[jboss-jira] [JBoss JIRA] (ELY-869) Elytron security realms cannot be used only for authorization
Jan Kalina (JIRA)
issues at jboss.org
Fri Jan 13 05:12:00 EST 2017
[ https://issues.jboss.org/browse/ELY-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13347738#comment-13347738 ]
Jan Kalina commented on ELY-869:
--------------------------------
To be able to make full use of AggregationRealm, we need to allow authorization (obtaining roles) for users which do not exist in the given realm: when the user exists in JDBCRealm and in LdapRealm we have groups (with usernames in a member-like attribute), we need to be able to obtain the groups.
But the current design of the Realm interface says we need to have an authentication identity (RealmIdentity) before we can obtain an authorization identity; we cannot obtain identity attributes when getRealmIdentity() says the identity does not exist.
a) Shouldn't this be redesigned?
b) For now I can work around it for LdapRealm: when the user does not define search-dn/name-filter, the user entity will not be searched (it will be assumed to exist) and only filtered attributes will be obtainable from LDAP. Would you agree with that solution for this issue?
> Elytron security realms cannot be used only for authorization
> -------------------------------------------------------------
>
> Key: ELY-869
> URL: https://issues.jboss.org/browse/ELY-869
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Realms
> Affects Versions: 1.1.0.Beta18
> Reporter: Ondrej Lukas
> Assignee: Jan Kalina
> Priority: Blocker
> Attachments: print-roles.war
>
>
> Scenario: I try to configure the application server for a scenario where different identity stores are used for authentication and authorization (e.g. username/password are stored in LDAP and roles are assigned from a database).
> In case authentication and authorization are handled by different security realms in Elytron (i.e. an aggregate realm is used), authorization works only when the identity store for the realm used for authorization also includes the username used for authentication. See Steps to Reproduce for more details.
> We request blocker since using different identity stores for authentication and authorization is a common scenario which should be provided by Elytron. Even our documentation explicitly mentions that scenario [1]:
> "Consider the case where users are managed in a central LDAP server and application-specific roles are stored in the application's relational database."
> I tried this scenario with Properties and Filesystem Realms for authentication and Properties and Ldap Realms for authorization.
> [1] https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/security-architecture/
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
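The behaviour discussed in the thread, as an added example that is not part of the original message or of Elytron's code: a simplified model of an aggregate realm where the authentication store (properties-like) holds the users and the authorization store (LDAP-like) holds only groups with member lists. The `search_users` switch is an assumption introduced here to model the current contract (the user entry must be found before attributes are read) against the proposed workaround (identity assumed to exist, only filtered attributes obtained).

```python
# Simplified model (added example, not Elytron code) of the aggregate-realm
# behaviour discussed in ELY-869. All users, passwords and groups are constructed.
from dataclasses import dataclass, field


@dataclass
class RealmIdentity:
    name: str
    exists: bool
    attributes: dict = field(default_factory=dict)


class PropertiesLikeRealm:
    """Authentication store: knows users and passwords (constructed sample)."""
    def __init__(self, users):
        self.users = users

    def get_realm_identity(self, name):
        return RealmIdentity(name, name in self.users)

    def verify(self, name, password):
        return self.users.get(name) == password


class LdapLikeRealm:
    """Authorization store: groups with member lists, but no user entries.
    search_users=True models the current contract (a user entry must be found,
    and there is none here); False models the workaround (the identity is
    assumed to exist and only filtered group attributes are read)."""
    def __init__(self, groups, search_users=True):
        self.groups = groups
        self.search_users = search_users

    def get_realm_identity(self, name):
        roles = sorted(g for g, members in self.groups.items() if name in members)
        exists = not self.search_users  # searching user entries always fails here
        return RealmIdentity(name, exists, {"Roles": roles} if exists else {})


def aggregate_roles(auth_realm, authz_realm, name, password):
    """Authenticate against one realm, then read roles from the other.
    Returns None when authentication fails, otherwise the role list."""
    if not auth_realm.get_realm_identity(name).exists or not auth_realm.verify(name, password):
        return None
    authz = authz_realm.get_realm_identity(name)
    # Current contract: attributes are only available for an existing identity.
    return authz.attributes.get("Roles", []) if authz.exists else []


USERS = {"alice": "s3cret"}                              # constructed sample
GROUPS = {"admin": {"alice"}, "dev": {"alice", "bob"}}   # constructed sample


def demo(search_users):
    return aggregate_roles(PropertiesLikeRealm(USERS),
                           LdapLikeRealm(GROUPS, search_users), "alice", "s3cret")
```

With the current contract `demo(True)` yields no roles even though alice is a member of both groups; with the workaround `demo(False)` yields them.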