WildFly Elytron: ELY-1995

AggregateRealm is failing in authentication with token-realm


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Version/s: 1.10.8.Final, 1.13.0.Final

      Configuration Snap:

      <security-domain name="aggregate-domain" default-realm="aggregate-test-realm" permission-mapper="default-permission-mapper">
          <realm name="aggregate-test-realm" role-decoder="from-roles-attribute"/>
      </security-domain>

      <aggregate-realm name="aggregate-test-realm" authentication-realm="jwt-realm" authorization-realm="ldap-realm"/>

      <ldap-realm name="ldap-realm" dir-context="ldap-context" direct-verification="true">
          <identity-mapping rdn-identifier="sAMAccountName" use-recursive-search="true" search-base-dn="CN=USERS,DC=TEST,DC=COM">
              <attribute-mapping>
                  <attribute from="cn" to="Roles" filter="(&amp; (objectClass=group)(member={1}))" filter-base-dn="CN=USERS,DC=TEST,DC=COM" role-recursion="5"/>
              </attribute-mapping>
          </identity-mapping>
      </ldap-realm>

      <token-realm name="jwt-realm" principal-claim="preferred_username">
          <jwt issuer="http://localhost:8080/auth/realms/ldap-test" audience="RestEasy" key-store="jwt-key" certificate="jwt"/>
      </token-realm>


    Description

      Authentication fails when a token-realm is configured as the authentication-realm of an aggregate-realm and an ldap-realm is configured as its authorization-realm.

      AggregateSecurityRealm#getRealmIdentity obtains the realm identity used for authentication from the JWT realm and the realm identity used for authorization from the LDAP realm, and in both cases it passes the same BearerTokenEvidence to look up the identity. LdapSecurityRealm cannot derive a principal from a BearerTokenEvidence (the trace below shows evidencePrincipal = null), so the authorization identity is RealmIdentity.NON_EXISTENT and the request fails with the "User does not exist" error.

      2020-06-11 08:51:06,767 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='localhost' protocol='http'
      2020-06-11 08:51:06,769 TRACE [org.wildfly.security] (default task-1) Evidence verification: evidence = org.wildfly.security.evidence.BearerTokenEvidence@2587e47f evidencePrincipal = null
      2020-06-11 08:51:06,782 DEBUG [org.wildfly.security] (default task-1) Token is using algorithm [RS256]
      2020-06-11 08:51:06,789 DEBUG [org.wildfly.security] (default task-1) Token is using algorithm [RS256]
      2020-06-11 08:51:06,792 TRACE [org.wildfly.security] (default task-1) BEARER_TOKEN: org.wildfly.security.http.HttpAuthenticationException: ELY05053: Callback handler failed for unknown reason
      at org.wildfly.security.mechanism._private.MechanismUtil.handleCallbacks(MechanismUtil.java:161)
      ... 41 more
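The lookup sequence described above, as an added illustration that is not Elytron's code and does not claim to reproduce the fix applied for this issue: a toy Java 17 model whose `Realm`, `Identity`, `BearerToken`, `JwtRealm`, `DirectoryRealm` and `aggregate*` names are this example's own. `aggregateReported` hands the bearer token to both realms, and the directory-style realm, which can only resolve by principal, answers NON_EXISTENT; `aggregateByPrincipal` first takes the principal from the authentication identity and then queries the authorization realm by that principal. The token parsing is deliberately minimal and does not validate the RS256 signature, issuer or audience that a real token-realm checks; the token and the user-to-roles map are constructed test data.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/*
 * Toy model of the aggregate-realm lookup discussed in ELY-1995. Every type and
 * method name here is hypothetical and belongs to this example, not to the Elytron API.
 */
public class AggregateLookupDemo {

    /** Evidence presented by the client; a bearer token carries no principal of its own. */
    record BearerToken(String token) {}

    /** What a realm returns: a resolved identity or the shared NON_EXISTENT marker. */
    record Identity(String principal, Map<String, String> attributes) {
        static final Identity NON_EXISTENT = new Identity(null, Map.of());
        boolean exists() { return principal != null; }
    }

    interface Realm {
        Identity byEvidence(Object evidence);   // lookup driven by evidence such as a token
        Identity byPrincipal(String principal); // lookup driven by an already-known principal
    }

    /** Token-style realm: derives the principal from the preferred_username claim. */
    static final class JwtRealm implements Realm {
        private static final Pattern CLAIM =
                Pattern.compile("\"preferred_username\"\\s*:\\s*\"([^\"]+)\"");

        public Identity byEvidence(Object evidence) {
            if (!(evidence instanceof BearerToken bt)) return Identity.NON_EXISTENT;
            // Toy: decode the payload segment only. A real token realm validates the
            // signature, issuer and audience before trusting any claim.
            String[] parts = bt.token().split("\\.");
            if (parts.length != 3) return Identity.NON_EXISTENT;
            String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            Matcher m = CLAIM.matcher(payload);
            return m.find() ? new Identity(m.group(1), Map.of()) : Identity.NON_EXISTENT;
        }

        public Identity byPrincipal(String principal) { return Identity.NON_EXISTENT; }
    }

    /** Directory-style realm: it resolves by principal and cannot read a bearer token. */
    static final class DirectoryRealm implements Realm {
        private final Map<String, String> rolesByUser; // constructed stand-in for the directory

        DirectoryRealm(Map<String, String> rolesByUser) { this.rolesByUser = rolesByUser; }

        public Identity byEvidence(Object evidence) {
            // No principal can be extracted from this evidence, so the answer is NON_EXISTENT.
            return Identity.NON_EXISTENT;
        }

        public Identity byPrincipal(String principal) {
            String roles = rolesByUser.get(principal);
            return roles == null ? Identity.NON_EXISTENT : new Identity(principal, Map.of("Roles", roles));
        }
    }

    /** The behaviour reported in the issue: both realms are queried with the evidence. */
    static Identity aggregateReported(Realm authn, Realm authz, Object evidence) {
        Identity authnId = authn.byEvidence(evidence);
        Identity authzId = authz.byEvidence(evidence); // directory realm answers NON_EXISTENT
        if (!authnId.exists() || !authzId.exists()) return Identity.NON_EXISTENT;
        return new Identity(authnId.principal(), authzId.attributes());
    }

    /** One correct shape: resolve the principal from the authentication identity first. */
    static Identity aggregateByPrincipal(Realm authn, Realm authz, Object evidence) {
        Identity authnId = authn.byEvidence(evidence);
        if (!authnId.exists()) return Identity.NON_EXISTENT;
        Identity authzId = authz.byPrincipal(authnId.principal());
        if (!authzId.exists()) return Identity.NON_EXISTENT;
        return new Identity(authnId.principal(), authzId.attributes());
    }

    /** Builds a constructed, unverified token purely as input for the toy realm above. */
    static String constructedToken(String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".dummy-signature-not-checked-here";
    }

    public static void main(String[] args) {
        Realm jwt = new JwtRealm();
        Realm ldap = new DirectoryRealm(Map.of("alice", "Admins,Users")); // constructed data
        BearerToken evidence = new BearerToken(constructedToken("{\"preferred_username\":\"alice\"}"));

        System.out.println("reported path exists=" + aggregateReported(jwt, ldap, evidence).exists());
        Identity ok = aggregateByPrincipal(jwt, ldap, evidence);
        System.out.println("by-principal path: " + ok.principal() + " Roles=" + ok.attributes().get("Roles"));
    }
}
```

Run it with `java AggregateLookupDemo.java` on JDK 17 or later. The first line reports `false`, which is the NON_EXISTENT outcome the trace above describes; the second resolves `alice` with the roles supplied by the directory-style realm, because the authorization lookup was keyed by the principal the authentication realm already established.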

            People

              Assignee: Farah Juma (fjuma1@redhat.com)
              Reporter: Farah Juma (fjuma1@redhat.com)