WildFly Elytron / ELY-2135

Possible bug DistributedSecurityRealm

Details

    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Major
    • Component: Realms

    Description

      I am trying to use a DistributedSecurityRealm with 2 underlying custom realms to check a username-and-password-based credential. The design is that my first realm, through its RealmIdentity, is meant to check the credential and, should that fail, the second realm will then also check the credential and attempt to authenticate.

      Having configured my DistributedSecurityRealm, I notice that only the first RealmIdentity is ever called and once that fails, the second realm is never invoked.

      Having checked DistributedSecurityRealm.java#L243, it seems that when the evidence is verified, only the first realm is ever asked to do the verification.

      So my question here is: is this a bug in the way this realm works, or is there a specific design decision behind it working this way?

      Here are the relevant bits of the configuration I am using:

      /subsystem=elytron/custom-realm=myccustomrealm1:add(module=mymodule, class-name=com.example.MyCustomRealm1, configuration={\
        configProp = "my config value"\
      })
      /subsystem=elytron/custom-realm=myccustomrealm2:add(module=mymodule, class-name=com.example.MyCustomRealm2, configuration={\
        configProp = "my config value 2"\
      })
      /subsystem=elytron/distributed-realm=final-realm:add(realms=[myccustomrealm1, myccustomrealm2])
      /subsystem=elytron/security-domain=mysecuritydomain:add(realms=[{realm=final-realm, role-decoder=NAME-from-roles-attribute}], default-realm=final-realm, permission-mapper=default-permission-mapper)
      /subsystem=elytron/sasl-authentication-factory=my-sasl:add(sasl-server-factory=elytron, security-domain=mysecuritydomain, mechanism-configurations=[\
        {mechanism-name=PLAIN},\
        {mechanism-name=ANONYMOUS}\
      ])
      /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory, value=my-sasl)

People

    szaldana Sonia Zaldana
    avscta Alex Stoia