[jboss-jira] [JBoss JIRA] (ELY-1822) security domain with multiple realms

Darran Lofthouse (Jira) issues at jboss.org
Fri May 31 05:47:00 EDT 2019


    [ https://issues.jboss.org/browse/ELY-1822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13740840#comment-13740840 ] 

Darran Lofthouse commented on ELY-1822:
---------------------------------------

This looks like something that would be a better topic in the user forums; we tend to use Jira once we have reached a bug that requires working on or a request for a new feature.

As you have two mechanisms each using a specific realm the piece I believe that is missing is that in each mechanism-configuration you also need to reference a realm-mapper that references a constant-realm-mapper to select the appropriate realm for that mechanism.

As you can see the configuration gets quite verbose at this point, so this issue could remain for us to look into that. For situations like this where a 1:1 mapping is highly likely, i.e. Mechanism:Realm, it would make more sense if we add an attribute here that allows the realm to be specified without an intermediate realm mapper. Internally our architecture would use a realm mapper, but as a user you shouldn't be forced to need to see that.


> security domain with multiple realms 
> -------------------------------------
>
>                 Key: ELY-1822
>                 URL: https://issues.jboss.org/browse/ELY-1822
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Server
>    Affects Versions: 1.8.0.Final
>         Environment: windows mssql 
>            Reporter: Christopher Willems
>            Priority: Major
>         Attachments: D95_J00_VM-DEV95-LS01, D95_J00_VM-DEV95-LS01.1, D95_J00_VM-DEV95-LS01.2, D95_SCS01_VM-DEV95-LS01, DEFAULT.PFL, HistorianMIIActionBlock - Shortcut.lnk, HistorianMIIActionBlock.zip, MaterialLotServicesMII.java, MovilitasFileHandling.zip, config-jwt-elytron.cli, config-jwtnw-elytron.cli, config-jwtnw-elytron.cli.txt, defaultTrace_00.8, defaultTrace_00.8.trc, defaultTracehana.txt, demofile.txt, editingactivitieswithnestedactivities.txt, inxites.be~inx~veri95.ejb.jar, jboss-ejb-client.properties, jboss-ejb3.xml, jboss-ejb3.xml, jboss-web.xml, jboss-web.xml, public.txt, server.log, standalone.xml
>
>
> we have an ear file with 2 war files and one ejb jar. Purpose of the war files is to allow for different authentication mechanisms, one for jwt (BEARER_TOKEN), the other one jdbc (BASIC).
> After the authentication we have a call to the ejb layer which we expect to have the principal of the authentication.
> Everything works fine for one realm, the default realm. The other realm will return unauthorized. With no default nothing works. The relevant information from the standalone xml is pasted below and others are attached.
>    <subsystem xmlns="urn:jboss:domain:ejb3:5.0">
>             <default-security-domain value="other"/>
>             <application-security-domains>
>                 <application-security-domain name="war-domain" security-domain="war-domain"/>
>             </application-security-domains>
>             <default-missing-method-permissions-deny-access value="false"/>
>            
>         <subsystem xmlns="urn:wildfly:elytron:6.0" 
>       <security-domain name="war-domain" default-realm="jdbc-realm" permission-mapper="default-permission-mapper" outflow-security-domains="ApplicationDomain">
>                     <realm name="jdbc-realm"/>
>                     <realm name="jwt-realm"/>
>                 </security-domain>
>     
>     <http-authentication-factory name="war-http-authentication" security-domain="war-domain" http-server-mechanism-factory="global">
>                     <mechanism-configuration>
>                         <mechanism mechanism-name="BEARER_TOKEN">
>                             <mechanism-realm realm-name="jwt-realm"/>
>                         </mechanism>
>                         <mechanism mechanism-name="BASIC">
>                             <mechanism-realm realm-name="jdbc-realm"/>
>                         </mechanism>
>                     </mechanism-configuration>
>                 </http-authentication-factory>
> below the excerpt from the log on using the jdbc realm when jwt is the default
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /veri95web
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1 at 1505d380] for mechanism [BASIC]
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost' protocol='http'
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [jdbc-realm]
> 2019-05-30 15:28:05,290 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [jdbc-realm], Username: [user1].
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [jdbc-realm]
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = user1
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Principal assigning: [user1], pre-realm rewritten: [user1], realm name: [jwt-realm], post-realm rewritten: [user1], realm rewritten: [user1]
> 2019-05-30 15:28:05,291 DEBUG [org.wildfly.security.http.basic] (default task-1) User user1 authentication failed.
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
> 2019-05-30 15:28:05,291 DEBUG [io.undertow.request.security] (default task-1) Authentication failed with message ELY06002: An authentication attempt for user 'user1' failed validation using mechanism 'BASIC'. and mechanism BASIC for HttpServerExchange{ POST /veri95web/rest/Xml/process/Equipment request {Accept=[*/*], Postman-Token=[9bba6216-81a7-4048-aa24-ec110d677e4a], Cache-Control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.13.0], Connection=[keep-alive], Authorization=[Basic dXNlcjE6MGZmZDkzNDkyNzgzNzE5YQ==], Content-Type=[applicati
>  [^server.log] 



--
This message was sent by Atlassian Jira
(v7.12.1#712002)