[JBoss JIRA] (ELY-857) Elytron ldap-realm is not able to use LDAP attribute as principal
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina edited comment on ELY-857 at 1/10/17 1:45 PM:
---------------------------------------------------------
Not sure, but maybe the problem can occur also in FileSystemRealm: if there is a user "firstUser", the user can log in successfully as "FIRSTUSER" on Windows too, so he can obtain two different principals. The realm should normalize it, or better, use the user input only for the search but obtain the principal from the database :(
This is the reason why I think this would be better to solve on a higher level, outside of the individual realms.
> Elytron ldap-realm is not able to use LDAP attribute as principal
> -----------------------------------------------------------------
>
> Key: ELY-857
> URL: https://issues.jboss.org/browse/ELY-857
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.1.0.Beta16
> Reporter: Ondrej Lukas
> Assignee: Jan Kalina
> Priority: Blocker
>
> In the Elytron ldap-realm it is currently not possible to obtain the username from an LDAP attribute which is different from the rdn-identifier. It means that the username of the identity is always the same as the value of the rdn-identifier attribute.
> It can cause issues when the ldap-realm is used for authentication and another realm is used for authorization, since the data for the authorization realm can depend on the name assigned during authentication.
> Example:
> It seems that the ldap-realm cannot be configured for the following scenario: a user with credentials {{someUser}}/{{Password}} is authenticated and the name {{AuthenticatedUser}} is assigned to them (e.g. when calling {{./jboss-cli.sh -c -u=someUser -p=Password ':whoami'}}, {{AuthenticatedUser}} should be printed). The following LDIF is used:
> {code}
> dn: ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: organizationalUnit
> ou: People
>
> dn: uid=someUser,ou=People,dc=jboss,dc=org
> objectclass: top
> objectclass: person
> objectclass: inetOrgPerson
> uid: someUser
> cn: some User
> sn: AuthenticatedUser
> userPassword: Password
> {code}
> The mentioned LDIF works correctly with the legacy security solution.
> This missing feature can mean that migration from the legacy security solution will not be possible -> we request Blocker.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
9 years, 4 months
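The two points raised in this thread (the issue's request to take the principal from an LDAP attribute such as {{sn}} instead of the rdn-identifier, and Jan Kalina's note that a realm should use the supplied name only to search and take the principal from the stored record) are illustrated below with a small Python model. This is an added example, not WildFly Elytron code and not code from the issue or any comment: {{ToyRealm}} and its {{principal_source}} / {{username_attribute}} knobs are hypothetical names chosen to mirror proposal (a), the LDIF parser is a toy, and the LDIF itself is a constructed copy of the one in the issue description. The {{case_insensitive}} flag models a store such as a case-insensitive filesystem, so the block also shows the "two principals for one user" outcome Jan describes for FileSystemRealm on Windows.

```python
"""Toy model of principal selection in an identity realm (added example, not Elytron code)."""
import hmac

# Constructed copy of the LDIF from ELY-857 (blank line separates the two entries).
LDIF = """\
dn: ou=People,dc=jboss,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=someUser,ou=People,dc=jboss,dc=org
objectclass: top
objectclass: person
objectclass: inetOrgPerson
uid: someUser
cn: some User
sn: AuthenticatedUser
userPassword: Password
"""


def parse_ldif(text):
    """Minimal LDIF parser: one {attribute: [values]} dict per blank-line-separated entry.

    Attribute names are lower-cased because LDAP attribute names are case-insensitive.
    Toy only: no line continuation, no base64 (::) values, no changetype records.
    """
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


class ToyRealm:
    """Hypothetical realm that decides which string becomes the identity principal.

    principal_source:
      "input"     - principal is the name the client supplied (what the issue
                    reports LdapRealm / FileSystemRealm do today)
      "rdn"       - principal is the rdn-identifier value as stored in the entry
      "attribute" - principal is the value of `username_attribute` (proposal a)
    case_insensitive models a backing store that matches names case-insensitively.
    """

    def __init__(self, ldif_text, rdn_identifier="uid", principal_source="input",
                 username_attribute=None, case_insensitive=False):
        if principal_source == "attribute" and not username_attribute:
            raise ValueError("principal_source='attribute' needs username_attribute")
        self.rdn_identifier = rdn_identifier.lower()
        self.principal_source = principal_source
        self.username_attribute = username_attribute.lower() if username_attribute else None
        self.case_insensitive = case_insensitive
        # Only entries that carry the rdn-identifier attribute are identities.
        self.entries = [e for e in parse_ldif(ldif_text) if self.rdn_identifier in e]

    def _search(self, name):
        """The supplied name is used ONLY to locate the entry, never as output."""
        for entry in self.entries:
            stored = entry[self.rdn_identifier][0]
            if stored == name or (self.case_insensitive and stored.casefold() == name.casefold()):
                return entry
        return None

    def authenticate(self, name, password):
        """Return the principal name on success, None on failure."""
        entry = self._search(name)
        if entry is None:
            return None
        stored_pw = entry.get("userpassword", [""])[0]
        # Constant-time comparison; the toy LDIF stores the password in clear, as the issue does.
        if not hmac.compare_digest(stored_pw.encode(), password.encode()):
            return None
        if self.principal_source == "attribute":
            return entry[self.username_attribute][0]
        if self.principal_source == "rdn":
            return entry[self.rdn_identifier][0]
        return name  # "input": echoes whatever spelling the client typed


def principals_for(realm, spellings, password):
    """Set of distinct principals one user can obtain by varying the spelling of the name."""
    return {p for p in (realm.authenticate(s, password) for s in spellings) if p is not None}


if __name__ == "__main__":
    print(ToyRealm(LDIF).authenticate("someUser", "Password"))
    print(ToyRealm(LDIF, principal_source="attribute", username_attribute="sn")
          .authenticate("someUser", "Password"))
    loose = ToyRealm(LDIF, case_insensitive=True)
    print(principals_for(loose, ["someUser", "SOMEUSER"], "Password"))
```

With {{principal_source="input"}} on a case-insensitive store, "someUser" and "SOMEUSER" both authenticate and yield two different principals, which is the FileSystemRealm-on-Windows concern; taking the principal from the stored rdn value ("rdn") or from a configured attribute ("attribute", here {{sn}} giving {{AuthenticatedUser}}) collapses them to one, because the client input only drives the search.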
[JBoss JIRA] (ELY-857) Elytron ldap-realm is not able to use LDAP attribute as principal
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina commented on ELY-857:
--------------------------------
Not sure, but maybe the problem can occur also in FileSystemRealm: if there is a user "firstUser", the user can log in successfully as "FIRSTUSER" on Windows too, so he can obtain two different principals. The realm should normalize it, or better, use the user input only for the search but obtain the principal from the database :(
[JBoss JIRA] (ELY-857) Elytron ldap-realm is not able to use LDAP attribute as principal
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina updated ELY-857:
---------------------------
Summary: Elytron ldap-realm is not able to use LDAP attribute as principal (was: Elytron ldap-realm is able to obtain username only from rdn-identifier attribute)
[JBoss JIRA] (ELY-857) Elytron ldap-realm is able to obtain username only from rdn-identifier attribute
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina edited comment on ELY-857 at 1/10/17 1:36 PM:
---------------------------------------------------------
Notes: the result of WhoAmIOperation is obtained as:
{code:java}securityIdentity.getPrincipal().getName(){code}
The principal is really the output of the realm (see the ServerAuthenticationContext class):
{code:java}principal = getSecurityRealm().getRealmIdentity(evidence).getRealmIdentityPrincipal(){code}
But in LdapRealm (and FileSystem and Jdbc too) it is currently hardcoded as the username, the input of the realm.
*Possible solution:*
a) add a mapping from an identity attribute to the identity principal into LdapRealm (add a "username-attribute" to ldap-realm and map this identity attribute to NamePrincipal when defined)
b) use an identity attribute instead of a special method for the principal, to add this possibility into all realms at once?
[~dlofthouse] do you think this should be solved for LDAP only, or on a higher level?
Not sure, but maybe the problem can occur also in FileSystemRealm: if there is a user "firstUser", the user can log in successfully as "FIRSTUSER" on Windows too, so he can obtain two different principals. The realm should normalize it, or better, use the user input only for the search but obtain the principal from the database :(
[JBoss JIRA] (ELY-857) Elytron ldap-realm is able to obtain username only from rdn-identifier attribute
by Darran Lofthouse (JIRA)
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.sy... ]
Darran Lofthouse commented on ELY-857:
--------------------------------------
If we were to map it into an attribute, I wonder if we have any standard way to add a Principal transformer that takes this into account.
[JBoss JIRA] (ELY-857) Elytron ldap-realm is able to obtain username only from rdn-identifier attribute
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina edited comment on ELY-857 at 1/10/17 1:27 PM:
---------------------------------------------------------
Notes: the result of WhoAmIOperation is obtained as:
{code:java}securityIdentity.getPrincipal().getName(){code}
The principal is really the output of the realm (see the ServerAuthenticationContext class):
{code:java}principal = getSecurityRealm().getRealmIdentity(evidence).getRealmIdentityPrincipal(){code}
But in LdapRealm (and FileSystem and Jdbc too) it is currently hardcoded as the username, the input of the realm.
*Possible solution:*
a) add a mapping from an identity attribute to the identity principal into LdapRealm (add a "username-attribute" to ldap-realm and map this identity attribute to NamePrincipal when defined)
b) use an identity attribute instead of a special method for the principal, to add this possibility into all realms at once?
[~dlofthouse] do you think this should be solved for LDAP only, or on a higher level?
[JBoss JIRA] (ELY-857) Elytron ldap-realm is able to obtain username only from rdn-identifier attribute
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina edited comment on ELY-857 at 1/10/17 1:26 PM:
---------------------------------------------------------
Notes: the result of WhoAmIOperation is obtained as:
{code:java}securityIdentity.getPrincipal().getName(){code}
The principal is really the output of the realm (see the ServerAuthenticationContext class):
{code:java}principal = getSecurityRealm().getRealmIdentity(evidence).getRealmIdentityPrincipal(){code}
But in LdapRealm it is currently hardcoded as the username, the input of the realm.
*Possible solution:*
a) add a mapping from an identity attribute to the identity principal into LdapRealm (add a "username-attribute" to ldap-realm and map this identity attribute to NamePrincipal when defined)
b) use an identity attribute instead of a special method for the principal, to add this possibility into all realms at once?
[~dlofthouse] do you think this should be solved for LDAP only, or on a higher level?
[JBoss JIRA] (WFLY-7872) Servlet Feature Pack Does Not Start in DomainMode
by Darran Lofthouse (JIRA)
Darran Lofthouse created WFLY-7872:
--------------------------------------
Summary: Servlet Feature Pack Does Not Start in DomainMode
Key: WFLY-7872
URL: https://issues.jboss.org/browse/WFLY-7872
Project: WildFly
Issue Type: Bug
Components: Build System
Reporter: Darran Lofthouse
Assignee: Darran Lofthouse
Fix For: 11.0.0.Alpha1
{noformat}
[Host Controller] 18:19:38,464 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
[Host Controller] ("host" => "master"),
[Host Controller] ("core-service" => "management"),
[Host Controller] ("security-realm" => "ApplicationRealm")
[Host Controller] ]) - failure description: {
[Host Controller] "WFLYCTL0412: Required services that are not installed:" => ["jboss.server.path.\"jboss.server.config.dir\""],
[Host Controller] "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.server.controller.management.security_realm.ApplicationRealm.key-manager is missing [jboss.server.path.\"jboss.server.config.dir\"]"]
[Host Controller] }
{noformat}
[JBoss JIRA] (ELY-857) Elytron ldap-realm is able to obtain username only from rdn-identifier attribute
by Jan Kalina (JIRA)
[ https://issues.jboss.org/browse/ELY-857?page=com.atlassian.jira.plugin.sy... ]
Jan Kalina commented on ELY-857:
--------------------------------
Notes: the result of WhoAmIOperation is obtained as:
{code:java}username = securityIdentity.getPrincipal().getName(){code}
The principal is really the output of the realm (see the ServerAuthenticationContext class):
{code:java}principal = getSecurityRealm().getRealmIdentity(evidence).getRealmIdentityPrincipal(){code}