The method org.jboss.as.domain.http.server.security.DigestAuthenticator.HeaderParser.next() doesn't correctly move the position pointer (pos member variable) when the parsed value contains the delimiter character (comma).

Reproducer (doesn't use add-user utility because of bug 1150020):

1) add the new user to mgmt-users.properties

echo 'uid\=jduke,ou\=Users,dc\=jboss,dc\=org=theduke' >> standalone/configuration/mgmt-users.properties

2) allow plain passwords & reload server

./jboss-cli.sh -c <<EOT
/core-service=management/security-realm=ManagementRealm/authentication=properties:write-attribute(name=plain-text,value=true)
reload
EOT

3) try to authenticate to HTTP management interface, e.g. http://127.0.0.1:9990/management?operation=attribute&name=server-state, and use the following credentials:

Username: uid=jduke,ou=Users,dc=jboss,dc=org
Password: theduke

Browser reports connection reset.
I am setting to assigned so that I can investigate further - however I do not agree that in any way this can be considered a blocker. If there was a critical need for usernames in this form we would have heard about it already.
This could help: diff --git a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthent index 30551fb..6c8b30b 100644 --- a/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java +++ b/domain-http/interface/src/main/java/org/jboss/as/domain/http/server/security/DigestAuthenticator.java @@ -387,7 +387,7 @@ public class DigestAuthenticator extends Authenticator { response.value = message.substring(pos + 1, endQuote); // Move pos after DELIMITER. - int nextDelimeter = message.indexOf(DELIMITER, pos); + int nextDelimeter = message.indexOf(DELIMITER, endQuote); if (nextDelimeter > 0) { pos = nextDelimeter + 1; }
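Review bot: the if (nextDelimeter > 0) block after the changed line has no else branch in this hunk, so when the quoted value is the last field and indexOf returns -1, pos is left unchanged. Please confirm the caller terminates in that case, or set pos explicitly (for example to message.length()). Searching from endQuote also only helps if endQuote is the real closing quote, and its computation is not part of these lines, so a unit test with a comma-containing username such as the one in the reproducer would be worth adding alongside the change. Minor: the local could be renamed nextDelimiter while the line is being touched.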
The fix is not sufficient. There is another problem with backslash (\) as the last character in the value. The parser then takes it as an escape character for the ending quote. It's wrong, because the backslash itself is escaped in the value - "\\".

Use steps from comment 0 to reproduce, just add a new user to mgmt-users.properties:

ab\\=anil

And authenticate with "ab\", "anil" credentials.
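The two cases reported above (a comma inside a quoted value, and an escaped backslash directly before the closing quote) can both be handled by scanning the quoted value character by character and only then looking for the delimiter. This is an added example, not the WildFly HeaderParser code; the class name DigestFieldParser, its parse method and the sample headers are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical class, not WildFly's DigestAuthenticator.HeaderParser).
public class DigestFieldParser {

    // Parses the text after "Digest " into name/value pairs.
    static Map<String, String> parse(String message) {
        Map<String, String> fields = new LinkedHashMap<>();
        int pos = 0;
        while (pos < message.length()) {
            int eq = message.indexOf('=', pos);
            if (eq < 0) break;
            String name = message.substring(pos, eq).trim();
            pos = eq + 1;
            String value;
            if (pos < message.length() && message.charAt(pos) == '"') {
                StringBuilder sb = new StringBuilder();
                boolean closed = false;
                pos++; // step past the opening quote
                while (pos < message.length() && !closed) {
                    char c = message.charAt(pos++);
                    if (c == '\\' && pos < message.length()) {
                        sb.append(message.charAt(pos++)); // quoted-pair: next char is literal
                    } else if (c == '"') {
                        closed = true; // an unescaped quote ends the value
                    } else {
                        sb.append(c); // commas inside the quotes are data
                    }
                }
                if (!closed) throw new IllegalArgumentException("unterminated value for " + name);
                value = sb.toString();
            } else {
                int end = message.indexOf(',', pos);
                value = message.substring(pos, end < 0 ? message.length() : end).trim();
            }
            // Look for the delimiter only from the position after the consumed value.
            int next = message.indexOf(',', pos);
            pos = next < 0 ? message.length() : next + 1;
            fields.put(name, value);
        }
        return fields;
    }

    public static void main(String[] args) {
        // Constructed sample headers using the two usernames from this report.
        String a = "username=\"uid=jduke,ou=Users,dc=jboss,dc=org\", realm=\"ManagementRealm\", nc=00000001";
        String b = "username=\"ab\\\\\", realm=\"ManagementRealm\", nc=00000001";
        System.out.println(parse(a));
        System.out.println(parse(b));
    }
}
```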
Stuart Douglas <stuart.w.douglas> updated the status of jira WFLY-3969 to Resolved
It's not a blocker.