[jboss-jira] [JBoss JIRA] (WFCORE-2503) Legacy security domain used as Elytron security realm does not work in authorization part of aggregate-realm

Ondrej Lukas (JIRA) issues at jboss.org
Wed Mar 8 07:27:00 EST 2017


     [ https://issues.jboss.org/browse/WFCORE-2503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ondrej Lukas updated WFCORE-2503:
---------------------------------
    Steps to Reproduce: 
1) create property files /tmp/users.properties and /tmp/roles.properties 
/tmp/users.properties:
{code}
admin=admin
{code}

/tmp/roles.properties:
{code}
admin=JBossAdmin
{code}

2) Through add-user.sh add user admin with some password and role Admin for ApplicationRealm

3) add legacy configuration to application server
{code}
<security-domain name="legacyDomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="/tmp/users.properties"/>
            <module-option name="rolesProperties" value="/tmp/roles.properties"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="SimpleRoles" type="role">
            <module-option name="admin" value="User"/>
        </mapping-module>
    </mapping>
</security-domain>
...
<elytron-integration>
    <security-realms>
        <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/>
    </security-realms>
</elytron-integration>
{code}

4) setup Elytron part:
{code}
/subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles)
/subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain)
/subsystem=elytron/security-domain=elytronDomain:add(default-realm=pbauthz,permission-mapper=default-permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}])
/subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth)
{code}

5) Deploy application for printing roles (see attachments)

6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin&role=Admin and login with admin/admin - no roles are assigned (HTTP status code 403 is returned)

  was:
1) create property files /tmp/users.properties and /tmp/roles.properties 
/tmp/users.properties:
{code}
admin=admin
{code}

/tmp/roles.properties:
{code}
admin=JBossAdmin
{code}

2) Through add-user.sh add user admin with some password and role Admin

3) add legacy configuration to application server
{code}
<security-domain name="legacyDomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="/tmp/users.properties"/>
            <module-option name="rolesProperties" value="/tmp/roles.properties"/>
        </login-module>
    </authentication>
    <mapping>
        <mapping-module code="SimpleRoles" type="role">
            <module-option name="admin" value="User"/>
        </mapping-module>
    </mapping>
</security-domain>
...
<elytron-integration>
    <security-realms>
        <elytron-realm name="exportedDomain" legacy-jaas-config="legacyDomain"/>
    </security-realms>
</elytron-integration>
{code}

4) setup Elytron part:
{code}
/subsystem=elytron/simple-role-decoder=roles-decoder:add(attribute=Roles)
/subsystem=elytron/aggregate-realm=pbauthz:add(authentication-realm=ApplicationRealm,authorization-realm=exportedDomain)
/subsystem=elytron/security-domain=elytronDomain:add(default-realm=pbauthz,permission-mapper=default-permission-mapper,realms=[{realm=pbauthz,role-decoder=roles-decoder}])
/subsystem=elytron/http-authentication-factory=elytron-http-auth:add(http-server-mechanism-factory=global,security-domain=elytronDomain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Exported Realm"}]}])
/subsystem=undertow/application-security-domain=print-roles:add(http-authentication-factory=elytron-http-auth)
{code}

5) Deploy application for printing roles (see attachments)

6) Access http://127.0.0.1:8080/print-roles/protected/printRoles?role=User&role=JBossAdmin&role=Admin and login with admin/admin - no roles are assigned (HTTP status code 403 is returned)



> Legacy security domain used as Elytron security realm does not work in authorization part of aggregate-realm
> ------------------------------------------------------------------------------------------------------------
>
>                 Key: WFCORE-2503
>                 URL: https://issues.jboss.org/browse/WFCORE-2503
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Ondrej Lukas
>            Assignee: Darran Lofthouse
>            Priority: Critical
>         Attachments: print-roles.war
>
>
> In case when legacy security domain is used as Elytron security realm and is added as authorization realm to aggregate-realm then no roles are assigned to authenticated user.
> I tried to use following legacy security domain:
> {code}
> <security-domain name="legacyDomain" cache-type="default">
>     <authentication>
>         <login-module code="UsersRoles" flag="required">
>             <module-option name="usersProperties" value="/tmp/users.properties"/>
>             <module-option name="rolesProperties" value="/tmp/roles.properties"/>
>         </login-module>
>     </authentication>
>     <mapping>
>         <mapping-module code="SimpleRoles" type="role">
>             <module-option name="admin" value="User"/>
>         </mapping-module>
>     </mapping>
> </security-domain>
> {code}
> Roles should be assigned from mapping. Since it seems that there is no documentation related to this topic I am not sure whether roles should be assigned also from rolesProperties of UsersRoles login module - it needs to be clarified by developers.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
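The reproduction above chains two realms through aggregate-realm: ApplicationRealm answers the password check (authentication-realm) and exportedDomain, the legacy JAAS domain, is meant to supply the attributes that simple-role-decoder turns into roles (authorization-realm). The following Python model is an added example for readers of this report; it is not part of the JIRA issue and not WildFly or Elytron code. The realm classes are stand-ins that mimic the configured pieces (UsersRoles properties, SimpleRoles mapping, the Roles attribute decoder), the properties contents and the add-user.sh entry are constructed copies of the values in the steps, and whether rolesProperties of the login module also contributes roles is left as a switch because the reporter leaves that open. It shows the identity the configuration is expected to produce for admin/admin, and also the shape of the observed failure: a credential that verifies but an authorization realm that yields no attributes, which decodes to an empty role set and hence the 403.

```python
"""Model of how an Elytron aggregate-realm composes an identity: the credential is
verified by the authentication realm, attributes (and so roles) come from the
authorization realm. Constructed example for WFCORE-2503; not Elytron code."""

# Constructed copies of the files and settings from the reproduction steps.
USERS_PROPERTIES = "admin=admin\n"          # /tmp/users.properties (UsersRoles)
ROLES_PROPERTIES = "admin=JBossAdmin\n"     # /tmp/roles.properties (UsersRoles)
SIMPLE_ROLES_MAPPING = {"admin": "User"}    # SimpleRoles mapping-module options
APPLICATION_REALM = {"admin": ("admin", {"Admin"})}  # user added via add-user.sh


def parse_properties(text):
    """Parse Java-style key=value properties text into a dict (blanks/comments skipped)."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def _split_roles(value):
    """Comma-separated role list as used by UsersRoles/SimpleRoles values."""
    return {r.strip() for r in value.split(",") if r.strip()}


class ApplicationRealm:
    """Stand-in for the properties-backed ApplicationRealm (authentication side)."""

    def __init__(self, users):
        self.users = users  # user -> (password, roles)

    def authenticate(self, user, password):
        entry = self.users.get(user)
        return entry is not None and entry[0] == password

    def attributes(self, user):
        entry = self.users.get(user)
        return {"Roles": set(entry[1])} if entry else None


class LegacyDomainRealm:
    """Stand-in for a legacy JAAS security domain exported as an Elytron realm
    ('exportedDomain'). Roles come from the SimpleRoles mapping; whether the
    UsersRoles rolesProperties also count is the report's open question, so it is
    a switch here (assumption, not documented Elytron behaviour)."""

    def __init__(self, users_props, roles_props, mapping, include_login_module_roles=False):
        self.users = parse_properties(users_props)
        self.login_module_roles = parse_properties(roles_props)
        self.mapping = mapping
        self.include_login_module_roles = include_login_module_roles

    def authenticate(self, user, password):
        return self.users.get(user) == password

    def attributes(self, user):
        if user not in self.users:
            return None  # identity unknown to this realm: no attributes at all
        roles = _split_roles(self.mapping.get(user, ""))
        if self.include_login_module_roles:
            roles |= _split_roles(self.login_module_roles.get(user, ""))
        return {"Roles": roles}


class AggregateRealm:
    """authentication-realm verifies the credential; authorization-realm supplies attributes."""

    def __init__(self, authentication_realm, authorization_realm):
        self.authentication_realm = authentication_realm
        self.authorization_realm = authorization_realm

    def authenticate(self, user, password):
        return self.authentication_realm.authenticate(user, password)

    def attributes(self, user):
        return self.authorization_realm.attributes(user)


def simple_role_decoder(attributes, attribute="Roles"):
    """Mirror of simple-role-decoder=roles-decoder:add(attribute=Roles)."""
    if not attributes:
        return set()
    return set(attributes.get(attribute, ()))


def login(realm, user, password):
    """Decoded role set for a successful login, or None when the credential fails.
    An empty set is what the print-roles application answers with HTTP 403."""
    if not realm.authenticate(user, password):
        return None
    return simple_role_decoder(realm.attributes(user))


def build_domain(include_login_module_roles=False):
    """The aggregate-realm 'pbauthz' from the report, built from the stand-ins."""
    return AggregateRealm(
        ApplicationRealm(APPLICATION_REALM),
        LegacyDomainRealm(USERS_PROPERTIES, ROLES_PROPERTIES, SIMPLE_ROLES_MAPPING,
                          include_login_module_roles),
    )


if __name__ == "__main__":
    print(login(build_domain(), "admin", "admin"))
    print(login(build_domain(include_login_module_roles=True), "admin", "admin"))
```

Run as a script it prints the expected role sets for admin. Note that the role Admin granted through add-user.sh never reaches the identity in either variant: ApplicationRealm is only the authentication side of the aggregate, so any roles seen by the application must originate in the legacy domain, which is exactly the path the report shows producing nothing.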

