wso2 / micro-integrator

The cloud-native configuration driven runtime that helps developers implement composite microservices.

Home Page:https://wso2.com/integration/

WS-Policy won't work when the role name is case-sensitive

isurul28 opened this issue · comments

Hi Team,

In the MI 4.2.0 version, we are using a proxy secured with WS-Policy. In the WS-Policy we have defined the allowed role. When the allowed role is case-sensitive we are getting a 401. We have checked the MI code base.
At the method [1], we check whether the user possesses a role listed in the allowed roles.
At [2], we verify if the user's role exists in the list of allowed roles.
Notably, we utilize a List structure for this comparison. When employing the contains method, the comparison is case-sensitive by default, meaning the role names must match exactly in terms of casing.

But in the EI 6.x version we could see that we are ignoring case when matching the allowed role and the user's role.

Please note we are using an LDAP userstore in both use-cases.

Steps to reproduce the issue:

  1. Get an updated MI 4.2.0 pack
  2. Configure MI with an LDAP userstore (IS 5.11 can be used as the LDAP server)
  3. Create a user "testuser"
  4. Create a role "Myrole" and assign that role to "testuser"
  5. Now invoke the proxy service via SoapUI as testuser. You will see that you get a 401 error because in the WS-Policy the allowed role name is in lowercase ("myrole")

Error:

[2024-04-22 12:39:54,664] ERROR {ServerWorker} - Error processing POST request for : /services/pizza.pizzaHttpSoap11Endpoint org.apache.axis2.AxisFault: The security token could not be authenticated or authorized
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:194)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:96)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:490)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:206)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized; nested exception is:
javax.security.auth.callback.UnsupportedCallbackException: Check failed : System error
org.wso2.micro.integrator.security.callback.AbstractPasswordCallback.handle(AbstractPasswordCallback.java:97)
org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:118)
org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:168)
org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:61)
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:371)
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:287)
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:236)
org.apache.rampart.RampartEngine.process(RampartEngine.java:222)
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:93)
org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
org.apache.axis2.engine.Phase.invoke(Phase.java:313)
org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:490)
org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:206)
org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
java.base/java.lang.Thread.run(Thread.java:840)

at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:181)
at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:61)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:371)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:287)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:236)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:222)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:93)
... 10 more
Caused by: javax.security.auth.callback.UnsupportedCallbackException: Check failed : System error
org.wso2.micro.integrator.security.callback.AbstractPasswordCallback.handle(AbstractPasswordCallback.java:97)
org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:118)
org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:168)
org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:61)
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:371)
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:287)
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:236)
org.apache.rampart.RampartEngine.process(RampartEngine.java:222)
org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:93)
org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
org.apache.axis2.engine.Phase.invoke(Phase.java:313)
org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:490)
org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:206)
org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
java.base/java.lang.Thread.run(Thread.java:840)

at org.wso2.micro.integrator.security.callback.AbstractPasswordCallback.handle(AbstractPasswordCallback.java:106)
at org.apache.rampart.TokenCallbackHandler.handle(TokenCallbackHandler.java:118)
at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:168)
... 16 more

Testing the same use case in EI 6.6.0

  1. Now get an updated EI 6.6.0 pack and configure the same LDAP server as the userstore
  2. Deploy the same CAR in EI 6.6.0
  3. Invoke the same proxy as "testuser" and you will see that the proxy service is invoked without any issue

[1].

[2].
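The role comparison the report describes, as an added stand-alone example that is not code from the micro-integrator, EI or Rampart code bases: `isAuthorizedStrict` mirrors the `List.contains` check (which uses `String.equals`, so "Myrole" and "myrole" do not match), and `isAuthorizedIgnoreCase` shows one way to get the EI 6.x-style case-insensitive match by keying the allowed roles in a `TreeSet` ordered by `String.CASE_INSENSITIVE_ORDER`. The class and method names and the role values are assumptions for illustration; only the role strings from the reproduction steps are taken from the report.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/**
 * Illustrative example (not MI/EI code): role authorization with a
 * case-sensitive List.contains() check beside a case-insensitive one.
 * Role values below are constructed from the reproduction steps.
 */
public class RoleCheckDemo {

    /**
     * Strict check, as described for MI 4.2.0: List.contains() delegates to
     * String.equals(), so the policy role and the userstore role must match
     * in casing. Returns true if any user role is listed in allowedRoles.
     */
    static boolean isAuthorizedStrict(List<String> allowedRoles, List<String> userRoles) {
        if (allowedRoles == null || userRoles == null) {
            return false;
        }
        for (String role : userRoles) {
            if (role != null && allowedRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Case-insensitive check (assumed equivalent of the EI 6.x behaviour):
     * the allowed roles are copied into a TreeSet whose ordering ignores
     * case, so contains() matches "Myrole" against "myrole". The comparator
     * folds per character and is locale-independent.
     */
    static boolean isAuthorizedIgnoreCase(List<String> allowedRoles, List<String> userRoles) {
        if (allowedRoles == null || userRoles == null) {
            return false;
        }
        Set<String> allowed = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String role : allowedRoles) {
            if (role != null) {
                allowed.add(role);
            }
        }
        for (String role : userRoles) {
            if (role != null && allowed.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Allowed role exactly as it would be written in the WS-Policy (constructed).
        List<String> allowedRoles = Collections.singletonList("myrole");
        // Roles as the LDAP userstore returns them for testuser (constructed).
        List<String> userRoles = Arrays.asList("Myrole");

        // Strict check rejects the user; case-insensitive check accepts.
        System.out.println("strict List.contains : " + isAuthorizedStrict(allowedRoles, userRoles));
        System.out.println("ignore case          : " + isAuthorizedIgnoreCase(allowedRoles, userRoles));
    }
}
```

Two practical notes. First, the trace in the report shows why the failure is hard to diagnose from the client side: the callback surfaces only `UnsupportedCallbackException: Check failed : System error`, which Rampart maps to the generic "security token could not be authenticated or authorized" fault and a 401, so a casing mismatch looks identical to a wrong password. Second, ignoring case in the policy check is only sound when the userstore itself treats role names case-insensitively (LDAP `cn` uses the `caseIgnoreMatch` equality rule, so the report's LDAP setup qualifies); against a store where "Admin" and "admin" are distinct roles, a case-insensitive policy match would grant both of them the same access.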