Payara 5.184: Certificate Realm not supporting OID e-mailAddress (1.2.840.113549.1.9.1) anymore. PAYARA-3417 #3547

Closed
KriechelD opened this issue Jan 3, 2019 · 5 comments
Labels: Type: Enhancement

KriechelD commented Jan 3, 2019

Description


When using Client-Certificate Authentication in web.xml:

<login-config>
	<auth-method>CLIENT-CERT</auth-method>
	<realm-name>certificate</realm-name>
</login-config>

In Payara 5.183 our certificate was converted to the principal name:

CN=*.somedomain.de, EMAILADDRESS=somemail@somedomain.de, L=SomeTown, ST=SomeState, OU=Something, O=CompanyName, C=DE

Expected Outcome

In Payara 5.184 there have been some changes under the hood, related to the security implementation such as client certificate authentication: https://blog.payara.fish/new-feature-in-payara-server-5.184-allow-use-of-different-security-providers-via-jce-api

The article states that there are no more empty spaces (", ") between the certificate properties, so since Payara 5.184 the expected outcome should be:

CN=*.somedomain.de,EMAILADDRESS=somemail@somedomain.de,L=SomeTown,ST=SomeState,OU=Something,O=CompanyName,C=DE

That's why @arjantijms changed the javaee7-samples (javaee-samples/javaee7-samples@daf9f87) to match the new Payara 5.184 behavior.

Current Outcome

The empty spaces have actually disappeared, but now the new outcome is as follows:

CN=*.somedomain.de,1.2.840.113549.1.9.1=#161a6e65746d616e61676572406c6f74746f2d68657373656e2e6465,L=SomeTown,ST=SomeState,OU=Something,O=CompanyName,C=DE

As you can see, EMAILADDRESS has changed to 1.2.840.113549.1.9.1. This is the OID for e-MailAddress, as you can see here: http://oid-info.com/get/1.2.840.113549.1.9.1

Somehow, the support for this OID is missing in 5.184. Can you please check this and give me advice on how to get back the old functionality?

Environment

  • Payara Version: 5.184
  • Edition: Full
  • JDK Version: 8u191 - OpenJDK
  • Operating System: Linux
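
Added example (not part of the original issue and not Payara's code): application code that compares or maps certificate principal names can normalize both renderings shown above to one form. In the RFC 4514 string format, `#` introduces the hex of the BER-encoded attribute value, so the e-mailAddress OID can be mapped back to its keyword and the string decoded. The function names, keyword table and sample names are assumptions constructed for illustration; multi-valued RDNs joined with `+` are passed through unchanged.

```python
import re

OID_KEYWORDS = {"1.2.840.113549.1.9.1": "EMAILADDRESS"}  # assumed table, extend as needed
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String

def decode_hex_value(hexstr):
    """Decode the hex after '#': one BER-encoded string. Raises ValueError if malformed."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[0] not in STRING_TAGS:
        raise ValueError("not a supported BER string type")
    length, offset = raw[1], 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        if n == 0 or len(raw) < 2 + n:
            raise ValueError("bad BER length")
        length, offset = int.from_bytes(raw[2:2 + n], "big"), 2 + n
    if len(raw) - offset != length:
        raise ValueError("BER length does not match content")
    return raw[offset:].decode(STRING_TAGS[raw[0]])

def split_rdns(name):  # split on unescaped commas, drop the optional space after each
    parts, cur, esc = [], "", False
    for ch in name:
        if ch == "," and not esc:
            parts, cur = parts + [cur.lstrip()], ""
        else:
            cur += ch
        esc = ch == "\\" and not esc
    return parts + [cur.lstrip()]

def escape_value(text):
    """Re-escape decoded text per RFC 4514 so it cannot inject extra RDNs."""
    text = re.sub(r'([,+"\\<>;])', r"\\\1", text)
    text = text[:-1] + "\\ " if text.endswith(" ") else text
    return "\\" + text if text[:1] in ("#", " ") else text

def normalize_principal(name):
    """Render known OID=#hex attributes as KEYWORD=value; leave everything else untouched."""
    out = []
    for rdn in split_rdns(name):
        attr, sep, value = rdn.partition("=")
        if sep and attr in OID_KEYWORDS and value.startswith("#"):
            rdn = OID_KEYWORDS[attr] + "=" + escape_value(decode_hex_value(value[1:]))
        out.append(rdn)
    return ",".join(out)
# Constructed samples modelled on the redacted names in the issue.
EMAIL = "somemail@somedomain.de"
OLD_183 = "CN=*.somedomain.de, EMAILADDRESS=" + EMAIL + ", L=SomeTown, ST=SomeState, OU=Something, O=CompanyName, C=DE"
NEW_184 = "CN=*.somedomain.de,1.2.840.113549.1.9.1=#" + (bytes([0x16, len(EMAIL)]) + EMAIL.encode()).hex() + ",L=SomeTown,ST=SomeState,OU=Something,O=CompanyName,C=DE"
```

A malformed or non-string hex value raises `ValueError` rather than being guessed at, so a caller can reject the certificate name instead of mapping it to the wrong principal.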

@KriechelD (Author)

@smillidge Can someone please have a look at this issue?

@smillidge (Contributor)

We welcome PRs.

KriechelD (Author) commented Feb 19, 2019

I would like to provide a PR 😃

But I was not able to track down where exactly this behavior is coming from. In Payara 5.183 the conversion for OID e-mailAddress (1.2.840.113549.1.9.1) was correct, but I don't know which part of Payara is responsible for handling this.

So if someone directs me to the right location, I'd like to contribute my part 😁

OndroMih (Contributor) commented Mar 1, 2019

We're going to improve this behavior based on feedback from our customers. Stay tuned for more info soon.

@OndroMih added the "1:Investigating" and "Type: Enhancement" labels Mar 1, 2019

@OndroMih changed the title from "Payara 5.184: Certificate Realm not supporting OID e-mailAddress (1.2.840.113549.1.9.1) anymore" to "Payara 5.184: Certificate Realm not supporting OID e-mailAddress (1.2.840.113549.1.9.1) anymore. PAYARA-3417" Mar 1, 2019

@KriechelD (Author)

The problem was fixed by #4042
