-
Notifications
You must be signed in to change notification settings - Fork 628
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ISPN-9841 Non-blocking Hot Rod authentication #6801
ISPN-9841 Non-blocking Hot Rod authentication #6801
Conversation
3 related failures |
3717f60
to
0abfdfd
Compare
Fixed the failures by reordering how we handle "complete" authentication. Before sending the final server response, we obtain the subject from the auth backend. |
There are couple of places where the auth process throws an exception. In the original code this was handled in the server (writing the error response) but I am afraid here it just gets logged and the client does not get any response until it times out. Could you make sure to write some response on any code path? |
@rvansa are you sure ? I'm just wrapping the exceptions into a SecurityException which will then be handled by HotRodDecoder.decode()'s catch |
0abfdfd
to
0c92cfd
Compare
saslServer = Subject.doAs(authenticationConfig.serverSubject(), (PrivilegedExceptionAction<SaslServer>) () -> | ||
ssf.createSaslServer(mech, "hotrod", authenticationConfig.serverName(), | ||
authenticationConfig.mechProperties(), callbackHandler)); | ||
} else { | ||
} catch (PrivilegedActionException e) { | ||
throw new SecurityException(writeException(header, e.getCause())); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are you throwing that here? Can't you just log the PAE, writeException and return
?
saslServer = ssf.createSaslServer(mech, "hotrod", authenticationConfig.serverName(), | ||
authenticationConfig.mechProperties(), callbackHandler); | ||
} catch (SaslException e) { | ||
throw new SecurityException(writeException(header, e)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general I find calling a method with side-effect in exception ctor a bit cryptic (couldn't spot where it is written for a while), though YMMV.
0c92cfd
to
b812337
Compare
Yeah, that was really silly of me. I've changed that @rvansa |
} | ||
writeResponse(header, header.encoder().authResponse(header, server, channel.alloc(), serverChallenge)); | ||
|
||
if (saslServer.isComplete()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't here a race between responding with the authResponse and adding the QOP handler below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rvansa @tristantarrant isn't this still valid?
throw log.externalMechNotAllowedWithoutSSLClientCert(); | ||
} catch (SSLPeerUnverifiedException e) { | ||
throw log.externalMechNotAllowedWithoutSSLClientCert(); | ||
executor.execute(() -> authInternal(header, mech, response)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While you have handled all the declared exceptions, I would still feel a bit more warm&fuzzy if any unexpected exceptions (NPEs...) would be handled with a response...
b812337
to
b891df7
Compare
b891df7
to
8ebc474
Compare
@rvansa I believe I've addressed everything |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, let's hope the testsuite agrees.
Kicked-off a new CI build as the previous one crashed in core (unrelated to this PR) |
A green build ! |
https://issues.jboss.org/browse/ISPN-9841