[ELY-2023] Elytron ClientCertAuthenticationMechanism does not work when using a web proxy #1442
Conversation
| /** | ||
| * Indicates if a cached identity was successfully authorized. | ||
| * | ||
| * @return true if the cached identity was successfully authorized. Otherwise, false |
There was a problem hiding this comment.
Just a small comment, I think the two references to "cached" above and the reference to "caches" below can be removed.
There was a problem hiding this comment.
Yep, leftovers from where I copied the class, sorry and done!
| Principal principal = authorizeCallback.getPrincipal(); | ||
| // always re-set the principal to ensure it hasn't changed. | ||
| setAuthenticationPrincipal(principal); | ||
| boolean authorized = authorize(principal); |
There was a problem hiding this comment.
Since the authentication principal has already been set and since the same principal is being used for the authorization check, I think just authorize() could be used here instead.
There was a problem hiding this comment.
Makes sense! Done!
| AuthorizeCallback plainCallback = new AuthorizeCallback(name, name); | ||
| authorizedFunction = plainCallback::isAuthorized; | ||
| authorizeCallBack = plainCallback; | ||
| PrincipalAuthorizeCallback principalCallback = new PrincipalAuthorizeCallback(evidence.getDefaultPrincipal()); |
There was a problem hiding this comment.
Should use evidence.getDecodedPrincipal() instead (getDecodedPrincipal() also takes into account any evidence decoders that have been configured).
|
Changes made, and I tested with the wildfly test and it keeps passing it smoothly. |
| } | ||
|
|
||
| /** | ||
| * Authorizes and caches the given <code>securityIdentity</code>. |
There was a problem hiding this comment.
One last change, this should be reworded since there isn't a securityIdentity being passed here.
There was a problem hiding this comment.
argh! I have changed to use always the word principal.
…en using a web proxy
|
FYI: The cloned JBEAP issue: https://issues.redhat.com/browse/JBEAP-20194 has 3 acks now if that is needed :) |
|
@fjuma Hi Farah, do you think we need a PR to |
|
@gaol Thanks for letting us know that the JBEAP issue has all acks now. That's all that's needed. We'll handle forwarding porting these changes to the 1.x branch and the master branch as part of our release process. Thanks! |
Issue: https://issues.redhat.com/browse/ELY-2023
When the certificate mechanism is used behind a web proxy that injects the certificate and SSL info using headers (no cache available), the mechanism uses a
AuthorizeCallbackthat fails (because it creates aNamePrincipalwhich is different to the originalX500Principal). I decided to create a new callback for authorization but using a principal. Let me know if you see something better.I'm sending the PR against EAP 1.10.x, if you need it against 1.x or other branch please just tell me to do that.
I'm preparing a test PR for wildfly that checks a certificate login using key-store realm.
Wildfly Test PR: wildfly/wildfly#13573