[jboss-jira] [JBoss JIRA] (ELY-913) Incorrect username is passed to principal when principal-transformers are enabled
David Lloyd (JIRA)
issues at jboss.org
Fri Feb 3 07:22:00 EST 2017
[ https://issues.jboss.org/browse/ELY-913?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13358265#comment-13358265 ]
David Lloyd commented on ELY-913:
---------------------------------
This is intentional. The domain principal is meant to be unique per domain, whereas the realm principal need only be unique per realm. So if I have two realms, for example one for customers and one for employees, and they both contain an identity with the same name, I can use post-realm rewriters to disambiguate them.
Example 1: "David/cust" -> map to customer realm -> "David"
Example 2: "David/emp" -> map to employee realm -> "David"
> Incorrect username is passed to principal when principal-transformers are enabled
> ---------------------------------------------------------------------------------
>
> Key: ELY-913
> URL: https://issues.jboss.org/browse/ELY-913
> Project: WildFly Elytron
> Issue Type: Bug
> Affects Versions: 1.1.0.Beta21
> Reporter: Ondrej Lukas
> Assignee: Darran Lofthouse
> Priority: Critical
>
> In the case when some principal-transformers are used for transforming the principal in a security domain, the final username which is used for authentication and later for authorization is: input_username transformed by pre-realm-principal-transformer, post-realm-principal-transformer and realm principal-transformer. However, the Principal assigned to SecurityIdentity uses only the name input_username transformed by pre-realm-principal-transformer.
> It seems it is caused by passing {{preRealmPrincipal}} as fourth parameter in https://github.com/wildfly-security/wildfly-elytron/blob/7b5c89c437d27fec60ec441986b5f830bb111283/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java#L1011
> Value of SecurityIdentity.getPrincipal() can be seen when trace log is enabled due to https://github.com/wildfly-security/wildfly-elytron/blob/7b5c89c437d27fec60ec441986b5f830bb111283/src/main/java/org/wildfly/security/auth/server/SecurityDomain.java#L451
> Since it seems there is currently no documentation related to this topic I cannot say whether it is a real bug. [~dlofthouse] could you please provide some clarification?
> Log (see Steps to Reproduce for more details about configuration):
> {code}
> TRACE [org.wildfly.security] (default task-3) Principal assigning: [user], pre-realm rewritten: [user1], realm name: [ApplicationRealm], post realm rewritten: [user12], realm rewritten: [user123]
> TRACE [org.wildfly.security] (default task-3) Attempting to authenticate account user123 using LegacyPropertiesSecurityRealm.
> ...
> TRACE [org.wildfly.security] (default task-3) Role mapping: principal [user1] -> decoded roles [JBossAdmin] -> realm mapped roles [JBossAdmin] -> domain mapped roles [JBossAdmin]
> {code}
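The rewrite order that the comment and the quoted trace describe, as an added Python model that is not Elytron's own code (the class and function names are hypothetical): the principal reported by the identity is the pre-realm-rewritten name, while the realm is consulted with the post-realm- and realm-rewritten name, so two realms may each hold a "David" while the domain still sees "David/cust" and "David/emp" as distinct. The two realms, the suffix-based realm mapper and the digit-appending rewriters are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
Rewriter = Callable[[str], str]

@dataclass(frozen=True)
class SecurityIdentity:
    principal: str        # domain principal: pre-realm rewritten name, unique per domain
    realm_name: str
    realm_principal: str  # name the realm authenticated: post-realm then realm rewritten
    roles: List[str]

class SecurityDomain:
    """Hypothetical model of the order described in the thread:
    pre-realm rewrite -> realm selection -> post-realm rewrite -> realm rewrite -> lookup."""

    def __init__(self, realms: Dict[str, Dict[str, List[str]]],
                 realm_mapper: Callable[[str], str],
                 pre_realm: Rewriter = lambda n: n, post_realm: Rewriter = lambda n: n,
                 realm_rewriters: Optional[Dict[str, Rewriter]] = None):
        self.realms, self.realm_mapper = realms, realm_mapper
        self.pre_realm, self.post_realm = pre_realm, post_realm
        self.realm_rewriters = realm_rewriters or {}

    def authenticate(self, name: str) -> Optional[SecurityIdentity]:
        pre = self.pre_realm(name)                      # becomes SecurityIdentity.getPrincipal()
        realm_name = self.realm_mapper(pre)             # realm is chosen from the pre-realm name
        post = self.post_realm(pre)
        realm_rewritten = self.realm_rewriters.get(realm_name, lambda n: n)(post)
        roles = self.realms.get(realm_name, {}).get(realm_rewritten)
        if roles is None:
            return None                                 # no such identity in that realm
        return SecurityIdentity(pre, realm_name, realm_rewritten, roles)

# Constructed sample: two realms that both contain an identity called "David".
REALMS = {"customers": {"David": ["customer"]}, "employees": {"David": ["staff"]}}

def suffix_realm_mapper(name: str) -> str:              # 'x/cust' -> customers, 'x/emp' -> employees
    return {"cust": "customers", "emp": "employees"}.get(name.rpartition("/")[2], "customers")

def strip_suffix(name: str) -> str:
    return name.rpartition("/")[0] or name              # 'David/cust' -> 'David'
DOMAIN = SecurityDomain(REALMS, suffix_realm_mapper, pre_realm=str.strip, post_realm=strip_suffix)

# The reporter's setup: each rewriter appends a digit, giving [user1], [user12], [user123] for [user].
REPORTER_DOMAIN = SecurityDomain({"ApplicationRealm": {"user123": ["JBossAdmin"]}},
                                 lambda n: "ApplicationRealm",
                                 pre_realm=lambda n: n + "1", post_realm=lambda n: n + "2",
                                 realm_rewriters={"ApplicationRealm": lambda n: n + "3"})
```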