WildFly Elytron: ELY-2879

Some principal transformers in aggregate-realm are not working.


    • Type: Bug
    • Resolution: Cannot Reproduce
    • Priority: Major
    • Affects Version: 2.5.2.Final
    • Component: Realms

      As described in Zulip

      It seems that some principal transformers are not working.

      We have an application running under WildFly (let's call it OSX). We would like to support a configuration where authentication is based on a smartcard cert and we would assign the role (authorization) to it from a database with a "role-decoder".

      The configuration:
       

      <security-domains>
          <security-domain name="elytron_osxmp_security_domain" default-realm="elytron_osxmp_aggregate_realm" permission-mapper="elytron_osxmp_permission_mapper" role-decoder="elytron_osxmp_customdbroledecoder">
              <realm name="elytron_osxmp_aggregate_realm"/>
          </security-domain>
          ...
      </security-domains>
      <security-realms>
          <aggregate-realm name="elytron_osxmp_aggregate_realm" authentication-realm="elytron_osxmp_keystore_realm" authorization-realm="elytron_osxmp_customdbrealm" principal-transformer="osx_regex_principal_transformer"/>
          <custom-realm name="elytron_osxmp_customdbrealm" module="com.unify.osx.mp.customsecurity" class-name="com.unify.osx.mp.customsecurity.CustomDbRealm">
              ...
          </custom-realm>
          ...
      </security-realms>
      <mappers>
          <regex-principal-transformer name="osx_regex_principal_transformer" pattern=".*" replacement="X" replace-all="true"/>
          <case-principal-transformer name="osx_case_principal_transformer" upper-case="true"/>
          <constant-principal-transformer name="osx_constant_principal_transformer" constant="CONSTANTROLE"/>
          ...
          <custom-role-decoder name="elytron_osxmp_customdbroledecoder" module="com.unify.osx.mp.customsecurity" class-name="com.unify.osx.mp.customsecurity.CustomDbRoleDecoder">
              ...
          </custom-role-decoder>
          ...
      </mappers>
      

      In CustomDbRealm, I put a log in getRealmIdentity().getAuthorizationIdentity() to print out the principal name. At this point, I should get the name overwritten by the principal transformer.

      @Override
      public RealmIdentity getRealmIdentity(final Principal principal) {
          ...
          @Override
          public AuthorizationIdentity getAuthorizationIdentity() {
              logger.info("VBZ: Principal name for authorization is \"" + principal.getName() + "\"");
              ...
          }
      }
      

      Based on the logs, I see that the regex and case principal transformers do nothing, but the constant transformer works.

      Logs for the issue:
      The aggregate-realm is configured with constant-principal-transformer: 

      <aggregate-realm name="elytron_osxmp_aggregate_realm" principal-transformer="osx_constant_principal_transformer" authentication-realm="elytron_osxmp_keystore_realm" authorization-realm="elytron_osxmp_customdbrealm"/>
      

      The account name for role query is "CONSTANTROLE", as expected:

      2025-02-17 11:13:09,254+0100 TRACE  security                                 getRealmIdentity: KeyStoreRealm: certificate found by X500Principal in alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
      2025-02-17 11:13:09,256+0100 TRACE  security                                 getRealmIdentity: Authentication identity for principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] found.
      2025-02-17 11:13:09,257+0100 INFO   CustomDbRealm                            getRealmIdentity: Account name for role query = "CONSTANTROLE"
      2025-02-17 11:13:09,262+0100 DEBUG  OnePool                                  getConnection: mysql: getConnection(null, null) [0/20]
      2025-02-17 11:13:09,262+0100 DEBUG  LocalManagedConnectionFactory            invokeNotifyMethod: java.sql.Connection#beginRequest has been invoked
      2025-02-17 11:13:09,265+0100 DEBUG  LocalManagedConnectionFactory            invokeNotifyMethod: java.sql.Connection#endRequest has been invoked
      2025-02-17 11:13:09,265+0100 DEBUG  OnePool                                  returnConnection: mysql: returnConnection(21f716ab, false) [0/20]
      2025-02-17 11:13:09,272+0100 TRACE  security                                 verifyEvidence: KeyStoreRealm: verification succeed for alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
      2025-02-17 11:13:09,273+0100 TRACE  cert                                     attemptAuthentication: X509PeerCertificateChainEvidence was verified by EvidenceVerifyCallback handler: true  verification skipped: false
      2025-02-17 11:13:09,273+0100 TRACE  cert                                     get: loading from cache: null
      2025-02-17 11:13:09,274+0100 TRACE  cert                                     get: loading from cache: null
      2025-02-17 11:13:09,291+0100 TRACE  security                                 mapRoles: Role mapping: principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      2025-02-17 11:13:09,292+0100 TRACE  security                                 doAuthorization: Authorizing principal CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU.
      2025-02-17 11:13:09,293+0100 TRACE  security                                 doAuthorization: Authorizing against the following attributes: [account-name, principal-name] => [null, CONSTANTROLE]
      2025-02-17 11:13:09,293+0100 TRACE  security                                 doAuthorization: Authorizing against the following runtime attributes: [Request-URI, Source-Address] => [https://localhost:8443/osxmp/, 0:0:0:0:0:0:0:1|https://localhost:8443/osxmp/,%200:0:0:0:0:0:0:1]
      


      The aggregate-realm is configured with case-principal-transformer:

      <aggregate-realm name="elytron_osxmp_aggregate_realm" principal-transformer="osx_case_principal_transformer" authentication-realm="elytron_osxmp_keystore_realm" authorization-realm="elytron_osxmp_customdbrealm"/>
      

      Principal transformation does not work; the account name for the role query is not changed:

      2025-02-17 11:25:33,551+0100 TRACE  security                                 getRealmIdentity: KeyStoreRealm: certificate found by X500Principal in alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
      2025-02-17 11:25:33,553+0100 TRACE  security                                 getRealmIdentity: Authentication identity for principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] found.
      2025-02-17 11:25:33,554+0100 INFO   CustomDbRealm                            getRealmIdentity: Account name for role query = "CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU"
      2025-02-17 11:25:33,559+0100 DEBUG  OnePool                                  getConnection: mysql: getConnection(null, null) [0/20]
      2025-02-17 11:25:33,560+0100 DEBUG  LocalManagedConnectionFactory            invokeNotifyMethod: java.sql.Connection#beginRequest has been invoked
      2025-02-17 11:25:33,561+0100 DEBUG  LocalManagedConnectionFactory            invokeNotifyMethod: java.sql.Connection#endRequest has been invoked
      2025-02-17 11:25:33,563+0100 DEBUG  OnePool                                  returnConnection: mysql: returnConnection(3f9e1f68, false) [0/20]
      2025-02-17 11:25:33,569+0100 TRACE  security                                 verifyEvidence: KeyStoreRealm: verification succeed for alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
      2025-02-17 11:25:33,569+0100 TRACE  cert                                     attemptAuthentication: X509PeerCertificateChainEvidence was verified by EvidenceVerifyCallback handler: true  verification skipped: false
      2025-02-17 11:25:33,570+0100 TRACE  cert                                     get: loading from cache: null
      2025-02-17 11:25:33,570+0100 TRACE  cert                                     get: loading from cache: null
      2025-02-17 11:25:33,571+0100 TRACE  security                                 mapRoles: Role mapping: principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      2025-02-17 11:25:33,572+0100 TRACE  security                                 doAuthorization: Authorizing principal CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU.
      2025-02-17 11:25:33,572+0100 TRACE  security                                 doAuthorization: Authorizing against the following attributes: [account-name, principal-name] => [null, CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU]
      2025-02-17 11:25:33,573+0100 TRACE  security                                 doAuthorization: Authorizing against the following runtime attributes: [Request-URI, Source-Address] => [https://localhost:8443/osxmp/, 0:0:0:0:0:0:0:1|https://localhost:8443/osxmp/,%200:0:0:0:0:0:0:1]
      


      The aggregate-realm is configured with regex-principal-transformer:

      <aggregate-realm name="elytron_osxmp_aggregate_realm" principal-transformer="osx_regex_principal_transformer" authentication-realm="elytron_osxmp_keystore_realm" authorization-realm="elytron_osxmp_customdbrealm"/>
      

      Principal transformation does not work; the account name for the role query is not changed:

      2025-02-17 11:40:38,305+0100 TRACE  security                                 getRealmIdentity: KeyStoreRealm: certificate found by X500Principal in alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
      2025-02-17 11:40:38,307+0100 TRACE  security                                 getRealmIdentity: Authentication identity for principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] found.
      2025-02-17 11:40:38,308+0100 INFO   CustomDbRealm                            getRealmIdentity: Account name for role query = "CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU"
      2025-02-17 11:40:38,314+0100 DEBUG  OnePool                                  getConnection: mysql: getConnection(null, null) [0/20]
      2025-02-17 11:40:38,315+0100 DEBUG  LocalManagedConnectionFactory            invokeNotifyMethod: java.sql.Connection#beginRequest has been invoked
      2025-02-17 11:40:38,317+0100 DEBUG  LocalManagedConnectionFactory            invokeNotifyMethod: java.sql.Connection#endRequest has been invoked
      2025-02-17 11:40:38,317+0100 DEBUG  OnePool                                  returnConnection: mysql: returnConnection(14e74a7c, false) [0/20]
      2025-02-17 11:40:38,328+0100 TRACE  security                                 verifyEvidence: KeyStoreRealm: verification succeed for alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
      2025-02-17 11:40:38,328+0100 TRACE  cert                                     attemptAuthentication: X509PeerCertificateChainEvidence was verified by EvidenceVerifyCallback handler: true  verification skipped: false
      2025-02-17 11:40:38,329+0100 TRACE  cert                                     get: loading from cache: null
      2025-02-17 11:40:38,329+0100 TRACE  cert                                     get: loading from cache: null
      2025-02-17 11:40:38,330+0100 TRACE  security                                 mapRoles: Role mapping: principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      2025-02-17 11:40:38,331+0100 TRACE  security                                 doAuthorization: Authorizing principal CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU.
      2025-02-17 11:40:38,331+0100 TRACE  security                                 doAuthorization: Authorizing against the following attributes: [account-name, principal-name] => [null, CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU]
      2025-02-17 11:40:38,332+0100 TRACE  security                                 doAuthorization: Authorizing against the following runtime attributes: [Request-URI, Source-Address] => [https://localhost:8443/osxmp/, 0:0:0:0:0:0:0:1|https://localhost:8443/osxmp/,%200:0:0:0:0:0:0:1]
      
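A way to check from the security TRACE log alone which name reached the authorization realm, added here as an example that is not part of the report or of Elytron: it pairs the "Authorizing principal" line with the "principal-name" attribute (the two lines shown in each run above), recomputes what the configured transformer should have produced, and flags a transformer that did not apply. The transformer functions and the `_run` sample builder are local stand-ins; they are not Elytron's classes.

```python
import re
from typing import Callable, Dict, List

# Stand-ins for the three transformers configured on the page (not Elytron's
# own classes). Regex note: pattern ".*" with replace-all matches the whole name
# and then the empty string at its end, so Java Matcher.replaceAll and Python
# (3.7+) re.sub both produce "XX", not "X".
TRANSFORMERS: Dict[str, Callable[[str], str]] = {
    "osx_regex_principal_transformer": lambda name: re.sub(r".*", "X", name),
    "osx_case_principal_transformer": lambda name: name.upper(),
    "osx_constant_principal_transformer": lambda name: "CONSTANTROLE",
}

# "Authorizing principal <name>." carries the authenticated principal; the
# attributes line carries the principal-name the authorization realm received.
AUTHN_RE = re.compile(r"doAuthorization: Authorizing principal (.+)\.\s*$")
ATTRS_RE = re.compile(r"\[account-name, principal-name\] => \[([^,\]]*), (.*)\]\s*$")


def check_transformer(lines: List[str], transformer: str) -> dict:
    """Return the authenticated name, the name the transformer should have
    produced, the name actually seen at authorization, and whether they agree."""
    authenticated = observed = None
    for line in lines:
        m = AUTHN_RE.search(line)
        if m:
            authenticated = m.group(1)
        m = ATTRS_RE.search(line)
        if m:
            observed = m.group(2)
    if authenticated is None or observed is None:
        raise ValueError("doAuthorization trace lines not found; enable TRACE for the security logger")
    expected = TRANSFORMERS[transformer](authenticated)
    return {"authenticated": authenticated, "expected": expected,
            "observed": observed, "applied": expected == observed}


# Constructed sample input: the two relevant TRACE lines of each run, taken from
# the report above with the timestamps shortened.
DN = "CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU"

def _run(principal_name: str) -> List[str]:
    return [
        f"2025-02-17 TRACE  security  doAuthorization: Authorizing principal {DN}.",
        "2025-02-17 TRACE  security  doAuthorization: Authorizing against the following "
        f"attributes: [account-name, principal-name] => [null, {principal_name}]",
    ]

RUN_CONSTANT = _run("CONSTANTROLE")
RUN_CASE = _run(DN)    # case-principal-transformer run: name unchanged
RUN_REGEX = _run(DN)   # regex-principal-transformer run: name unchanged
```

Because the page's regex transformer yields "XX" rather than "X", a hand-written comparison against "X" would report a false mismatch even on a working transformer.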

              Assignee: Lukas Vydra (lvydra)
              Reporter: Balazs Varga (balazs.varga@mitel.com, Inactive)