]
Darran Lofthouse commented on ELY-1822:
---------------------------------------
[~i015101] If you are interested you can also join our chat server at
- the WildFly Elytron engineers tend to be in a stream
called #wildfly-elytron - it is good for us to hear about issues as they are being worked
through so hopefully we can use the feedback to plan our next steps.
security domain with multiple realms
-------------------------------------
Key: ELY-1822
URL:
https://issues.jboss.org/browse/ELY-1822
Project: WildFly Elytron
Issue Type: Clarification
Components: Authentication Server
Affects Versions: 1.8.0.Final
Environment: windows mssql
Reporter: Christopher Willems
Priority: Optional
Attachments: D95_J00_VM-DEV95-LS01, D95_J00_VM-DEV95-LS01.1,
D95_J00_VM-DEV95-LS01.2, D95_SCS01_VM-DEV95-LS01, DEFAULT.PFL, HistorianMIIActionBlock -
Shortcut.lnk, HistorianMIIActionBlock.zip, MaterialLotServicesMII.java,
MovilitasFileHandling.zip, config-jwt-elytron.cli, config-jwtnw-elytron.cli,
config-jwtnw-elytron.cli.txt, defaultTrace_00.8, defaultTrace_00.8.trc,
defaultTracehana.txt, demofile.txt, editingactivitieswithnestedactivities.txt,
inxites.be~inx~veri95.ejb.jar, jboss-ejb-client.properties, jboss-ejb3.xml,
jboss-ejb3.xml, jboss-web.xml, jboss-web.xml, public.txt, server.log, standalone.xml
we have an ear file with 2 war files and one ejb jar . Purpose of the war files is to
allow for different authentication mechanisms, one for jwt (BEARER_TOKEN) the other one
jdbc (BASIC) .
After the authentication we have a call to the ejb layer which we expect to have the
principal of the authentication.
Everything works fine for one realm, the default realm. The other realm will return
unauthorized . With no default nothing works. The relevant information from the standalone
xml is pasted below and others are attached.
<subsystem xmlns="urn:jboss:domain:ejb3:5.0">
<default-security-domain value="other"/>
<application-security-domains>
<application-security-domain name="war-domain"
security-domain="war-domain"/>
</application-security-domains>
<default-missing-method-permissions-deny-access
value="false"/>
<subsystem xmlns="urn:wildfly:elytron:6.0"
<security-domain name="war-domain"
default-realm="jdbc-realm"
permission-mapper="default-permission-mapper"
outflow-security-domains="ApplicationDomain">
<realm name="jdbc-realm"/>
<realm name="jwt-realm"/>
</security-domain>
<http-authentication-factory name="war-http-authentication"
security-domain="war-domain"
http-server-mechanism-factory="global">
<mechanism-configuration>
<mechanism mechanism-name="BEARER_TOKEN">
<mechanism-realm realm-name="jwt-realm"/>
</mechanism>
<mechanism mechanism-name="BASIC">
<mechanism-realm realm-name="jdbc-realm"/>
</mechanism>
</mechanism-configuration>
</http-authentication-factory>
below the exert from the log on using the jdbc realm when jwt is the default
2019-05-30 15:28:05,290 TRACE [org.wildfly.security.http.servlet] (default task-1) No
AuthConfigProvider for layer=HttpServlet, appContext=default-host /veri95web
2019-05-30 15:28:05,290 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC
Unavailable, using HTTP authentication.
2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) No CachedIdentity
to restore.
2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Created
HttpServerAuthenticationMechanism
[org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1@1505d380] for
mechanism [BASIC]
2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling
MechanismInformationCallback type='HTTP' name='BASIC'
host-name='localhost' protocol='http'
2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling
AvailableRealmsCallback: realms = [jdbc-realm]
2019-05-30 15:28:05,290 DEBUG [org.wildfly.security.http.password] (default task-1)
Username authentication. Realm: [jdbc-realm], Username: [user1].
2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling
RealmCallback: selected = [jdbc-realm]
2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling
NameCallback: authenticationName = user1
2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Principal
assigning: [user1], pre-realm rewritten: [user1], realm name: [jwt-realm], post-realm
rewritten: [user1], realm rewritten: [user1]
2019-05-30 15:28:05,291 DEBUG [org.wildfly.security.http.basic] (default task-1) User
user1 authentication failed.
2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling
AuthenticationCompleteCallback: fail
2019-05-30 15:28:05,291 DEBUG [io.undertow.request.security] (default task-1)
Authentication failed with message ELY06002: An authentication attempt for user
'user1' failed validation using mechanism 'BASIC'. and mechanism BASIC for
HttpServerExchange{ POST /veri95web/rest/Xml/process/Equipment request {Accept=[*/*],
Postman-Token=[9bba6216-81a7-4048-aa24-ec110d677e4a], Cache-Control=[no-cache],
accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.13.0],
Connection=[keep-alive], Authorization=[Basic dXNlcjE6MGZmZDkzNDkyNzgzNzE5YQ==],
Content-Type=[applicati
[^server.log]