- Bug
- Resolution: Cannot Reproduce
- Major
- None
- 2.5.2.Final
- None
As described in Zulip:
It seems that some principal transformers are not working.
We have an application running under WildFly (let's call it OSX). We would like to support a configuration where authentication is based on a smartcard cert and we would assign the role (authorization) to it from a database with a "role-decoder".
The configuration:
<security-domains>
    <security-domain name="elytron_osxmp_security_domain" default-realm="elytron_osxmp_aggregate_realm"
                     permission-mapper="elytron_osxmp_permission_mapper" role-decoder="elytron_osxmp_customdbroledecoder">
        <realm name="elytron_osxmp_aggregate_realm"/>
    </security-domain>
    ...
</security-domains>
<security-realms>
    <aggregate-realm name="elytron_osxmp_aggregate_realm"
                     authentication-realm="elytron_osxmp_keystore_realm"
                     authorization-realm="elytron_osxmp_customdbrealm"
                     principal-transformer="osx_regex_principal_transformer"/>
    <custom-realm name="elytron_osxmp_customdbrealm" module="com.unify.osx.mp.customsecurity"
                  class-name="com.unify.osx.mp.customsecurity.CustomDbRealm">
        ...
    </custom-realm>
    ...
</security-realms>
<mappers>
    <regex-principal-transformer name="osx_regex_principal_transformer" pattern=".*" replacement="X" replace-all="true"/>
    <case-principal-transformer name="osx_case_principal_transformer" upper-case="true"/>
    <constant-principal-transformer name="osx_constant_principal_transformer" constant="CONSTANTROLE"/>
    ...
    <custom-role-decoder name="elytron_osxmp_customdbroledecoder" module="com.unify.osx.mp.customsecurity"
                         class-name="com.unify.osx.mp.customsecurity.CustomDbRoleDecoder">
        ...
    </custom-role-decoder>
    ...
</mappers>
In CustomDbRealm, I put a log in getRealmIdentity().getAuthorizationIdentity() to print out the principal name. At this point, I should get the name overwritten by the principal transformer.
@Override
public RealmIdentity getRealmIdentity(final Principal principal) {
    ...
    @Override
    public AuthorizationIdentity getAuthorizationIdentity() {
        // The principal passed to the authorization realm; with a principal-transformer on the
        // aggregate-realm this should already be the rewritten name.
        logger.info("VBZ: Principal name for authorization is \"" + principal.getName() + "\"");
        ...
    }
}
Based on the logs, I see that the regex and case principal transformers do nothing, but the constant transformer works.
Logs for the issue:
The aggregate-realm is configured with constant-principal-transformer:
<aggregate-realm name="elytron_osxmp_aggregate_realm" principal-transformer="osx_constant_principal_transformer" authentication-realm="elytron_osxmp_keystore_realm" authorization-realm="elytron_osxmp_customdbrealm"/>
The account name for role query is "CONSTANTROLE", as expected:
2025-02-17 11:13:09,254+0100 TRACE security getRealmIdentity: KeyStoreRealm: certificate found by X500Principal in alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
2025-02-17 11:13:09,256+0100 TRACE security getRealmIdentity: Authentication identity for principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] found.
2025-02-17 11:13:09,257+0100 INFO CustomDbRealm getRealmIdentity: Account name for role query = "CONSTANTROLE"
2025-02-17 11:13:09,262+0100 DEBUG OnePool getConnection: mysql: getConnection(null, null) [0/20]
2025-02-17 11:13:09,262+0100 DEBUG LocalManagedConnectionFactory invokeNotifyMethod: java.sql.Connection#beginRequest has been invoked
2025-02-17 11:13:09,265+0100 DEBUG LocalManagedConnectionFactory invokeNotifyMethod: java.sql.Connection#endRequest has been invoked
2025-02-17 11:13:09,265+0100 DEBUG OnePool returnConnection: mysql: returnConnection(21f716ab, false) [0/20]
2025-02-17 11:13:09,272+0100 TRACE security verifyEvidence: KeyStoreRealm: verification succeed for alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
2025-02-17 11:13:09,273+0100 TRACE cert attemptAuthentication: X509PeerCertificateChainEvidence was verified by EvidenceVerifyCallback handler: true verification skipped: false
2025-02-17 11:13:09,273+0100 TRACE cert get: loading from cache: null
2025-02-17 11:13:09,274+0100 TRACE cert get: loading from cache: null
2025-02-17 11:13:09,291+0100 TRACE security mapRoles: Role mapping: principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2025-02-17 11:13:09,292+0100 TRACE security doAuthorization: Authorizing principal CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU.
2025-02-17 11:13:09,293+0100 TRACE security doAuthorization: Authorizing against the following attributes: [account-name, principal-name] => [null, CONSTANTROLE]
2025-02-17 11:13:09,293+0100 TRACE security doAuthorization: Authorizing against the following runtime attributes: [Request-URI, Source-Address] => [https://localhost:8443/osxmp/, 0:0:0:0:0:0:0:1]
—
The aggregate-realm is configured with case-principal-transformer:
<aggregate-realm name="elytron_osxmp_aggregate_realm" principal-transformer="osx_case_principal_transformer" authentication-realm="elytron_osxmp_keystore_realm" authorization-realm="elytron_osxmp_customdbrealm"/>
Principal transformation does not work; the account name for the role query is not changed:
2025-02-17 11:25:33,551+0100 TRACE security getRealmIdentity: KeyStoreRealm: certificate found by X500Principal in alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
2025-02-17 11:25:33,553+0100 TRACE security getRealmIdentity: Authentication identity for principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] found.
2025-02-17 11:25:33,554+0100 INFO CustomDbRealm getRealmIdentity: Account name for role query = "CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU"
2025-02-17 11:25:33,559+0100 DEBUG OnePool getConnection: mysql: getConnection(null, null) [0/20]
2025-02-17 11:25:33,560+0100 DEBUG LocalManagedConnectionFactory invokeNotifyMethod: java.sql.Connection#beginRequest has been invoked
2025-02-17 11:25:33,561+0100 DEBUG LocalManagedConnectionFactory invokeNotifyMethod: java.sql.Connection#endRequest has been invoked
2025-02-17 11:25:33,563+0100 DEBUG OnePool returnConnection: mysql: returnConnection(3f9e1f68, false) [0/20]
2025-02-17 11:25:33,569+0100 TRACE security verifyEvidence: KeyStoreRealm: verification succeed for alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
2025-02-17 11:25:33,569+0100 TRACE cert attemptAuthentication: X509PeerCertificateChainEvidence was verified by EvidenceVerifyCallback handler: true verification skipped: false
2025-02-17 11:25:33,570+0100 TRACE cert get: loading from cache: null
2025-02-17 11:25:33,570+0100 TRACE cert get: loading from cache: null
2025-02-17 11:25:33,571+0100 TRACE security mapRoles: Role mapping: principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2025-02-17 11:25:33,572+0100 TRACE security doAuthorization: Authorizing principal CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU.
2025-02-17 11:25:33,572+0100 TRACE security doAuthorization: Authorizing against the following attributes: [account-name, principal-name] => [null, CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU]
2025-02-17 11:25:33,573+0100 TRACE security doAuthorization: Authorizing against the following runtime attributes: [Request-URI, Source-Address] => [https://localhost:8443/osxmp/, 0:0:0:0:0:0:0:1]
—
The aggregate-realm is configured with regex-principal-transformer:
<aggregate-realm name="elytron_osxmp_aggregate_realm" principal-transformer="osx_regex_principal_transformer" authentication-realm="elytron_osxmp_keystore_realm" authorization-realm="elytron_osxmp_customdbrealm"/>
Principal transformation does not work; the account name for the role query is not changed:
2025-02-17 11:40:38,305+0100 TRACE security getRealmIdentity: KeyStoreRealm: certificate found by X500Principal in alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
2025-02-17 11:40:38,307+0100 TRACE security getRealmIdentity: Authentication identity for principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] found.
2025-02-17 11:40:38,308+0100 INFO CustomDbRealm getRealmIdentity: Account name for role query = "CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU"
2025-02-17 11:40:38,314+0100 DEBUG OnePool getConnection: mysql: getConnection(null, null) [0/20]
2025-02-17 11:40:38,315+0100 DEBUG LocalManagedConnectionFactory invokeNotifyMethod: java.sql.Connection#beginRequest has been invoked
2025-02-17 11:40:38,317+0100 DEBUG LocalManagedConnectionFactory invokeNotifyMethod: java.sql.Connection#endRequest has been invoked
2025-02-17 11:40:38,317+0100 DEBUG OnePool returnConnection: mysql: returnConnection(14e74a7c, false) [0/20]
2025-02-17 11:40:38,328+0100 TRACE security verifyEvidence: KeyStoreRealm: verification succeed for alias [cn=daniel.peller.123456,ou=employee,ou=dev,ou=xpert,o=mitel,c=hu]
2025-02-17 11:40:38,328+0100 TRACE cert attemptAuthentication: X509PeerCertificateChainEvidence was verified by EvidenceVerifyCallback handler: true verification skipped: false
2025-02-17 11:40:38,329+0100 TRACE cert get: loading from cache: null
2025-02-17 11:40:38,329+0100 TRACE cert get: loading from cache: null
2025-02-17 11:40:38,330+0100 TRACE security mapRoles: Role mapping: principal [CN=Daniel.Peller.123456, OU=EMPLOYEE, OU=Dev, OU=Xpert, O=Mitel, C=HU] -> decoded roles [] -> domain decoded roles [] -> realm mapped roles [] -> domain mapped roles []
2025-02-17 11:40:38,331+0100 TRACE security doAuthorization: Authorizing principal CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU.
2025-02-17 11:40:38,331+0100 TRACE security doAuthorization: Authorizing against the following attributes: [account-name, principal-name] => [null, CN=Daniel.Peller.123456,OU=EMPLOYEE,OU=Dev,OU=Xpert,O=Mitel,C=HU]
2025-02-17 11:40:38,332+0100 TRACE security doAuthorization: Authorizing against the following runtime attributes: [Request-URI, Source-Address] => [https://localhost:8443/osxmp/, 0:0:0:0:0:0:0:1]
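As an added check (not code from the report or from WildFly Elytron), the following Python replays what each configured transformer should do to the authenticated principal and compares it with the name the custom realm logs for the role query, so a transformer that silently did not fire shows up as a mismatch. The log lines and the DN are constructed stand-ins for the ones in the report, and the transformer semantics are assumed from the configuration attributes.

```python
import re

# Expected behaviour of the three transformers in the report's <mappers> (assumed from their attributes).
def regex_transform(name, pattern=".*", replacement="X", replace_all=True):
    # <regex-principal-transformer pattern=".*" replacement="X" replace-all="true"/>
    # ".*" matches the whole name and then the empty string at its end, so replace-all yields "XX".
    return re.sub(pattern, replacement, name, count=0 if replace_all else 1)

def case_transform(name, upper_case=True):
    # <case-principal-transformer upper-case="true"/>
    return name.upper() if upper_case else name.lower()

def constant_transform(name, constant="CONSTANTROLE"):
    # <constant-principal-transformer constant="CONSTANTROLE"/>
    return constant

TRANSFORMERS = {
    "osx_regex_principal_transformer": regex_transform,
    "osx_case_principal_transformer": case_transform,
    "osx_constant_principal_transformer": constant_transform,
}

AUTH_RE = re.compile(r"Authentication identity for principal \[(.+?)\] found")
ROLE_RE = re.compile(r'Account name for role query = "(.+?)"')

def normalise_dn(dn):
    # KeyStoreRealm logs "CN=a, OU=b" while the custom realm logs "CN=a,OU=b"; compare without spaces.
    return ",".join(part.strip() for part in dn.split(","))

def check_transformer(log_lines, transformer_name):
    """Return (expected_name, queried_name, ok); ok is False when the authorization realm
    was handed a name the configured transformer should have rewritten."""
    authenticated = queried = None
    for line in log_lines:
        if (m := AUTH_RE.search(line)):
            authenticated = normalise_dn(m.group(1))
        elif (m := ROLE_RE.search(line)):
            queried = normalise_dn(m.group(1))
    if authenticated is None or queried is None:
        raise ValueError("log lacks the authentication or role-query line")
    expected = TRANSFORMERS[transformer_name](authenticated)
    return expected, queried, expected == queried

# Constructed log lines modeled on the report's TRACE/INFO output (assumed DN, not the reporter's).
LOG_UNCHANGED = [
    "11:25:33,553 TRACE security getRealmIdentity: Authentication identity for principal [CN=Jane.Doe.000001, OU=Dev, O=Example, C=XX] found.",
    '11:25:33,554 INFO CustomDbRealm getRealmIdentity: Account name for role query = "CN=Jane.Doe.000001,OU=Dev,O=Example,C=XX"',
]
LOG_CONSTANT = [LOG_UNCHANGED[0],
                '11:13:09,257 INFO CustomDbRealm getRealmIdentity: Account name for role query = "CONSTANTROLE"']

if __name__ == "__main__":
    for name, log in [("osx_case_principal_transformer", LOG_UNCHANGED),
                      ("osx_regex_principal_transformer", LOG_UNCHANGED),
                      ("osx_constant_principal_transformer", LOG_CONSTANT)]:
        expected, queried, ok = check_transformer(log, name)
        print(f"{name}: {'OK' if ok else 'NOT APPLIED'} (expected {expected!r}, queried {queried!r})")
```

Run against the real TRACE output, the case and regex runs from the report would be flagged NOT APPLIED and the constant run OK, which is exactly the discrepancy the reporter describes.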
I haven't been able to reproduce the issue, but I can confirm that transformers are working as they are supposed to with standard realms. If the issue persists, feel free to reopen it.