[jboss-jira] [JBoss JIRA] (WFCORE-3963) Fix of WFCORE-3826 breaks plain authentication for ejbs using legacy configuration

Jiri Ondrusek (JIRA) issues at jboss.org
Thu Aug 9 07:10:00 EDT 2018


    [ https://issues.jboss.org/browse/WFCORE-3963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13616945#comment-13616945 ] 

Jiri Ondrusek edited comment on WFCORE-3963 at 8/9/18 7:09 AM:
---------------------------------------------------------------

[~dehort] I've tested the following configuration (with JAAS):

{quote}
<security-realm name="ApplicationRealm">
    <server-identities>
        <ssl>
            <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
        </ssl>
    </server-identities>
    <authentication>
        <jaas name="ima_jaas_sec_domain"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
{quote}

{quote}
<http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm">
    <properties>
        <property name="SASL_MECHANISMS" value="ANONYMOUS,PLAIN"/>
        <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
    </properties>
</http-connector>
{quote}

As you can see, I've defined JAAS as you suggested. (The whole file is attached as standalone2.xml.)
With this configuration, authentication *works*.

I've noticed only one possible problem during configuration: if the password is hashed in the *.properties file, you have to add the appropriate hash algorithm to the login module:

{quote}
<security-domain name="ima_jaas_sec_domain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="file:///${jboss.server.config.dir}/application-users.properties"/>
            <module-option name="rolesProperties" value="file:///${jboss.server.config.dir}/application-roles.properties"/>
            <module-option name="hashAlgorithm" value="MD5"/>
        </login-module>
    </authentication>
</security-domain>
{quote}


> Fix of WFCORE-3826 breaks plain authentication for ejbs using legacy configuration
> ----------------------------------------------------------------------------------
>
>                 Key: WFCORE-3963
>                 URL: https://issues.jboss.org/browse/WFCORE-3963
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 6.0.0.Alpha3
>            Reporter: Jiri Ondrusek
>            Assignee: Jiri Ondrusek
>              Labels: Regression
>             Fix For: 6.0.0.Alpha5
>
>         Attachments: standalone-for-node01.xml, standalone2.xml
>
>
> Fix https://issues.jboss.org/browse/WFCORE-3826 fixes anonymous authentication but breaks authenticated mode (for example PLAIN mode with username/password). See https://issues.jboss.org/browse/JBEAP-14647 for more details.
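
A pre-deployment check for the mismatch described in the comment above: hashed values in the users properties file while the UsersRoles login module declares no `hashAlgorithm`, or the reverse. This is an added example, not part of the original JIRA comment or of WildFly; the function names, the digest-length heuristic and the sample properties content are constructed for illustration.

```python
import base64, binascii, hashlib, re
import xml.etree.ElementTree as ET
# Heuristic (assumption): a value that decodes to a digest-sized blob is a hash.
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256"}

def likely_digest(value):
    """Return the digest name a hex/base64 value's length suggests, else None."""
    try:
        if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
            raw = bytes.fromhex(value)
        else:
            raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return DIGEST_SIZES.get(len(raw))

def parse_users(text):
    """Parse user=value lines of a users properties file, skipping comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace a full standalone.xml adds

def audit(domain_xml, users_text):
    """List users whose stored value disagrees with the module's hashAlgorithm."""
    findings = []
    for el in ET.fromstring(domain_xml).iter():
        if local(el.tag) != "login-module" or el.get("code") != "UsersRoles":
            continue
        opts = {o.get("name"): o.get("value") for o in el if local(o.tag) == "module-option"}
        declared = opts.get("hashAlgorithm")
        for user, stored in parse_users(users_text).items():
            guess = likely_digest(stored)
            if guess and not declared:
                findings.append(f"{user}: value looks like {guess}, hashAlgorithm missing")
            elif guess and declared.upper() != guess:
                findings.append(f"{user}: value looks like {guess}, module says {declared}")
            elif declared and not guess:
                findings.append(f"{user}: module says {declared}, value looks like plain text")
    return findings

# Constructed sample data: one hashed entry (alice), one plain-text entry (bob).
SAMPLE_USERS = "# constructed\nalice=%s\nbob=s3cret-pass\n" % hashlib.md5(b"example").hexdigest()
DOMAIN = ('<security-domain name="ima_jaas_sec_domain" cache-type="default"><authentication>'
          '<login-module code="UsersRoles" flag="required">%s</login-module></authentication></security-domain>')
WITH_HASH = DOMAIN % '<module-option name="hashAlgorithm" value="MD5"/>'
WITHOUT_HASH = DOMAIN % ""
print(audit(WITH_HASH, SAMPLE_USERS), audit(WITHOUT_HASH, SAMPLE_USERS))
```

The check only compares the shape of stored values with the declared option; it does not reproduce the login module's own hashing or encoding.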


