[jboss-jira] [JBoss JIRA] (ELY-1822) security domain with multiple realms

Christopher Willems (Jira) issues at jboss.org
Thu May 30 09:55:00 EDT 2019


     [ https://issues.jboss.org/browse/ELY-1822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher Willems updated ELY-1822:
-------------------------------------
    Attachment: config-jwt-elytron.cli
                config-jwtnw-elytron.cli
                config-jwtnw-elytron.cli.txt
                D95_J00_VM-DEV95-LS01
                D95_J00_VM-DEV95-LS01.1
                D95_J00_VM-DEV95-LS01.2
                D95_SCS01_VM-DEV95-LS01
                DEFAULT.PFL
                defaultTrace_00.8
                defaultTrace_00.8.trc
                defaultTracehana.txt
                demofile.txt
                editingactivitieswithnestedactivities.txt
                HistorianMIIActionBlock - Shortcut.lnk
                HistorianMIIActionBlock.zip
                inxites.be~inx~veri95.ejb.jar
                jboss-ejb3.xml
                jboss-ejb-client.properties
                jboss-web.xml
                MaterialLotServicesMII.java
                MovilitasFileHandling.zip
                public.txt
                server.log


> security domain with multiple realms 
> -------------------------------------
>
>                 Key: ELY-1822
>                 URL: https://issues.jboss.org/browse/ELY-1822
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Server
>    Affects Versions: 1.8.0.Final
>         Environment: windows mssql 
>            Reporter: Christopher Willems
>            Priority: Major
>         Attachments: D95_J00_VM-DEV95-LS01, D95_J00_VM-DEV95-LS01.1, D95_J00_VM-DEV95-LS01.2, D95_SCS01_VM-DEV95-LS01, DEFAULT.PFL, HistorianMIIActionBlock - Shortcut.lnk, HistorianMIIActionBlock.zip, MaterialLotServicesMII.java, MovilitasFileHandling.zip, config-jwt-elytron.cli, config-jwtnw-elytron.cli, config-jwtnw-elytron.cli.txt, defaultTrace_00.8, defaultTrace_00.8.trc, defaultTracehana.txt, demofile.txt, editingactivitieswithnestedactivities.txt, inxites.be~inx~veri95.ejb.jar, jboss-ejb-client.properties, jboss-ejb3.xml, jboss-ejb3.xml, jboss-web.xml, jboss-web.xml, public.txt, server.log, standalone.xml
>
>
> We have an EAR file with 2 WAR files and one EJB jar. The purpose of the WAR files is to allow for different authentication mechanisms, one for JWT (BEARER_TOKEN), the other one for JDBC (BASIC).
> After the authentication we have a call to the EJB layer, which we expect to have the principal of the authentication.
> Everything works fine for one realm, the default realm. The other realm returns unauthorized. With no default realm nothing works. The relevant information from the standalone.xml is pasted below; the other files are attached.
>     <subsystem xmlns="urn:jboss:domain:ejb3:5.0">
>         <default-security-domain value="other"/>
>         <application-security-domains>
>             <application-security-domain name="war-domain" security-domain="war-domain"/>
>         </application-security-domains>
>         <default-missing-method-permissions-deny-access value="false"/>
>     </subsystem>
>
>     <subsystem xmlns="urn:wildfly:elytron:6.0">
>         <security-domains>
>             <security-domain name="war-domain" default-realm="jdbc-realm" permission-mapper="default-permission-mapper" outflow-security-domains="ApplicationDomain">
>                 <realm name="jdbc-realm"/>
>                 <realm name="jwt-realm"/>
>             </security-domain>
>         </security-domains>
>         <http>
>             <http-authentication-factory name="war-http-authentication" security-domain="war-domain" http-server-mechanism-factory="global">
>                 <mechanism-configuration>
>                     <mechanism mechanism-name="BEARER_TOKEN">
>                         <mechanism-realm realm-name="jwt-realm"/>
>                     </mechanism>
>                     <mechanism mechanism-name="BASIC">
>                         <mechanism-realm realm-name="jdbc-realm"/>
>                     </mechanism>
>                 </mechanism-configuration>
>             </http-authentication-factory>
>         </http>
>     </subsystem>
> Below is the excerpt from the log when using the jdbc realm while jwt is the default:
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /veri95web
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1 at 1505d380] for mechanism [BASIC]
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost' protocol='http'
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [jdbc-realm]
> 2019-05-30 15:28:05,290 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [jdbc-realm], Username: [user1].
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [jdbc-realm]
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = user1
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Principal assigning: [user1], pre-realm rewritten: [user1], realm name: [jwt-realm], post-realm rewritten: [user1], realm rewritten: [user1]
> 2019-05-30 15:28:05,291 DEBUG [org.wildfly.security.http.basic] (default task-1) User user1 authentication failed.
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
> 2019-05-30 15:28:05,291 DEBUG [io.undertow.request.security] (default task-1) Authentication failed with message ELY06002: An authentication attempt for user 'user1' failed validation using mechanism 'BASIC'. and mechanism BASIC for HttpServerExchange{ POST /veri95web/rest/Xml/process/Equipment request {Accept=[*/*], Postman-Token=[9bba6216-81a7-4048-aa24-ec110d677e4a], Cache-Control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.13.0], Connection=[keep-alive], Authorization=[Basic dXNlcjE6MGZmZDkzNDkyNzgzNzE5YQ==], Content-Type=[application/xml], cookie=[ACCESS-



--
This message was sent by Atlassian Jira
(v7.12.1#712002)


