-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ELY-2359] Support HTTP Digest when fronted by load balancer #1909
base: 2.x
Are you sure you want to change the base?
Conversation
4db7996
to
3bdc975
Compare
@fjuma This can be reviewed, tests are in the wilfdly PR as they need to setup clustering. Thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @Skyllarr! I've added some initial comments.
@@ -51,6 +51,7 @@ private HttpConstants() { | |||
|
|||
public static final String CONFIG_VALIDATE_DIGEST_URI = CONFIG_BASE + ".validate-digest-uri"; | |||
public static final String CONFIG_SKIP_CERTIFICATE_VERIFICATION = CONFIG_BASE + ".skip-certificate-verification"; | |||
public static final String CONFIG_SESSION_DIGEST = CONFIG_BASE + ".session-digest"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be good to make it more clear that this is a boolean value. Maybe something like use-digest-session-based-nonce-manager
or use-digest-session-nonce-manager
or use-session-digest
, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma Thank you! Fixed to be use-session-based-digest-nonce-manager
@@ -146,6 +148,9 @@ public MechanismRealmConfiguration getMechanismRealmConfiguration(String realmNa | |||
return mechanismRealms.get(realmName); | |||
} | |||
|
|||
public boolean getSessionDigest() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a minor comment on naming, since this is returning a boolean value, we could rename this to something like isUseSessionDigest
or getUseSessionDigest
(or something else depending on the property name you go with).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma Fixed
@@ -271,6 +277,12 @@ public Builder setServerCredentialSource(final CredentialSource serverCredential | |||
return this; | |||
} | |||
|
|||
public Builder setSessionDigest(final Boolean sessionDigest) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, would be good to rename this too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
Object configSessionDigest = properties.get(CONFIG_SESSION_DIGEST); | ||
String sessionDigest = configSessionDigest instanceof String ? (String) configSessionDigest : null; | ||
if (Boolean.parseBoolean(sessionDigest)) { | ||
nonceManager = new PersistentNonceManager(300000, 900000, true, 20, SHA256, ElytronMessages.httpDigest); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might be good to make these parameter values constants so they can be shared with the default NonceManager too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma Thank you! fixed by placing the constants to the NonceManagerUtils
http/digest/src/main/java/org/wildfly/security/http/digest/NonceManager.java
Show resolved
Hide resolved
} catch (GeneralSecurityException e) { | ||
throw new IllegalStateException(e); | ||
} | ||
return NonceManagerUtils.generateNonce(salt, algorithm, nonceCounter, privateKey ); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Totally minor, there's an extra space before the closing bracket.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, thanks!
* @param algorithm the message digest algorithm to use when creating the digest portion of the nonce. | ||
*/ | ||
|
||
@Deprecated |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to check, why is this deprecated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma This constructor was deprecated because its associated parent constructor is deprecated. I will remove this constructor instead of adding it as deprecated
@@ -1,6 +1,6 @@ | |||
/* | |||
* JBoss, Home of Professional Open Source. | |||
* Copyright 2018 Red Hat, Inc., and individual contributors | |||
* Copyright 2023 Red Hat, Inc., and individual contributors |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just curious why this is change is needed. I don't seem to see other updates in this file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, thanks!
if (request.getScope(Scope.SESSION) == null || !request.getScope(Scope.SESSION).exists()) { | ||
request.getScope(Scope.SESSION).create(); | ||
} | ||
PersistentNonceManager persistentNonceManager = (PersistentNonceManager) request.getScope(Scope.SESSION).getAttachment("persistentNonceManager"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be good to make the "persistentNonceManager" key a constant.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, thanks!
http/digest/src/main/java/org/wildfly/security/http/digest/PersistentNonceManager.java
Outdated
Show resolved
Hide resolved
* | ||
* @param persistentNonceManager PersistentNonceManager instance to update the attributes from | ||
*/ | ||
void refreshInfoFromSessionNonceManager(PersistentNonceManager persistentNonceManager) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just so I understand better, would you be able to provide some details on why this is needed? Wondering if it's possible to make use of the nonce manager from the session directly rather than updating the attributes of another instance.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma The nonceManager
in DigestAuthenticationmechanism, where this method is being used, is a final variable. I need to be retrieving the nonce manager with each request, but I cannot assign to a final variable. So I am assigning only its attributes instead. Should I change the nonceManager to be non final so I can assign to it with every request?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed the final
from the nonceManager and removed this method. It is now being assigned directly instead of updating specific attributes
@darranl Please review, thanks! |
} else if (properties.get(CONFIG_SESSION_BASED_DIGEST_NONCE_MANAGER) != null) { | ||
Object configSessionDigest = properties.get(CONFIG_SESSION_BASED_DIGEST_NONCE_MANAGER); | ||
String sessionDigest = configSessionDigest instanceof String ? (String) configSessionDigest : null; | ||
if (Boolean.parseBoolean(sessionDigest)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think Boolean.parseBoolean((String) properties.get(CONFIG_SESSION_BASED_DIGEST_NONCE_MANAGER))
could be used here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated, thanks!
* @param log mechanism specific logger. | ||
*/ | ||
PersistentNonceManager(long validityPeriod, long nonceSessionTime, boolean singleUse, int keySize, String algorithm, ElytronMessages log) { | ||
this.validityPeriodNano = validityPeriod * 1000000; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just minor but looks like this constructor could just call the one below with customExecutor
set to null
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
private long nonceSessionTime; | ||
private boolean singleUse; | ||
private String algorithm; | ||
private volatile ElytronMessages log; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this volatile?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma Not sure why this was volatile, I removed it, thanks!
@darranl When you get a chance, please review, thanks! |
4605226
to
12b892a
Compare
@darranl Please review, thank you! |
@darranl Please review this one when you get a chance, thank you! |
@darranl Please review this one when you get a chance, thank you! |
I am trying to unravel some of the history regarding the NonceManager, firstly I think I would say in this case we probably don't need to read too much into the variable being final - if at the time these classes were implemented we were setting it once and never changing it we would have set it to final more to allow the compiler to verify we set it to comething and will not change it - not that it is final so we can never change it. It looks like the package is considered private API so I think this has the option to do what we want here rather than constrain ourselves with the past. I see Ashley's changes also added the option to pass in a NonceManager but searching the code I can't find us using this yet. So maybe we could go a few steps further:
|
auth/server/base/src/main/java/org/wildfly/security/auth/server/MechanismInformation.java
Outdated
Show resolved
Hide resolved
auth/server/base/src/main/java/org/wildfly/security/auth/server/MechanismConfiguration.java
Outdated
Show resolved
Hide resolved
809be95
to
414d36f
Compare
Just to post an update here - since this will be persisted within the HTTP session the backwards compatibility will need to be kept in mind |
I added some TODOs in the code. The remaining points to address are from Darran above:
|
FYI I am going to be picking up this one to continue, we can keep this PR here for now but I will likely create a new one to target specific branches. |
https://issues.redhat.com/browse/ELY-2359