Bug 4665 - Identity authorization fails with emailAddress and E in DNs.
Status: NEW
Product: Java WS Security
Component: Authorization
Version: 4.0.2
Hardware: PC Windows XP
Importance: P3 normal
Target Milestone: 4.2.0
Reported: 2006-08-17 12:12 by
Modified: 2006-09-27 14:54 (History)
Description From 2006-08-17 12:12:00
One thing I do notice is that the environment variable CAS_SERVER_IDENTITY
needs to contain "E=" as opposed to "emailAddress=".
If it doesn't have this I get the following error when I try to perform cas
admin commands:

bin/cas-group-admin -m msg user create superUserGroup testUGp
2006-08-16 13:48:47,986 WARN  authorization.BasicSubjectAuthorization
[main,authorize:122] Authorization failed: expected principals
[/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/emailAddress=k.loughran@qub.ac.uk],
peer principals
[/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/E=k.loughran@qub.ac.uk]
2006-08-16 13:48:47,991 ERROR wssec.WSSecurityClientHandler
[main,handleResponse:90]
org.globus.wsrf.security.authorization.AuthorizationException:
Authorization
failed.; nested exception is:
        javax.xml.rpc.soap.SOAPFaultException: Authorization failed.
------- Comment #1 From 2006-08-17 13:04:04 -------
Where is the E attribute specified?  I don't find it in RFC 1779, RFC 2253, or
RFC 3280.  In regard to the EmailAddress attribute, does the following quote
from RFC 3280 have any bearing on this issue?

4.1.2.6  Subject

   ...
   Conforming implementations generating new certificates with
   electronic mail addresses MUST use the rfc822Name in the subject
   alternative name field (section 4.2.1.7) to describe such identities.
   Simultaneous inclusion of the EmailAddress attribute in the subject
   distinguished name to support legacy implementations is deprecated
   but permitted.
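The failure in the description is a textual comparison of two DN strings that differ only in how the e-mail attribute type is spelled (emailAddress versus E). As an added example, not code from Globus or the reporter, the following Python canonicalises attribute-type aliases before comparing; the alias table, the OpenSSL one-line DN syntax and the function names are assumptions made for this illustration.

```python
import re

# Aliases of the same attribute type. Constructed for this example; only the
# spellings relevant to the bug plus the OID are listed.
_ALIASES = {
    "E": "emailAddress",
    "EMAIL": "emailAddress",
    "EMAILADDRESS": "emailAddress",
    "1.2.840.113549.1.9.1": "emailAddress",
}

def parse_oneline_dn(dn):
    """Split an OpenSSL one-line DN ('/C=UK/O=...') into (type, value) pairs.
    Only a '/' directly followed by 'type=' starts a new RDN, so the slash
    inside the CN value 'cas/csklou01...' stays part of that value."""
    rdns = []
    for part in re.split(r"/(?=[A-Za-z0-9.]+=)", dn.strip()):
        if part:
            attr_type, _, value = part.partition("=")
            rdns.append((attr_type, value))
    return rdns

def canonical_type(attr_type):
    """Map every alias of an attribute type to one canonical spelling."""
    key = attr_type.upper()
    return _ALIASES.get(key, key)

def canonical_dn(dn):
    return [(canonical_type(t), v) for t, v in parse_oneline_dn(dn)]

def dns_match(expected, peer):
    """Compare two DNs after canonicalising attribute types.
    Values are compared exactly; whether that is right for a given
    attribute (e-mail is case-insensitive) is a policy decision."""
    return canonical_dn(expected) == canonical_dn(peer)

# The two principals from the log in the bug description.
EXPECTED = "/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/emailAddress=k.loughran@qub.ac.uk"
PEER = "/C=UK/O=eScience/OU=QUB/L=BESC/CN=cas/csklou01.cs.qub.ac.uk/E=k.loughran@qub.ac.uk"

if __name__ == "__main__":
    print("raw string equal:", EXPECTED == PEER)          # False: the reported failure
    print("canonical match: ", dns_match(EXPECTED, PEER))  # True
```

The same canonicalisation step belongs in the authorization code rather than in the CAS_SERVER_IDENTITY setting, since the workaround of rewriting the expected DN by hand has to be repeated for every deployment whose certificate tooling spells the attribute differently.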