialSource.getCredential(CredentialStoreCredentialSource.java:88)
            ... 20 more
        Caused by: java.security.NoSuchAlgorithmException: ELY08028: Invalid algorithm "clear"
            at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:122)
            at org.wildfly.security.password.PasswordFactory.getInstance(PasswordFactory.java:76)
            at org.wildfly.security.credential.store.impl.KeyStoreCredentialStore.retrieve(KeyStoreCredentialStore.java:679)
            ... 23 more
{code}


Here is my wildfly-config.xml where the credential-store-reference has been configured.
{code:xml}
<configuration>
    <authentication-client xmlns="urn:elytron:client:1.5">
        <credential-stores>
            <credential-store name="mycredstore">
                <attributes>
                    <attribute name="keyStoreType" value="JCEKS"/>
                    <attribute name="location" value="/home/szcalles/Wildfly/wildfly/build/target/wildfly-20.0.0.Final-SNAPSHOT/standalone/configuration/mycredstore.cs"></attribute>
                </attributes>
                <protection-parameter-credentials>
                    <clear-password password="StorePassword"/>
                </protection-parameter-credentials>
            </credential-store>
        </credential-stores>

        <authentication-rules>
            <rule use-configuration="default-config"/>
        </authentication-rules>
        <authentication-configurations>
            <configuration name="default-config">
                <set-user-name name="quickstartUser"/>
                <credentials>
                    <credential-store-reference store="mycredstore" alias="quickstartUser"/>
                </credentials>
                <sasl-mechanism-selector selector="SCRAM-SHA-512"/>
                <providers>
                    <use-service-loader />
                </providers>
            </configuration>
        </authentication-configurations>
    </authentication-client>
</configuration>
{code}

The provider configuration in wildfly-config.xml is specified correctly:
{code:xml}
<providers>
     <use-service-loader />
</providers>
{code}

The problem seems to be in {{PasswordFactory.getInstance()}} in {{KeyStoreCredentialStore}}, where we aren't setting the providers we have configured. Instead, it seems to use {{INSTALLED_PROVIDERS}}, which does not have the Elytron providers.


> Elytron provider not being used with credential store and SASL authentication
> -----------------------------------------------------------------------------
>
>                 Key: ELY-1976
>                 URL: https://issues.redhat.com/browse/ELY-1976
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Client
>            Reporter: Sonia Zaldana
>            Assignee: Sonia Zaldana
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v7.13.8#713008)
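The provider lookup the report above points at, shown as an added example that is not part of the issue, of the reporter's client or of the Elytron code base. It is a standalone Java program that assumes the {{org.wildfly.security:wildfly-elytron}} artifact on the classpath; the {{decodeClear}} helper and the sample password are constructed here for illustration. It resolves the {{clear}} {{PasswordFactory}} three ways: against the JVM's installed providers only (the path {{KeyStoreCredentialStore.retrieve}} takes, which reproduces ELY08028 on a plain JVM), against an explicit provider supplier (what the {{<providers>}} element is meant to give the client), and after registering the Elytron password provider JVM-wide as a client-side workaround.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.function.Supplier;

import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.WildFlyElytronPasswordProvider;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.password.spec.ClearPasswordSpec;

public class ClearPasswordProviderCheck {

    // Constructed helper mirroring the lookup done in KeyStoreCredentialStore.retrieve:
    // a null supplier means "installed providers only" (PasswordFactory.getInstance(String)),
    // a non-null supplier stands in for the providers configured in wildfly-config.xml.
    static Password decodeClear(Supplier<Provider[]> providers, char[] secret) throws Exception {
        PasswordFactory factory = (providers == null)
                ? PasswordFactory.getInstance(ClearPassword.ALGORITHM_CLEAR)
                : PasswordFactory.getInstance(ClearPassword.ALGORITHM_CLEAR, providers);
        return factory.generatePassword(new ClearPasswordSpec(secret));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret; not a credential from the report.
        char[] secret = "example-secret".toCharArray();

        // 1. JVM default providers only: on a stock JVM no Elytron provider is installed,
        //    so this fails with NoSuchAlgorithmException "ELY08028: Invalid algorithm \"clear\"",
        //    the same root cause as the stack trace in the report.
        try {
            decodeClear(null, secret);
            System.out.println("installed providers resolved \"clear\" (Elytron provider already registered)");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("installed providers cannot resolve \"clear\": " + e.getMessage());
        }

        // 2. Explicit supplier: the Elytron password provider is handed to the factory directly,
        //    which is what the configured <providers> should achieve for the credential store.
        Provider[] elytron = { WildFlyElytronPasswordProvider.getInstance() };
        ClearPassword pw = (ClearPassword) decodeClear(() -> elytron, secret);
        System.out.println("configured providers resolved \"clear\": " + new String(pw.getPassword()));

        // 3. Workaround for a client without the fix: register the provider with the JVM so that
        //    code paths that ignore the configured supplier still find it via Security.getProviders().
        Security.addProvider(WildFlyElytronPasswordProvider.getInstance());
        decodeClear(null, secret);
        System.out.println("installed providers resolve \"clear\" after Security.addProvider");
    }
}
```

Compile and run with the wildfly-elytron jar on the classpath. Step 3 widens the provider set for the whole process, so treat it as a diagnostic or stop-gap for affected clients; the change the report asks for is to pass the configured provider supplier through to the {{PasswordFactory}} lookup inside the credential store instead of relying on the installed providers.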

