Bug 953200

Summary: (6.4.0) EJB/remoting configuration does not propagate the certificate as credentials for authentication if mutual auth SSL was used for the connection
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: EJB
Assignee: Darran Lofthouse <darran.lofthouse>
Status: CLOSED CURRENTRELEASE
QA Contact: Jan Martiska <jmartisk>
Severity: unspecified
Priority: unspecified
Version: 6.0.1
CC: ahoffer, bbaranow, cpariz, darran.lofthouse, david.lloyd, dehort, istudens, jmartisk, jsightle, kkhan
Target Milestone: DR9
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clones: 1123505
Last Closed: 2019-08-19 12:38:23 UTC
Type: Bug
Bug Depends On: 1149618
Bug Blocks: 1123505, 1129602

Description Derek Horton 2013-04-17 15:37:58 UTC
Description of problem:
EJB/remoting configuration does not propagate the certificate as credentials for authentication if mutual auth SSL was used for the connection.  This makes it impossible to use the BaseCertLoginModule for authentication with SSL protected EJBs.

Comment 1 Derek Horton 2013-04-17 15:47:30 UTC
Configure the 'ApplicationRealm' security-realm to have a keystore for its server-identity and to use a truststore in the authentication section, which forces mutual authentication:

    <security-realm name="ApplicationRealm">
        <server-identities>
            <ssl>
                <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
            </ssl>
        </server-identities>
        <authentication>
            <truststore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="123456"/>
        </authentication>
    </security-realm>

This forces SSL with mutual auth.

Configure the security-domain that is protecting the EJB to use the Remoting and CertificateRoles login module.

    <security-domain name="jmx-console" cache-type="default">
        <authentication>
            <login-module code="Remoting" flag="optional">
                <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="CertificateRoles" flag="required">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="securityDomain" value="jmx-console"/>
                <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
                <module-option name="rolesProperties" value="/home/dehort/dev/java/jboss-eap-6.0.1/standalone/configuration/roles.properties"/>
                <module-option name="defaultRolesProperties" value="/home/dehort/dev/java/jboss-eap-6.0.1/standalone/configuration/defaultRoles.properties"/>
            </login-module>
        </authentication>
        <jsse keystore-password="123456" keystore-url="${jboss.server.config.dir}/server.truststore" truststore-password="123456" truststore-url="${jboss.server.config.dir}/server.truststore"/>
    </security-domain>

The issue is that the Remoting login module does not get the certificate from the connection and store it as the user's credentials.  This causes the CertificateRoles login module to attempt to retrieve the certificate using a callback, but that fails as well.
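To make the password-stacking handoff this report depends on concrete, here is an added example (not from the report and not EAP code) that models the two-module chain in plain Java: the first stand-in module stores the connection's client certificate in JAAS shared state, the second consumes it via useFirstPass and only falls back to a callback when nothing was stacked. The class, method names and placeholder certificate are constructed for this example; the shared-state keys are the standard JAAS ones that password-stacking uses.

```java
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.Map;

/* Stand-ins for the Remoting and CertificateRoles login modules (hypothetical, not the EAP
 * classes), reduced to the part that matters here: the password-stacking=useFirstPass contract. */
public class CertStackingDemo {
    // Standard JAAS shared-state keys used by password-stacking.
    static final String NAME = "javax.security.auth.login.name";
    static final String PASS = "javax.security.auth.login.password";

    // Constructed placeholder standing in for the X.509 certificate the TLS layer received
    // from the client during mutual authentication; only its subject string matters here.
    static Certificate clientCert(final String subject) {
        return new Certificate("X.509") {
            public byte[] getEncoded() { return subject.getBytes(); }
            public void verify(PublicKey k) {}
            public void verify(PublicKey k, String p) {}
            public String toString() { return subject; }
            public PublicKey getPublicKey() { return null; }
        };
    }

    /* What the first (Remoting-style) module must do for the chain to work: put the
     * connection's certificate into shared state as the credential. The report says the
     * EAP module did not do this, so nothing was stacked for CertificateRoles. */
    static boolean connectionModuleLogin(Certificate certFromConnection, Map<String, Object> sharedState) {
        if (certFromConnection == null) return false;   // plain (non-mutual-auth) connection: let the next module try
        sharedState.put(NAME, certFromConnection.toString());
        sharedState.put(PASS, certFromConnection);
        return true;
    }

    /* What a CertificateRoles-style module does with useFirstPass: use the stacked credential,
     * and only fall back to a callback when shared state holds no certificate. */
    static Certificate certRolesModuleLogin(Map<String, Object> sharedState) {
        Object cred = sharedState.get(PASS);
        if (cred instanceof Certificate) return (Certificate) cred;
        throw new IllegalStateException("no certificate in shared state; callback fallback needed");
    }

    public static void main(String[] args) {
        Map<String, Object> shared = new HashMap<>();
        // Broken chain as in the report: nothing stacked, so CertificateRoles must fall back.
        try { certRolesModuleLogin(shared); } catch (IllegalStateException e) { System.out.println("broken: " + e.getMessage()); }
        // Working chain: the first module stacks the certificate, the second consumes it.
        connectionModuleLogin(clientCert("CN=client"), shared);
        System.out.println("fixed: authenticated " + certRolesModuleLogin(shared));
    }
}
```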

Comment 3 Jan Martiska 2014-07-02 10:30:26 UTC
Hi Derek, can you confirm that this is still an issue in 6.3 and needs to be addressed in 6.4 or in a 6.3.CP release? I'm trying to get rid of old unresolved EJB bugs. If this is not needed anymore, you may close it. Thanks.

Comment 4 Derek Horton 2014-07-03 13:45:03 UTC
It looks like this issue still exists.

Comment 5 Jan Martiska 2014-07-07 12:12:41 UTC
Proposing for EAP 6.4

Comment 6 Andrea Hoffer 2014-07-21 21:55:15 UTC
Strategic customer is asking for this to be included in a 6.3 CP release.

Comment 7 Darran Lofthouse 2014-07-22 09:15:24 UTC
Please liaise with GSS on how to clone BZs for 6.3.x - this BZ is for 6.4.0 only.

Comment 8 JBoss JIRA Server 2014-08-19 17:12:39 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira WFLY-3580 to Coding In Progress

Comment 9 Kabir Khan 2014-08-22 15:37:42 UTC
Should be solved by remoting 3.3.3 upgrade https://bugzilla.redhat.com/show_bug.cgi?id=1129602, so setting to MODIFIED

Comment 10 Ivo Studensky 2014-09-24 14:18:04 UTC
It looks like it needs remoting upgrade to 3.3.4, see [1].

[1] https://issues.jboss.org/browse/REM3-192

Comment 11 Darran Lofthouse 2014-09-24 14:32:55 UTC
That is correct, a Remoting upgrade is also required.

Comment 19 Jan Martiska 2014-11-14 08:54:12 UTC
Verified in EAP 6.4.0.DR9