[jboss-jira] [JBoss JIRA] (ELY-1822) security domain with multiple realms
Darran Lofthouse (Jira)
issues at jboss.org
Fri May 31 09:20:00 EDT 2019
[ https://issues.jboss.org/browse/ELY-1822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13740960#comment-13740960 ]
Darran Lofthouse commented on ELY-1822:
---------------------------------------
[~i015101] If you are interested, you can also join our chat server at https://wildfly.zulipchat.com/ - the WildFly Elytron engineers tend to be in a stream called #wildfly-elytron - it is good for us to hear about issues as they are being worked through, so hopefully we can use the feedback to plan our next steps.
> security domain with multiple realms
> -------------------------------------
>
> Key: ELY-1822
> URL: https://issues.jboss.org/browse/ELY-1822
> Project: WildFly Elytron
> Issue Type: Clarification
> Components: Authentication Server
> Affects Versions: 1.8.0.Final
> Environment: windows mssql
> Reporter: Christopher Willems
> Priority: Optional
> Attachments: D95_J00_VM-DEV95-LS01, D95_J00_VM-DEV95-LS01.1, D95_J00_VM-DEV95-LS01.2, D95_SCS01_VM-DEV95-LS01, DEFAULT.PFL, HistorianMIIActionBlock - Shortcut.lnk, HistorianMIIActionBlock.zip, MaterialLotServicesMII.java, MovilitasFileHandling.zip, config-jwt-elytron.cli, config-jwtnw-elytron.cli, config-jwtnw-elytron.cli.txt, defaultTrace_00.8, defaultTrace_00.8.trc, defaultTracehana.txt, demofile.txt, editingactivitieswithnestedactivities.txt, inxites.be~inx~veri95.ejb.jar, jboss-ejb-client.properties, jboss-ejb3.xml, jboss-ejb3.xml, jboss-web.xml, jboss-web.xml, public.txt, server.log, standalone.xml
>
>
> we have an ear file with 2 war files and one ejb jar. The purpose of the war files is to allow for different authentication mechanisms, one for jwt (BEARER_TOKEN), the other one jdbc (BASIC).
> After the authentication we have a call to the ejb layer which we expect to have the principal of the authentication.
> Everything works fine for one realm, the default realm. The other realm will return unauthorized. With no default, nothing works. The relevant information from the standalone xml is pasted below and the rest is attached.
> <subsystem xmlns="urn:jboss:domain:ejb3:5.0">
> <default-security-domain value="other"/>
> <application-security-domains>
> <application-security-domain name="war-domain" security-domain="war-domain"/>
> </application-security-domains>
> <default-missing-method-permissions-deny-access value="false"/>
>
> <subsystem xmlns="urn:wildfly:elytron:6.0">
> <security-domain name="war-domain" default-realm="jdbc-realm" permission-mapper="default-permission-mapper" outflow-security-domains="ApplicationDomain">
> <realm name="jdbc-realm"/>
> <realm name="jwt-realm"/>
> </security-domain>
>
> <http-authentication-factory name="war-http-authentication" security-domain="war-domain" http-server-mechanism-factory="global">
> <mechanism-configuration>
> <mechanism mechanism-name="BEARER_TOKEN">
> <mechanism-realm realm-name="jwt-realm"/>
> </mechanism>
> <mechanism mechanism-name="BASIC">
> <mechanism-realm realm-name="jdbc-realm"/>
> </mechanism>
> </mechanism-configuration>
> </http-authentication-factory>
> Below is the excerpt from the log when using the jdbc realm while jwt is the default:
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security.http.servlet] (default task-1) No AuthConfigProvider for layer=HttpServlet, appContext=default-host /veri95web
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security.http.servlet] (default task-1) JASPIC Unavailable, using HTTP authentication.
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) No CachedIdentity to restore.
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Created HttpServerAuthenticationMechanism [org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1 at 1505d380] for mechanism [BASIC]
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost' protocol='http'
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [jdbc-realm]
> 2019-05-30 15:28:05,290 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [jdbc-realm], Username: [user1].
> 2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [jdbc-realm]
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = user1
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Principal assigning: [user1], pre-realm rewritten: [user1], realm name: [jwt-realm], post-realm rewritten: [user1], realm rewritten: [user1]
> 2019-05-30 15:28:05,291 DEBUG [org.wildfly.security.http.basic] (default task-1) User user1 authentication failed.
> 2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling AuthenticationCompleteCallback: fail
> 2019-05-30 15:28:05,291 DEBUG [io.undertow.request.security] (default task-1) Authentication failed with message ELY06002: An authentication attempt for user 'user1' failed validation using mechanism 'BASIC'. and mechanism BASIC for HttpServerExchange{ POST /veri95web/rest/Xml/process/Equipment request {Accept=[*/*], Postman-Token=[9bba6216-81a7-4048-aa24-ec110d677e4a], Cache-Control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.13.0], Connection=[keep-alive], Authorization=[Basic dXNlcjE6MGZmZDkzNDkyNzgzNzE5YQ==], Content-Type=[applicati
> [^server.log]
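The quoted TRACE lines show the BASIC mechanism selecting `jdbc-realm` in the RealmCallback while the "Principal assigning" step reports `realm name: [jwt-realm]`. The following diagnostic is an added example, not code from the issue or from WildFly Elytron; it parses `org.wildfly.security` TRACE lines in the format quoted above, pairs the mechanism-selected realm with the realm the security domain assigned the principal to on the same request thread, and reports mismatches. The sample log is constructed from the issue's lines plus one made-up request on a second thread where the realms agree.

```python
import re

# Constructed sample: condensed copy of the issue's TRACE lines (thread "default task-1")
# plus a made-up request on "default task-2" where mechanism and domain realms agree.
SAMPLE_LOG = """\
2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling AvailableRealmsCallback: realms = [jdbc-realm]
2019-05-30 15:28:05,290 DEBUG [org.wildfly.security.http.password] (default task-1) Username authentication. Realm: [jdbc-realm], Username: [user1].
2019-05-30 15:28:05,290 TRACE [org.wildfly.security] (default task-1) Handling RealmCallback: selected = [jdbc-realm]
2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Handling NameCallback: authenticationName = user1
2019-05-30 15:28:05,291 TRACE [org.wildfly.security] (default task-1) Principal assigning: [user1], pre-realm rewritten: [user1], realm name: [jwt-realm], post-realm rewritten: [user1], realm rewritten: [user1]
2019-05-30 15:28:05,291 DEBUG [org.wildfly.security.http.basic] (default task-1) User user1 authentication failed.
2019-05-30 15:28:07,100 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [jdbc-realm]
2019-05-30 15:28:07,101 TRACE [org.wildfly.security] (default task-2) Principal assigning: [user2], pre-realm rewritten: [user2], realm name: [jdbc-realm], post-realm rewritten: [user2], realm rewritten: [user2]
"""

# "<date> <time> <LEVEL> [<logger>] (<thread>) <message>" as in the WildFly server.log excerpt
LINE_RE = re.compile(r'^\S+ \S+ (?P<level>\w+) \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$')
SELECTED_RE = re.compile(r'Handling RealmCallback: selected = \[(?P<realm>[^\]]+)\]')
ASSIGN_RE = re.compile(r'Principal assigning: \[(?P<name>[^\]]+)\],.*?realm name: \[(?P<realm>[^\]]+)\]')


def find_realm_mismatches(log_text):
    """Return one finding per thread whose mechanism-selected realm (RealmCallback)
    differs from the realm the security domain assigned the principal to."""
    selected = {}  # thread -> realm chosen by the mechanism, awaiting its Principal assigning line
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected server.log layout
        thread, msg = m.group('thread'), m.group('msg')
        sel = SELECTED_RE.search(msg)
        if sel:
            selected[thread] = sel.group('realm')
            continue
        assign = ASSIGN_RE.search(msg)
        if assign and thread in selected:
            mech_realm, domain_realm = selected.pop(thread), assign.group('realm')
            if mech_realm != domain_realm:
                findings.append({'thread': thread, 'user': assign.group('name'),
                                 'mechanism_realm': mech_realm, 'domain_realm': domain_realm})
    return findings


if __name__ == '__main__':
    for f in find_realm_mismatches(SAMPLE_LOG):
        print(f"{f['thread']}: user {f['user']} selected {f['mechanism_realm']} "
              f"but identity was resolved in {f['domain_realm']}")
```

Run it against a full server.log (with `org.wildfly.security` at TRACE) to list every request where the realm advertised by the mechanism and the realm used for identity resolution diverge.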